Use of unsafe third-party libraries

[Bombita010]

Brief description of bug

Self-Diagnosis

• [x] I did a vulnerability check on this project
• [x] The results show that this project uses a third-party library with security vulnerabilities
• [x] The library used by this project:jboss-negotiation-main:pom:3.0.7.CR1-SNAPSHOT. Exist in the National Information Security Vulnerability Database
• [x] CNNVD shows that the previous version of jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom contains vulnerabilities.

Environment(for bug reports)

• [x] Operating System:Mac OS

The results of My vulnerability test

-------------------- Vulnerabilities Report --------------------

Found 8 vulnerabilities in target JAVA project

[1]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.AuthorizeAction.run
• CVE Vulnerable Line: 967
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 327
  • Column: 25

[2]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.authenticate
• CVE Vulnerable Line: 669
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 402
  • Column: 12

[3]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContext
• CVE Vulnerable Line: 485
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 674
  • Column: 38 (2)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 382
  • Column: 25

[4]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.constructLdapContextEnvironment
• CVE Vulnerable Line: 476
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 490
  • Column: 27 (2)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 609
  • Column: 30

[5]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.innerLogin
• CVE Vulnerable Line: 397
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 977
  • Column: 19

[6]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.referralAuthenticate
• CVE Vulnerable Line: 604
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 667
  • Column: 9

[7]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.traceLdapEnv
• CVE Vulnerable Line: [912,918]
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 481
  • Column: 7

[8]

• CVE No: CVE-2015-1849
• CVE Level: medium
• CVE Jar Name: jboss-negotiation-main-2.3.7.Final-SNAPSHOT.pom
• CVE Method Name: org.jboss.security.negotiation.AdvancedLdapLoginModule.traceLdapEnv
• CVE Vulnerable Line: [912,918]
• File Containing This CVE in Project: (1)
  • File Name: jboss-negotiation-extras/src/main/java/org/jboss/security/negotiation/AdvancedLdapLoginModule.java
  • Line: 481
  • Column: 7

---

[darranl]

The referenced CVE was addressed in 2015 https://github.com/wildfly-security/jboss-negotiation/pull/21