zahori-framework-0.2.6.jar: 14 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - zahori-framework-0.2.6.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (zahori-framework version)	Remediation Available
CVE-2022-1471	High	9.8	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2016-1000027	High	9.8	spring-web-5.3.27.jar	Transitive	N/A*	❌
CVE-2019-17570	High	9.8	xmlrpc-common-3.1.3.jar	Transitive	N/A*	❌
CVE-2018-1000613	High	9.8	bcprov-jdk15on-1.58.jar	Transitive	N/A*	❌
CVE-2019-17359	High	7.5	bcprov-jdk15on-1.58.jar	Transitive	N/A*	❌
CVE-2022-25857	High	7.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2018-1000180	High	7.5	bcprov-jdk15on-1.58.jar	Transitive	N/A*	❌
CVE-2022-41854	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38752	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38751	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2022-38749	Medium	6.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2020-15522	Medium	5.9	bcprov-jdk15on-1.58.jar	Transitive	N/A*	❌
CVE-2022-38750	Medium	5.5	snakeyaml-1.30.jar	Transitive	N/A*	❌
CVE-2020-26939	Medium	5.3	bcprov-jdk15on-1.58.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-1471

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

### CVSS 3 Score Details (9.8)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: High - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2016-1000027

### Vulnerable Library - spring-web-5.3.27.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.27/spring-web-5.3.27.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - alm-rest-client-0.1.4.jar - :x: **spring-web-5.3.27.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data. Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution: org.springframework:spring-web:6.0.0

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-17570

### Vulnerable Library - xmlrpc-common-3.1.3.jar

Apache XML-RPC is a Java implementation of XML-RPC, a popular protocol that uses XML over HTTP to implement remote procedure calls. Compared to SOAP, or JAX-RPC, it is stable, much simpler and easier to handle. Version 3 of Apache XML-RPC introduces several important vendor extensions over the original XML-RPC specification.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlrpc/xmlrpc-common/3.1.3/xmlrpc-common-3.1.3.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - testlink-java-api-1.9.16-1.jar - :x: **xmlrpc-common-3.1.3.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

An untrusted deserialization was found in the org.apache.xmlrpc.parser.XmlRpcResponseParser:addResult method of Apache XML-RPC (aka ws-xmlrpc) library. A malicious XML-RPC server could target a XML-RPC client causing it to execute arbitrary code. Apache XML-RPC is no longer maintained and this issue will not be fixed.

Publish Date: 2020-01-23

URL: CVE-2019-17570

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-17570

Release Date: 2020-01-23

Fix Resolution: org.apache.xmlrpc:xmlrpc-common - 3.1.3-redhat-2,3.0b1

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-1000613

### Vulnerable Library - bcprov-jdk15on-1.58.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Publish Date: 2018-07-09

URL: CVE-2018-1000613

### CVSS 3 Score Details (9.8)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000613

Release Date: 2018-07-09

Fix Resolution: org.bouncycastle:bcprov-ext-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk15on:1.60,org.bouncycastle:bcprov-debug-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk14:1.60,org.bouncycastle:bcprov-ext-jdk15on:1.60,org.bouncycastle:bcprov-jdk14:1.60,org.bouncycastle:bcprov-jdk15on:1.60

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2019-17359

### Vulnerable Library - bcprov-jdk15on-1.58.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-25857

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

### CVSS 3 Score Details (7.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2018-1000180

### Vulnerable Library - bcprov-jdk15on-1.58.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

### CVSS 3 Score Details (7.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-41854

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution: org.yaml:snakeyaml:1.32

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-38752

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

### CVSS 3 Score Details (6.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: Low - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://github.com/advisories/GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-38751

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38751

### CVSS 3 Score Details (6.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-38749

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38749

### CVSS 3 Score Details (6.5)

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2020-15522

### Vulnerable Library - bcprov-jdk15on-1.58.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

### CVSS 3 Score Details (5.9)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: High - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution: C#- release-1.8.7, Java- 1.66

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2022-38750

### Vulnerable Library - snakeyaml-1.30.jar

YAML 1.1 parser and emitter for Java

Library home page: https://bitbucket.org/snakeyaml/snakeyaml

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.30/snakeyaml-1.30.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - :x: **snakeyaml-1.30.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

Publish Date: 2022-09-05

URL: CVE-2022-38750

### CVSS 3 Score Details (5.5)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Local - Attack Complexity: Low - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: None - Integrity Impact: None - Availability Impact: High

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

CVE-2020-26939

### Vulnerable Library - bcprov-jdk15on-1.58.jar

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.58/bcprov-jdk15on-1.58.jar

Dependency Hierarchy: - zahori-framework-0.2.6.jar (Root Library) - browsermob-core-2.1.5.jar - :x: **bcprov-jdk15on-1.58.jar** (Vulnerable Library)

Found in HEAD commit: 222bd9cad8a279e37814f1871081bec0132ded3d

Found in base branch: master

### Vulnerability Details

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Publish Date: 2020-11-02

URL: CVE-2020-26939

### CVSS 3 Score Details (5.3)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: Low - Privileges Required: None - User Interaction: None - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Release Date: 2020-11-02

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61

Step up your Open Source Security Game with Mend [here](https://www.whitesourcesoftware.com/full_solution_bolt_github)

zahori-io / zahori-process

zahori-framework-0.2.6.jar: 14 vulnerabilities (highest severity is: 9.8) - autoclosed #53

Vulnerabilities

Details