Open dev-mend-for-github-com[bot] opened 1 year ago
:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.
:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.
Vulnerable Library - java-saml-2.5.0.jar
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Found in HEAD commit: 4c656c86ff4bbf5abd7c9c7e09ffaec53e389e82
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
## WS-2018-0629

### Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs.
Library home page: https://github.com/FasterXML/woodstox
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar
Dependency Hierarchy:
- java-saml-2.5.0.jar (Root Library)
  - java-saml-core-2.5.0.jar
    - xmlsec-2.1.4.jar
      - :x: **woodstox-core-5.0.3.jar** (Vulnerable Library)
Found in HEAD commit: 4c656c86ff4bbf5abd7c9c7e09ffaec53e389e82
Found in base branch: main
### Vulnerability Details

The woodstox-core package is vulnerable to improper restriction of XXE reference.
Publish Date: 2018-08-23
URL: WS-2018-0629
### CVSS 3 Score Details (9.1)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2018-08-23
Fix Resolution (com.fasterxml.woodstox:woodstox-core): 5.2.1
Direct dependency fix Resolution (com.onelogin:java-saml): 2.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## WS-2019-0379

### Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/codec/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Dependency Hierarchy:
- java-saml-2.5.0.jar (Root Library)
  - java-saml-core-2.5.0.jar
    - xmlsec-2.1.4.jar
      - :x: **commons-codec-1.6.jar** (Vulnerable Library)
Found in HEAD commit: 4c656c86ff4bbf5abd7c9c7e09ffaec53e389e82
Found in base branch: main
### Vulnerability Details

Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
### CVSS 3 Score Details (6.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution (commons-codec:commons-codec): 1.13
Direct dependency fix Resolution (com.onelogin:java-saml): 2.6.0
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

## CVE-2002-2010

### Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/codec/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Dependency Hierarchy:
- java-saml-2.5.0.jar (Root Library)
  - java-saml-core-2.5.0.jar
    - xmlsec-2.1.4.jar
      - :x: **commons-codec-1.6.jar** (Vulnerable Library)
Found in HEAD commit: 4c656c86ff4bbf5abd7c9c7e09ffaec53e389e82
Found in base branch: main
### Vulnerability Details

Cross-site scripting (XSS) vulnerability in htsearch.cgi in htdig (ht://Dig) 3.1.5, 3.1.6, and 3.2 allows remote attackers to inject arbitrary web script or HTML via the words parameter.
Publish Date: 2002-12-31
URL: CVE-2002-2010
### CVSS 2 Score Details (4.3)

Base Score Metrics not available

### Suggested Fix

Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/CODEC-96
Release Date: 2002-12-31
Fix Resolution: 1.7
:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.