Closed mend-bolt-for-github[bot] closed 3 years ago
This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.
CVE-2014-9970 - High Severity Vulnerability
Vulnerable Library - jasypt-1.9.0.jar
Java library which enables encryption in java apps with minimum effort.
path: 2/repository/org/jasypt/jasypt/1.9.0/jasypt-1.9.0.jar
Library home page: http://www.jasypt.org
Dependency Hierarchy:
- :x: **jasypt-1.9.0.jar** (Vulnerable Library)
Vulnerability Details
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
Publish Date: 2017-05-21
URL: CVE-2014-9970
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1039744
Fix Resolution: Red Hat has issued a fix. The Red Hat advisory is available at: https://access.redhat.com/errata/RHSA-2017:3141