JNA prior to 5.0.0 was discovered to contain an out-of-bounds read. Advapi32Util.registryGetValues does not terminate the returned string with null terminators. When it tries to identify the string content it searches for the next null-terminator and will read out-of-bounds of the buffer.
WS-2014-0065 - High Severity Vulnerability
Vulnerable Library - jna-platform-4.1.0.jar
Java Native Access Platform
Library home page: https://github.com/twall/jna
Path to dependency file: /fs-agent/pom.xml
Path to vulnerable library: /root/.m2/repository/net/java/dev/jna/jna-platform/4.1.0/jna-platform-4.1.0.jar
Dependency Hierarchy: - svnkit-1.8.7.jar (Root Library) - :x: **jna-platform-4.1.0.jar** (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JNA prior to 5.0.0 was discovered to contain an out-of-bounds read. Advapi32Util.registryGetValues does not terminate the returned string with null terminators. When it tries to identify the string content it searches for the next null-terminator and will read out-of-bounds of the buffer.
Publish Date: 2014-06-24
URL: WS-2014-0065
CVSS 3 Score Details (7.5)
Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Release Date: 2014-06-24
Fix Resolution (net.java.dev.jna:jna-platform): 5.0.0
Direct dependency fix Resolution (org.tmatesoft.svnkit:svnkit): 1.8.13