search

zahori-io / zahori-framework

Library containing Zahori Test Framework for Zahori.io
GNU Affero General Public License v3.0
0 stars 6 forks source link

browsermob-core-2.1.5.jar: 8 vulnerabilities (highest severity is: 8.9) #107

Open mend-bolt-for-github[bot] opened 1 year ago

mend-bolt-for-github[bot] commented 1 year ago
Vulnerable Library - browsermob-core-2.1.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (browsermob-core version) Remediation Possible**
CVE-2024-25638 High 8.9 dnsjava-3.5.3.jar Transitive N/A*
CVE-2024-29857 High 7.5 bcprov-jdk15on-1.70.jar Transitive N/A*
CVE-2023-44487 High 7.5 netty-codec-http2-4.1.91.Final.jar Transitive N/A*
CVE-2024-30172 Medium 5.9 bcprov-jdk15on-1.70.jar Transitive N/A*
CVE-2024-30171 Medium 5.9 bcprov-jdk15on-1.70.jar Transitive N/A*
CVE-2023-33202 Medium 5.5 bcprov-jdk15on-1.70.jar Transitive N/A*
CVE-2024-29025 Medium 5.3 netty-codec-http-4.1.101.Final.jar Transitive N/A*
CVE-2023-33201 Medium 5.3 bcprov-jdk15on-1.70.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-25638 ### Vulnerable Library - dnsjava-3.5.3.jar

dnsjava is an implementation of DNS in Java. It supports all defined record types (including the DNSSEC types), and unknown types. It can be used for queries, zone transfers, and dynamic updates. It includes a cache which can be used by clients, and a minimal implementation of a server. It supports TSIG authenticated messages, partial DNSSEC verification, and EDNS0.

Library home page: https://github.com/dnsjava/dnsjava

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - :x: **dnsjava-3.5.3.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

dnsjava is an implementation of DNS in Java. Records in DNS replies are not checked for their relevance to the query, allowing an attacker to respond with RRs from different zones. This vulnerability is fixed in 3.6.0.

Publish Date: 2024-07-22

URL: CVE-2024-25638

### CVSS 3 Score Details (8.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Changed - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/dnsjava/dnsjava/security/advisories/GHSA-cfxw-4h78-h7fw

Release Date: 2024-07-22

Fix Resolution: dnsjava:dnsjava:3.6.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29857 ### Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - :x: **bcprov-jdk15on-1.70.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-14

URL: CVE-2024-29857

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.bouncycastle.org/latest_releases.html

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-44487 ### Vulnerable Library - netty-codec-http2-4.1.91.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - littleproxy-1.1.0-beta-bmp-17.jar - netty-all-4.1.101.Final.jar - :x: **netty-codec-http2-4.1.91.Final.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-30172 ### Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - :x: **bcprov-jdk15on-1.70.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Publish Date: 2024-05-09

URL: CVE-2024-30172

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-m44j-cfrm-g8qc

Release Date: 2024-03-24

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-30171 ### Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - :x: **bcprov-jdk15on-1.70.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Publish Date: 2024-05-09

URL: CVE-2024-30171

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-v435-xc8x-wvr9

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-33202 ### Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - :x: **bcprov-jdk15on-1.70.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)

Publish Date: 2023-11-23

URL: CVE-2023-33202

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-wjxj-5m7g-mg7q

Release Date: 2023-11-23

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.73, org.bouncycastle:bcprov-jdk15to18: 1.73, org.bouncycastle:bcprov-jdk18on:1.73

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2024-29025 ### Vulnerable Library - netty-codec-http-4.1.101.Final.jar

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - littleproxy-1.1.0-beta-bmp-17.jar - netty-all-4.1.101.Final.jar - :x: **netty-codec-http-4.1.101.Final.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The `HttpPostRequestDecoder` can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the `bodyListHttpData` list. The decoder cumulates bytes in the `undecodedChunk` buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

Publish Date: 2024-03-25

URL: CVE-2024-29025

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: Low

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025

Release Date: 2024-03-25

Fix Resolution: io.netty:netty-codec-http:4.1.108.Final

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
CVE-2023-33201 ### Vulnerable Library - bcprov-jdk15on-1.70.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy: - browsermob-core-2.1.5.jar (Root Library) - :x: **bcprov-jdk15on-1.70.jar** (Vulnerable Library)

Found in base branch: master

### Vulnerability Details

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Publish Date: 2023-07-05

URL: CVE-2023-33201

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2023-07-05

Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)
mend-bolt-for-github[bot] commented 1 year ago

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-bolt-for-github[bot] commented 1 year ago

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.