CVE-2020-35510 - Medium Severity Vulnerability
Vulnerable Library - jboss-remoting-5.0.19.Final.jar
JBoss Remoting
Library home page: http://www.jboss.org
Path to dependency file: /wildfly/extensions/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/remoting/jboss-remoting/5.0.19.Final/jboss-remoting-5.0.19.Final.jar
Dependency Hierarchy:
- wildfly-undertow-21.0.2.Final.jar (Root Library)
  - wildfly-server-13.0.3.Final.jar
    - :x: **jboss-remoting-5.0.19.Final.jar** (Vulnerable Library)
Found in HEAD commit: 9686933e579cc74ebc1592f893a47c601bcf4403
Found in base branch: master
Vulnerability Details
A flaw was found in jboss-remoting in versions before 5.0.20.SP1-redhat-00001. A remote attacker can cause threads in the EJB server to block indefinitely by sending the byte sequence that makes up a successful EJB client request while omitting the ACK messages, or by tampering with the jboss-remoting client code to remove the lines that send the ACK message, resulting in a denial of service. The highest threat from this vulnerability is to system availability.
Publish Date: 2021-06-02
URL: CVE-2020-35510
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-p6j8-hgv5-m35g
Release Date: 2021-06-02
Fix Resolution (org.jboss.remoting:jboss-remoting): 5.0.19.Final-redhat-00001
Direct dependency fix Resolution (org.wildfly:wildfly-undertow): 22.0.0.Final
:rescue_worker_helmet: Automatic Remediation is available for this issue
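The two fix resolutions above applied to a consumer build, as an added example that is not part of this scanner report or of the WildFly project's own pom.xml. It assumes a project (placeholder coordinates `com.example:ejb-consumer`) that declares `org.wildfly:wildfly-undertow` directly and therefore reaches jboss-remoting 5.0.19.Final through the hierarchy shown above; the Red Hat repository URL is also an assumption, included because `-redhat-` suffixed builds are not published to Maven Central.

```xml
<!-- Added example (not the scanner's or WildFly's own file). Assumed: a consumer pom.xml
     whose only path to jboss-remoting is wildfly-undertow -> wildfly-server -> jboss-remoting. -->
<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>com.example</groupId>            <!-- assumed placeholder coordinates -->
  <artifactId>ejb-consumer</artifactId>
  <version>1.0.0</version>

  <properties>
    <!-- Remedy 1 (preferred): bump the root library to the report's direct-dependency fix
         resolution. Before: 21.0.2.Final, which resolves jboss-remoting 5.0.19.Final. -->
    <version.wildfly-undertow>22.0.0.Final</version.wildfly-undertow>
  </properties>

  <dependencyManagement>
    <dependencies>
      <!-- Remedy 2 (only when the root library cannot be bumped): force every transitive path
           into jboss-remoting to the report's library-level fix resolution. A managed version
           wins over whatever wildfly-undertow would otherwise pull in, so do not combine this
           with Remedy 1 unless the pinned build is the one you actually want to run. -->
      <dependency>
        <groupId>org.jboss.remoting</groupId>
        <artifactId>jboss-remoting</artifactId>
        <version>5.0.19.Final-redhat-00001</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.wildfly</groupId>
      <artifactId>wildfly-undertow</artifactId>
      <version>${version.wildfly-undertow}</version>
    </dependency>
  </dependencies>

  <repositories>
    <!-- Assumed: Red Hat's GA repository, needed only for Remedy 2's -redhat- build. -->
    <repository>
      <id>redhat-ga</id>
      <url>https://maven.repository.redhat.com/ga/</url>
    </repository>
  </repositories>
</project>
```

Verify the result before closing the finding: `mvn dependency:tree -Dincludes=org.jboss.remoting:jboss-remoting` must no longer show 5.0.19.Final on any path, and the jar resolved under `~/.m2/repository/org/jboss/remoting/jboss-remoting/` should match the version the tree reports.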