shaundmorris / ddf

The Distributed Data Framework

CVE-2014-9970 High Severity Vulnerability detected by WhiteSource #1923

Closed mend-bolt-for-github[bot] closed 4 years ago

mend-bolt-for-github[bot] commented 5 years ago

CVE-2014-9970 - High Severity Vulnerability

Vulnerable Library - jasypt-1.9.0.jar

Java library which enables encryption in java apps with minimum effort.

path: 2/repository/org/jasypt/jasypt/1.9.0/jasypt-1.9.0.jar

Library home page: http://www.jasypt.org

Dependency Hierarchy:
- :x: **jasypt-1.9.0.jar** (Vulnerable Library)

Vulnerability Details

jasypt before 1.9.2 allows a timing attack against the password hash comparison.

Publish Date: 2017-05-21

URL: CVE-2014-9970

CVSS 3 Score Details (7.5)

Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1040360

Fix Resolution: Red Hat has issued a fix (Data Grid 7.1.2). The Red Hat advisory is available at: https://access.redhat.com/errata/RHSA-2018:0294



stale[bot] commented 4 years ago

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs within 7 days. Thank you for your contributions.