This is an automated email from the ASF dual-hosted git repository. acosentino pushed a commit to branch vex-file in repository https://gitbox.apache.org/repos/asf/camel.git
commit d284422a9f17d3894d04ff3cabbbf57e4291f1e9
Author: Andrea Cosentino <[email protected]>
AuthorDate: Tue Jul 9 10:53:33 2024 +0200
Added VEX file from CycloneDX SBOM
Signed-off-by: Andrea Cosentino <[email protected]>
---
camel-sbom/camel-sbom.vex.json | 2990 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 2990 insertions(+)
diff --git a/camel-sbom/camel-sbom.vex.json b/camel-sbom/camel-sbom.vex.json
new file mode 100644
index 00000000000..0e075dbef3d
--- /dev/null
+++ b/camel-sbom/camel-sbom.vex.json
@@ -0,0 +1,2990 @@ +{ + "bomFormat" : "CycloneDX", + "specVersion" : "1.5", + "serialNumber" : "urn:uuid:11f97572-cc57-4d08-9f52-b6d29f097725", + "version" : 1, + "metadata" : { + "timestamp" : "2024-07-09T08:44:32Z", + "tools" : [ + { + "vendor" : "OWASP", + "name" : "Dependency-Track", + "version" : "4.10.1" + } + ], + "component" : { + "name" : "Camel", + "version" : "4", + "externalReferences" : [ + { + "type" : "website", + "url" : "https://camel.apache.org" + }, + { + "type" : "distribution-intake", + "url" : "https://repository.apache.org/service/local/staging/deploy/maven2" + }, + { + "type" : "issue-tracker", + "url" : "https://issues.apache.org/jira/browse/CAMEL" + }, + { + "type" : "mailing-list", + "url" : "[email protected]" + }, + { + "type" : "vcs", + "url" : "https://gitbox.apache.org/repos/asf?p=camel.git;a=summary" + } + ], + "type" : "library", + "bom-ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + }, + "vulnerabilities" : [ + { + "bom-ref" : "05b4242e-e1bd-424c-8ede-2568da828d30", + "id" : "SNYK-JAVA-IOAIRLIFT-7164637", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 8.2, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Out-of-bounds Read via the decompression process due to improper input length validation in the functions `SnappyRawDecompressor.readUncompressedLengt`, `SnappyRawDecompressor.uncompressAll`, `ZstdFrameDecompressor.decompress`, `Lz4RawDecompressor.decompress` and `LzoRawDecompressor.decompress`. By exploiting this vulnerability, an attacker can crash the JVM or leak sensitive information by decompressi [...] 
+ "recommendation" : "Upgrade the package version to 0.27 to fix this vulnerability", + "created" : "2024-05-30T06:38:51Z", + "published" : "2024-05-30T10:47:25Z", + "updated" : "2024-06-06T12:41:41Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. 
An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. ## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "d8dd9c4f-d279-4c67-996c-10c28a29895f", + "id" : "SNYK-JAVA-IONETTY-1042268", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.4, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "cwes" : [ + 295 + ], + "description" : "## Overview [io.netty:netty-handler](https://github.com/netty/netty.git/netty-handler) is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies [...] 
+ "created" : "2020-11-20T15:44:58Z", + "updated" : "2023-10-11T01:10:45Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. ## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "4ead0905-39e8-4b79-986c-a827289dadd4", + "id" : "SNYK-JAVA-ORGJSON-5962464", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can cause indefinite amounts of memory to be used by inputting a string of modest size. This can lead to a Denial of Service. ## PoC ```java package orgjsonbug; import org.json.JSONObject; /** * Illustrates a bug in JSON-Java. 
*/ public class Bug { private static String makeNested(int depth) { if (depth == 0) { return \"{\\\"a\\\":1}\"; [...] + "recommendation" : "Upgrade the package version to 20231013 to fix this vulnerability", + "created" : "2023-10-13T06:42:49Z", + "published" : "2023-10-13T06:42:49Z", + "updated" : "2024-03-11T09:54:02Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "d8dd9c4f-d279-4c67-996c-10c28a29895f", + "id" : "SNYK-JAVA-IONETTY-1042268", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.4, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N" + } + ], + "cwes" : [ + 295 + ], + "description" : "## Overview [io.netty:netty-handler](https://github.com/netty/netty.git/netty-handler) is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies [...] + "created" : "2020-11-20T15:44:58Z", + "updated" : "2023-10-11T01:10:45Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "59203aaa-d1b6-48cf-84a0-d7dd732af3f1", + "id" : "SNYK-JAVA-CHQOSLOGBACK-6097493", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data. 
**Note:** Successful exploitation requires the logback-receiver component being enabled and also reachable by the [...] + "recommendation" : "Upgrade the package version to 1.2.13,1.3.14,1.4.14 to fix this vulnerability", + "created" : "2023-12-04T14:58:05Z", + "published" : "2023-12-04T15:19:16Z", + "updated" : "2024-03-11T09:54:09Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "633bf2f4-a92d-4dd9-a022-ba9dd72a9e83", + "id" : "SNYK-JAVA-CHQOSLOGBACK-6094943", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core) is a logback-core module. Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. ## Details Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its in [...] 
+ "recommendation" : "Upgrade the package version to 1.2.13,1.3.12,1.4.12 to fix this vulnerability", + "created" : "2023-11-29T14:25:58Z", + "published" : "2023-11-29T14:25:58Z", + "updated" : "2024-03-11T09:54:08Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "125895eb-218a-4236-951b-3e196f958fc8", + "id" : "SNYK-JAVA-CHQOSLOGBACK-6097492", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback receiver` component. An attacker can mount a denial-of-service attack by sending poisoned data. **Note:** Successful exploitation requires the logback-receiver co [...] + "recommendation" : "Upgrade the package version to 1.2.13,1.3.14,1.4.14 to fix this vulnerability", + "created" : "2023-12-04T14:58:05Z", + "published" : "2023-12-04T15:19:15Z", + "updated" : "2024-03-11T09:54:09Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "446995be-0b71-44bc-b57c-c740662ce6ad", + "id" : "SNYK-JAVA-CHQOSLOGBACK-6094942", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic) is a reliable, generic, fast and flexible logging library for Java. 
Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. ## Details Denial of Service (DoS) describes a family of attacks, all [...] + "recommendation" : "Upgrade the package version to 1.2.13,1.3.12,1.4.12 to fix this vulnerability", + "created" : "2023-11-29T14:25:57Z", + "published" : "2023-11-29T14:25:58Z", + "updated" : "2024-03-11T09:54:08Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to an `OutOfMemoryError` during the handling of a broken `Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.26.0 or higher. ## References - [Apache Lists](https://list [...] 
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:55:46Z", + "published" : "2024-02-20T10:55:46Z", + "updated" : "2024-05-09T13:32:28Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Infinite loop due to the improper handling of certain inputs during the parsing of dump files. An attacker can cause the application to enter an infinite loop by supplying crafted inputs. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...] + "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:52:07Z", + "published" : "2024-02-20T10:52:07Z", + "updated" : "2024-04-27T13:35:10Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. 
An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector leaks via the bit size of the decrypted data. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-02-26T18:00:10Z", + "published" : "2024-03-03T21:08:12Z", + "updated" : "2024-04-21T07:48:52Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "d0eefed3-e310-42c0-8479-606918c931e9", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-5901530", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. 
Affected versions of this package are vulnerable to Improper Input Validation when parsing TAR files. An attacker can manipulate file modification times headers, leading to a denial of service issue via CPU consumption. **Note:** This is only exploitable if applications are using the `CompressorStreamFactory` clas [...] + "recommendation" : "Upgrade the package version to 1.24.0 to fix this vulnerability", + "created" : "2023-09-14T12:49:35Z", + "published" : "2023-09-14T12:56:19Z", + "updated" : "2024-03-11T09:49:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to an `OutOfMemoryError` during the handling of a broken `Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.26.0 or higher. ## References - [Apache Lists](https://list [...] 
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:55:46Z", + "published" : "2024-02-20T10:55:46Z", + "updated" : "2024-05-09T13:32:28Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Infinite loop due to the improper handling of certain inputs during the parsing of dump files. An attacker can cause the application to enter an infinite loop by supplying crafted inputs. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...] + "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:52:07Z", + "published" : "2024-02-20T10:52:07Z", + "updated" : "2024-04-27T13:35:10Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "a1519c00-c533-4f1c-bae8-58b67c7e3e24", + "id" : "SNYK-JAVA-ORGECLIPSEJETTY-5958847", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.eclipse.jetty:jetty-http](https://github.com/eclipse/jetty.project) is an is a http module for jetty server. 
Affected versions of this package are vulnerable to Denial of Service (DoS) in the `MetaDataBuilder.checkSize` function. An attacker provide a very large or negative length value for the HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in a very large buffer allocation on the server. ## Details Denial of Service (D [...] + "recommendation" : "Upgrade the package version to 9.4.53.v20231009,10.0.16,11.0.16 to fix this vulnerability", + "created" : "2023-10-11T10:02:18Z", + "published" : "2023-10-11T11:57:46Z", + "updated" : "2024-03-11T09:54:02Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Information Exposure due to missing validation for the X.500 name of any certificate, subject, or issuer. The presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-07-11T15:15:48Z", + "published" : "2023-06-30T08:15:58Z", + "updated" : "2024-03-11T09:54:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a file that has crafted `ASN.1` data through the `PEMParser` causes an `OutOfMemoryError`. ## Workaround The attack can be avoid [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-11-24T08:10:03Z", + "published" : "2023-11-24T08:21:18Z", + "updated" : "2024-06-19T13:32:28Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. 
Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via `javax.crypto.Cipher` exc [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-02-26T18:00:10Z", + "published" : "2024-03-03T21:08:12Z", + "updated" : "2024-04-21T07:48:52Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "aa5b765a-3538-4975-b1ae-49116a1b0fc7", + "id" : "SNYK-JAVA-ORGAPACHESSHD-5769687", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 4.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Information Exposure. In SFTP servers implemented using Apache MINA SSHD that use a `RootedFileSystem`, logged users may be able to discover \"exists/does not exist\" information about items outside the rooted tree via paths including parent navigation (`..`) beyond the root, or involving symlinks. ## Remediation Upgrade `org.apache.sshd:sshd-common` to version 2.10.0 or higher. ## References - [Apache [...] 
+ "recommendation" : "Upgrade the package version to 2.10.0 to fix this vulnerability", + "created" : "2023-07-11T07:21:40Z", + "published" : "2023-07-11T09:22:25Z", + "updated" : "2024-03-11T09:54:02Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to an `OutOfMemoryError` during the handling of a broken `Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.26.0 or higher. ## References - [Apache Lists](https://list [...] + "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:55:46Z", + "published" : "2024-02-20T10:55:46Z", + "updated" : "2024-05-09T13:32:28Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. 
Affected versions of this package are vulnerable to Infinite loop due to the improper handling of certain inputs during the parsing of dump files. An attacker can cause the application to enter an infinite loop by supplying crafted inputs. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...] + "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:52:07Z", + "published" : "2024-02-20T10:52:07Z", + "updated" : "2024-04-27T13:35:10Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector leaks via the bit size of the decrypted data. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 [...] 
+ "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-02-26T18:00:10Z", + "published" : "2024-03-03T21:08:12Z", + "updated" : "2024-04-21T07:48:52Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "d39ed632-024c-4a55-bfc6-b975684b5789", + "id" : "SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Information Disclosure due to the use of the `File.createTempFile` which creates a file inside of the system temporary directory with the permissions `-rw-r--r--`. Thus the contents of this file are viewable by all other users locally on the system. As such, if the contents written is security sensitive, it can be disclosed to other local users. ## Details Denial of Service (DoS) describes a family of [...] 
+ "recommendation" : "Upgrade the package version to 3.0.2,2.34 to fix this vulnerability", + "created" : "2021-04-26T13:20:38Z", + "published" : "2021-04-26T16:18:48Z", + "updated" : "2024-03-11T09:53:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "ef5c1d4c-b21d-46c5-9934-c14655f17765", + "id" : "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.1, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" + } + ], + "description" : "## Overview [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` parses an externally provided URL, and the application subsequently uses that URL. If it contains hierarchical com [...] 
+ "recommendation" : "Upgrade the package version to 5.3.32,6.0.17,6.1.4 to fix this vulnerability", + "created" : "2024-02-22T09:39:25Z", + "published" : "2024-02-22T15:48:30Z", + "updated" : "2024-07-02T15:25:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "496ae866-bc06-4362-ae53-1f49c5c87c92", + "id" : "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.1, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N" + } + ], + "description" : "## Overview [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when using `UriComponentsBuilder` to parse an externally provided `URL` and perform validation checks on the host of the parsed URL. **Note:** [...] + "recommendation" : "Upgrade the package version to 5.3.33,6.0.18,6.1.5 to fix this vulnerability", + "created" : "2024-03-15T10:11:04Z", + "published" : "2024-03-15T10:42:12Z", + "updated" : "2024-07-02T15:25:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. 
An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector leaks via the bit size of the decrypted data. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-02-26T18:00:10Z", + "published" : "2024-03-03T21:08:12Z", + "updated" : "2024-04-21T07:48:52Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "8dff54f3-1260-4b15-bdee-f9f1d0bf1b49", + "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-3038425", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "cwes" : [ + 400 + ], + "description" : "## Overview [org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl) is a high-performance data binding package built on Jackson JSON processor. Affected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource exhaustion when processing a deeply nested array. **NOTE:** For this vulnerability to be exploitable the n [...] + "created" : "2022-10-02T09:21:18Z", + "updated" : "2023-11-08T09:43:38Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "74c3d734-0837-4a8b-bc62-ebdbd7b09d05", + "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-3038427", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "cwes" : [ + 400 + ], + "description" : "## Overview [org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl) is a high-performance data binding package built on Jackson JSON processor. 
Affected versions of this package are vulnerable to Denial of Service (DoS) in the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to resource exhaustion when processing deeply nested arrays. **NOTE:** This vulnerability is only exploitable w [...] + "created" : "2022-10-02T09:41:44Z", + "updated" : "2023-11-08T09:43:38Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "1ce85ff3-bc60-44fe-963e-b452fffc97c4", + "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-534878", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N" + } + ], + "description" : "## Overview [org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl) is a high-performance data binding package built on Jackson JSON processor. Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. via the `DOMDeserializer.class` file and its inner classes (`DocumentDeserializer.class` and `NodeDeserializer.class`) that uses the `_parserFactory` instance without restric [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2019-11-19T11:44:30Z", + "published" : "2019-11-19T11:56:32Z", + "updated" : "2024-03-11T09:54:00Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "5cfc8ca5-3e9b-4643-b175-012724d716ed", + "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-3326362", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 9.8, + "severity" : "critical", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "description" : "## Overview [org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl) is a high-performance data binding package built on Jackson JSON processor. Affected versions of this package are vulnerable to Improper Input Validation which results in several instances of deserialization of untrusted data. This issue is parallel to vulnerabilities reported and fixed in jackson-databind (CVE-2017-17485, CVE-2017-7525, [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-02-21T07:30:54Z", + "published" : "2023-03-01T08:47:56Z", + "updated" : "2024-03-11T09:54:00Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "ef05c048-e001-4375-8306-9eecce182cfc", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316638", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Denial of Service (DoS). 
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against [...] + "recommendation" : "Upgrade the package version to 1.21 to fix this vulnerability", + "created" : "2021-07-13T11:27:28Z", + "published" : "2021-07-13T15:29:21Z", + "updated" : "2024-03-11T09:53:57Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "557ace8c-3ba0-4b34-b3bd-7475ecb0de6a", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316639", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Denial of Service (DoS). When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz [...] 
+ "recommendation" : "Upgrade the package version to 1.21 to fix this vulnerability", + "created" : "2021-07-13T11:33:38Z", + "published" : "2021-07-13T15:29:20Z", + "updated" : "2024-03-11T09:53:53Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "fb8cad05-1fe6-4f5f-aa40-a4835cfe597a", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316640", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Denial of Service (DoS). When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against [...] + "recommendation" : "Upgrade the package version to 1.21 to fix this vulnerability", + "created" : "2021-07-13T11:35:27Z", + "published" : "2021-07-13T15:29:20Z", + "updated" : "2024-03-11T09:53:51Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "f8de35b3-546f-4ad9-99c0-9cfb6bb26ae1", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316641", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Denial of Service (DoS). 
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial of service attack against [...] + "recommendation" : "Upgrade the package version to 1.21 to fix this vulnerability", + "created" : "2021-07-13T11:39:11Z", + "published" : "2021-07-13T15:29:20Z", + "updated" : "2024-03-11T09:53:57Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Infinite loop due to the improper handling of certain inputs during the parsing of dump files. An attacker can cause the application to enter an infinite loop by supplying crafted inputs. ## Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...] 
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this vulnerability", + "created" : "2024-02-20T10:52:07Z", + "published" : "2024-02-20T10:52:07Z", + "updated" : "2024-04-27T13:35:10Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "7c5ae575-fa55-4f6e-b64e-bd927a3e1e37", + "id" : "SNYK-JAVA-ORGECLIPSEPARSSON-6044728", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Improper Input Validation when parsing `JSON` files from untrusted sources. An attacker can exploit the built-in support for parsing numbers with large scale where the input text of a number can lead to much larger processing time than expected. ## Remediation Upgrade `org.eclipse.parsson:parsson` to version 1.0.5, 1.1.4 or higher. ## References - [GitHub Commit](https://github.com/eclipse-ee4j/parsson [...] + "recommendation" : "Upgrade the package version to 1.0.5,1.1.4 to fix this vulnerability", + "created" : "2023-11-03T12:32:13Z", + "published" : "2023-11-03T12:36:19Z", + "updated" : "2024-03-11T09:54:04Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. 
A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "0ffc3f54-92d3-4f01-8b52-9fb99a994d72", + "id" : "SNYK-JAVA-ORGYAML-3152153", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 9.8, + "severity" : "critical", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "description" : "## Overview [org.yaml:snakeyaml](https://code.google.com/p/snakeyaml/source/browse/) is a YAML 1.1 parser and emitter for Java. Affected versions of this package are vulnerable to Arbitrary Code Execution in the `Constructor` class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the `SafeConstructor` class. The maintainers of the libr [...] 
+ "recommendation" : "Upgrade the package version to 2.0 to fix this vulnerability", + "created" : "2022-12-01T14:55:37Z", + "published" : "2022-12-08T18:58:07Z", + "updated" : "2024-06-27T14:59:48Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "ba9b5b48-9e9d-4b46-b885-92767e95af9a", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475534", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0) is a group of tools to assist in the reading of configuration/preferences files in various formats. Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of certain configurations in the `AbstractListDelimiterHandler.flattenIterator` method. An attacker can trigger a stack overflow b [...] + "recommendation" : "Upgrade the package version to 2.10.1 to fix this vulnerability", + "created" : "2024-03-21T15:04:18Z", + "published" : "2024-03-21T15:09:43Z", + "updated" : "2024-04-23T11:01:46Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9b98e428-165c-4c49-84b3-0842e1c04dd8", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475528", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0) is a group of tools to assist in the reading of configuration/preferences files in various formats. 
Affected versions of this package are vulnerable to Out-of-Bounds Write due to the improper handling of a cyclical object tree when calling the `ListDelimiterHandler.flatten` method. An attacker can trigger a StackOverflowError and [...] + "recommendation" : "Upgrade the package version to 2.10.1 to fix this vulnerability", + "created" : "2024-03-21T15:01:49Z", + "published" : "2024-03-21T15:07:58Z", + "updated" : "2024-04-23T11:01:46Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "2bf053f1-5d6d-4a04-9756-4ab5599451e1", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-2841508", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 4.8, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Cryptographic Issues via weak key-hash message authentication code (HMAC) that is only 16 bits long which can result in hash collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) files and could lead to an attacker being abl [...] 
+ "recommendation" : "Upgrade the package version to 1.69 to fix this vulnerability", + "created" : "2022-05-23T09:25:43Z", + "published" : "2022-05-26T11:36:47Z", + "updated" : "2024-03-06T13:56:37Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Information Exposure due to missing validation for the X.500 name of any certificate, subject, or issuer. The presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-07-11T15:15:48Z", + "published" : "2023-06-30T08:15:58Z", + "updated" : "2024-03-11T09:54:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. 
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a file that has crafted `ASN.1` data through the `PEMParser` causes an `OutOfMemoryError`. ## Workaround The attack can be avoid [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-11-24T08:10:03Z", + "published" : "2023-11-24T08:21:18Z", + "updated" : "2024-06-19T13:32:28Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via `javax.crypto.Cipher` exc [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-02-26T18:00:10Z", + "published" : "2024-03-03T21:08:12Z", + "updated" : "2024-04-21T07:48:52Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "fab9a60e-1dce-4c53-9011-676898520e62", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1052448", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 8.1, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Comparison Using Wrong Factors. The `OpenBSDBCrypt.checkPassword` utility method compared incorrect data when checking the password, allowing incorrect passwords to indicate they were matching with previously hashed ones that were different. ## Reme [...] + "recommendation" : "Upgrade the package version to 1.67 to fix this vulnerability", + "created" : "2020-12-18T11:32:45Z", + "published" : "2020-12-18T16:33:09Z", + "updated" : "2024-03-11T09:53:49Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "462d6e04-9eef-431b-839d-27f7210b2063", + "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "description" : "## Overview [org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient component of the Apache HttpComponents project. Affected versions of this package are vulnerable to Improper Input Validation. 
Apache HttpClient can misinterpret malformed authority component in request URIs passed to the library as `java.net.URI` object and pick the wrong target host for request execution. ## Remediation Upgrade `org.apache.httpcomponents:httpclient` to versi [...] + "recommendation" : "Upgrade the package version to 4.5.13 to fix this vulnerability", + "created" : "2020-12-03T12:39:42Z", + "published" : "2020-12-03T16:47:50Z", + "updated" : "2024-03-11T09:53:47Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "dde186cb-589c-4717-a0ec-279071e15af9", + "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient component of the Apache HttpComponents project. Affected versions of this package are vulnerable to Directory Traversal. String input by user is not validated for the presence of leading character `/` and is passed to the constructor as `path` information, resulting in a Directory Traversal vulnerability. ## Details A Directory Traversal attack (also known as path traversal) a [...] 
+ "recommendation" : "Upgrade the package version to 4.5.3 to fix this vulnerability", + "created" : "2017-01-17T07:28:21Z", + "published" : "2017-09-20T00:00:00Z", + "updated" : "2024-03-06T14:01:21Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "462d6e04-9eef-431b-839d-27f7210b2063", + "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "description" : "## Overview [org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient component of the Apache HttpComponents project. Affected versions of this package are vulnerable to Improper Input Validation. Apache HttpClient can misinterpret malformed authority component in request URIs passed to the library as `java.net.URI` object and pick the wrong target host for request execution. ## Remediation Upgrade `org.apache.httpcomponents:httpclient` to versi [...] + "recommendation" : "Upgrade the package version to 4.5.13 to fix this vulnerability", + "created" : "2020-12-03T12:39:42Z", + "published" : "2020-12-03T16:47:50Z", + "updated" : "2024-03-11T09:53:47Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71", + "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the `GzipSource` class when parsing a malformed gzip buffer. 
This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive. ## PoC ```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString = (\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz: GzipSource = GzipSource(gzBuf) [...] + "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix this vulnerability", + "created" : "2023-07-13T08:54:58Z", + "published" : "2023-07-13T09:04:26Z", + "updated" : "2024-04-08T08:36:20Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7", + "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp) is a HTTP & HTTP/2 client for Android and Java applications Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an `IllegalArgumentException` is thrown whose message includes the full header value. ## PoC ``` package com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...] 
+ "recommendation" : "Upgrade the package version to 4.9.2 to fix this vulnerability", + "created" : "2022-07-22T06:59:36Z", + "published" : "2022-07-22T06:59:36Z", + "updated" : "2024-03-11T09:53:38Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "d4df2818-7fef-4ccd-bea2-6ca4f37d4888", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1296075", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Timing Attack. A timing issue within the EC math library can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures. ## Remediation Upgrade `org.b [...] + "recommendation" : "Upgrade the package version to 1.66 to fix this vulnerability", + "created" : "2021-05-20T17:21:17Z", + "published" : "2021-05-20T17:22:54Z", + "updated" : "2024-03-11T09:53:53Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8", + "id" : "SNYK-JAVA-COMGITHUBJNR-1570422", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 8.1, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade `com.github.jnr:jnr-posix` to version 3.1.8 or higher. 
## References - [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)", + "recommendation" : "Upgrade the package version to 3.1.8 to fix this vulnerability", + "created" : "2021-08-27T16:00:23Z", + "published" : "2021-09-06T15:30:41Z", + "updated" : "2024-03-06T14:01:33Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8", + "id" : "SNYK-JAVA-COMGITHUBJNR-1570422", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 8.1, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade `com.github.jnr:jnr-posix` to version 3.1.8 or higher. 
## References - [CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)", + "recommendation" : "Upgrade the package version to 3.1.8 to fix this vulnerability", + "created" : "2021-08-27T16:00:23Z", + "published" : "2021-09-06T15:30:41Z", + "updated" : "2024-03-06T14:01:33Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "68e35d90-7008-4ca2-b8ce-f2c8cace740e", + "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5820002", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the `GzipSource` class when parsing a malformed gzip buffer. This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive. ## PoC ```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString = (\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz: GzipSource = GzipSource(gzBuf) [...] 
+ "recommendation" : "Upgrade the package version to 3.4.0 to fix this vulnerability", + "created" : "2023-08-04T12:48:52Z", + "published" : "2023-07-13T09:04:26Z", + "updated" : "2024-04-08T08:36:20Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "3105f865-1b87-4c40-a9de-01e787fd87a2", + "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5918282", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a missing upper bound check on chunk length in the `SnappyInputStream` function. An attacker can decompress data with an excessively large chunk size. ## Remediation Upgrade `org.xerial.snappy:snappy-java` to version 1.1.10.4 or higher. ## References - [GitHub Commit](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917 [...] + "recommendation" : "Upgrade the package version to 1.1.10.4 to fix this vulnerability", + "created" : "2023-09-26T06:24:11Z", + "published" : "2023-09-26T09:05:16Z", + "updated" : "2024-03-11T09:54:02Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "ed0a8992-85a5-49cd-b9be-7d48ba351848", + "id" : "SNYK-JAVA-COMJAYWAYJSONPATH-6140361", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Buffer Overflow via the deprecated `Criteria.parse` or `Criteria.where` methods. 
An attacker can disrupt the regular operation of the application by supplying a specially crafted input that triggers a stack overflow. Exploiting this vulnerability requires insecure configurations on the server side, for example - handling requests in a one single thread. ## PoC ```java import com.jayway.jsonpath.Criteri [...] + "recommendation" : "Upgrade the package version to 2.9.0 to fix this vulnerability", + "created" : "2023-12-28T14:45:06Z", + "published" : "2024-01-21T15:14:21Z", + "updated" : "2024-03-11T09:49:29Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "3105f865-1b87-4c40-a9de-01e787fd87a2", + "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5918282", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a missing upper bound check on chunk length in the `SnappyInputStream` function. An attacker can decompress data with an excessively large chunk size. ## Remediation Upgrade `org.xerial.snappy:snappy-java` to version 1.1.10.4 or higher. ## References - [GitHub Commit](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917 [...] 
+ "recommendation" : "Upgrade the package version to 1.1.10.4 to fix this vulnerability", + "created" : "2023-09-26T06:24:11Z", + "published" : "2023-09-26T09:05:16Z", + "updated" : "2024-03-11T09:54:02Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "f7d6d98d-008b-4bf9-8b2c-b0f193b30a39", + "id" : "SNYK-JAVA-ORGAPACHEAVRO-5926693", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.avro:avro](https://avro.apache.org/) is an Avro core components Affected versions of this package are vulnerable to Improper Input Validation when deserializing untrusted or corrupted data. An attacker can consume memory beyond the allowed constraints, resulting in the system being out of memory. ## Remediation Upgrade `org.apache.avro:avro` to version 1.11.3 or higher. ## References - [Apache List](https://lists.apache.org/thread/q142wj99cw [...] + "recommendation" : "Upgrade the package version to 1.11.3 to fix this vulnerability", + "created" : "2023-10-01T10:48:46Z", + "published" : "2023-10-01T11:21:06Z", + "updated" : "2024-03-11T09:54:02Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "16643a38-1b57-426e-b879-3fb71305aceb", + "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710961", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the function `compress(char[] input)` in `Snappy.java` due to improper validation of the array length. 
Exploiting this vulnerability is possible when the “buf” array compiled by the `maxCompressedLength` function is successfully allocated but its size might be too small to use for the compression, causing a fatal Access Violation error. **Note:** The issue most likely [...] + "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this vulnerability", + "created" : "2023-06-16T08:17:19Z", + "published" : "2023-06-16T08:17:19Z", + "updated" : "2024-03-11T09:54:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "dd3e4d18-72a9-4fa6-9afc-d0477b90aa0c", + "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710960", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Denial of Service (DoS) via the `hasNextChunk` function due to improper validation of the `chunkSize` variable value. Exploiting this vulnerability is possible by passing a negative number (such as `0xFFFFFFFF`, which is -1), which will cause the code to raise a `java.lang.NegativeArraySizeException` exception. A worse case would happen when passing a huge positive value (such as `0x7FFFFFFF`), raising [...] 
+ "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this vulnerability", + "created" : "2023-06-16T08:05:41Z", + "published" : "2023-06-16T08:05:41Z", + "updated" : "2024-03-11T09:54:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7", + "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp) is a HTTP & HTTP/2 client for Android and Java applications Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an `IllegalArgumentException` is thrown whose message includes the full header value. ## PoC ``` package com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...] + "recommendation" : "Upgrade the package version to 4.9.2 to fix this vulnerability", + "created" : "2022-07-22T06:59:36Z", + "published" : "2022-07-22T06:59:36Z", + "updated" : "2024-03-11T09:53:38Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71", + "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the `GzipSource` class when parsing a malformed gzip buffer. 
This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive. ## PoC ```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString = (\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz: GzipSource = GzipSource(gzBuf) [...] + "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix this vulnerability", + "created" : "2023-07-13T08:54:58Z", + "published" : "2023-07-13T09:04:26Z", + "updated" : "2024-04-08T08:36:20Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "8a5ad283-2082-4fda-8209-9466a598fc20", + "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710959", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound via the `shuffle(int[] input)` function due to improper validation of the multiplications done on the input length. Exploiting this vulnerability is possible by passing negative, zero, float, very small, or very long values to the `shuffle` functions, which later on are multiplicated by four. A successful exploration results in “java.lang.ArrayIndexOutOfBoundsException\" [...] 
+ "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this vulnerability", + "created" : "2023-06-16T07:52:47Z", + "published" : "2023-06-16T07:52:47Z", + "updated" : "2024-03-11T09:54:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "54bb58b0-d5ec-47bf-a2b2-4301f1c1bbf3", + "id" : "SNYK-JAVA-ORGAPACHECOMMONS-32473", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.apache.commons:commons-compress](https://github.com/apache/commons-compress) is an API for working with compression and archive formats. Affected versions of this package are vulnerable to Denial of Service (DoS). When reading a specially crafted ZIP archive, the read method might fail to return the correct `EOF` indication after the end of the stream has been reached. If it combined with a `java.io.InputStreamReader`, it can lead to an infinite st [...] 
+ "recommendation" : "Upgrade the package version to 1.18-RC1 to fix this vulnerability", + "created" : "2018-08-16T14:26:43Z", + "published" : "2018-08-19T13:36:14Z", + "updated" : "2024-03-11T09:48:50Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7", + "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp) is a HTTP & HTTP/2 client for Android and Java applications Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an `IllegalArgumentException` is thrown whose message includes the full header value. ## PoC ``` package com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...] + "recommendation" : "Upgrade the package version to 4.9.2 to fix this vulnerability", + "created" : "2022-07-22T06:59:36Z", + "published" : "2022-07-22T06:59:36Z", + "updated" : "2024-03-11T09:53:38Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71", + "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the `GzipSource` class when parsing a malformed gzip buffer. 
This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive. ## PoC ```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString = (\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz: GzipSource = GzipSource(gzBuf) [...] + "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix this vulnerability", + "created" : "2023-07-13T08:54:58Z", + "published" : "2023-07-13T09:04:26Z", + "updated" : "2024-04-08T08:36:20Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "e25cb34f-59e4-497e-a67e-669c112d84c6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Improper Locking due to inability to lock dependencies for Multiplatform Gradle Projects. ## Remediation Upgrade `org.jetbrains.kotlin:kotlin-stdlib` to version 1.6.0 or higher. ## References - [JetBrains Issue](https://youtrack.jetbrains.com/issue/KT-49449) - [...] 
+ "recommendation" : "Upgrade the package version to 1.6.0 to fix this vulnerability", + "created" : "2022-04-12T12:56:51Z", + "published" : "2022-04-12T14:21:55Z", + "updated" : "2024-03-11T09:49:25Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71", + "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the `GzipSource` class when parsing a malformed gzip buffer. This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive. ## PoC ```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString = (\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz: GzipSource = GzipSource(gzBuf) [...] + "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix this vulnerability", + "created" : "2023-07-13T08:54:58Z", + "published" : "2023-07-13T09:04:26Z", + "updated" : "2024-04-08T08:36:20Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "533bb1ce-7b5a-4881-a3b0-309aead23e1f", + "id" : "SNYK-JAVA-ORGMOZILLA-1314295", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 8.2, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:R" + } + ], + "description" : "## Overview [org.mozilla:rhino](https://github.com/mozilla/rhino) is a Rhino is an open-source implementation of JavaScript written entirely in Java. It is typically embedded into Java applications to provide scripting to end users. 
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. The function `toXml` allows usage of external entities when parsing an XML document. ## Details XXE Injection is a type of attack against an applic [...] + "recommendation" : "Upgrade the package version to 1.7.12 to fix this vulnerability", + "created" : "2021-06-24T10:42:20Z", + "published" : "2021-06-24T14:49:34Z", + "updated" : "2024-03-06T14:00:46Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7", + "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp) is a HTTP & HTTP/2 client for Android and Java applications Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an `IllegalArgumentException` is thrown whose message includes the full header value. ## PoC ``` package com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...] 
+ "recommendation" : "Upgrade the package version to 4.9.2 to fix this vulnerability", + "created" : "2022-07-22T06:59:36Z", + "published" : "2022-07-22T06:59:36Z", + "updated" : "2024-03-11T09:53:38Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "b9ddb5ce-ece9-42e4-b836-38b61c4f8386", + "id" : "SNYK-JAVA-ORGTHREETEN-6592149", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the `org.threeten.bp.LocalDate::compareTo(ChronoLocalDate)` method. An attacker can trigger a `NullPointerException` by supplying a null object as an argument to the `other` parameter. ## Remediation There is no fixed version for `org.threeten:threetenbp`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3) - [Vulnerable Code](http [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-09T06:33:27Z", + "published" : "2024-04-09T06:50:04Z", + "updated" : "2024-04-09T07:07:18Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "554bc189-75fa-429f-a2d4-727c886c157e", + "id" : "SNYK-JAVA-ORGTHREETEN-6591891", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 6.2, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the `org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition)` method, when the string is empty, the parameter index is 10, and the `errorIndex` is 10. ## Remediation There is no fixed version for `org.threeten:threetenbp`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90) - [Vulnerable Code](https://gith [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-08T19:36:37Z", + "published" : "2024-04-09T06:16:54Z", + "updated" : "2024-04-09T06:16:54Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "b6912050-0f59-4a66-98f4-9198a08b2afc", + "id" : "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.4, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N" + } + ], + "description" : "## Overview [org.springframework:spring-web](https://github.com/spring-projects/spring-framework) is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform. Affected versions of this package are vulnerable to Open Redirect when `UriComponentsBuilder` is used to parse an externally provided URL and perform validation checks on the host of the parsed URL. **Note:** [...] + "recommendation" : "Upgrade the package version to 5.3.34,6.0.19,6.1.6 to fix this vulnerability", + "created" : "2024-04-12T08:32:41Z", + "published" : "2024-04-12T08:32:41Z", + "updated" : "2024-04-16T13:32:25Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. 
An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. ## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. ## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. ## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53", + "id" : "SNYK-JAVA-JODATIME-6595834", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the component `org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger a `NullPointerException` by supplying a null value to the `Locale` parameter. ## Remediation There is no fixed version for `joda-time:joda-time`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - [Vulnerable Code](https://github.com/Jo [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-11T06:34:09Z", + "published" : "2024-04-11T06:34:09Z", + "updated" : "2024-04-11T13:35:26Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class. An attacker can send a malicious signature and public key to trigger denial of service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 or higher. ## References - [GitHub Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49) - [GitHub Issue](https://github.com/bcgit/bc-java/issu [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T09:52:22Z", + "published" : "2024-04-14T13:27:01Z", + "updated" : "2024-04-14T13:27:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class. An attacker can send a malicious signature and public key to trigger denial of service. 
## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 or higher. ## References - [GitHub Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49) - [GitHub Issue](https://github.com/bcgit/bc-java/issu [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T09:52:22Z", + "published" : "2024-04-14T13:27:01Z", + "updated" : "2024-04-14T13:27:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class. An attacker can send a malicious signature and public key to trigger denial of service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 or higher. ## References - [GitHub Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49) - [GitHub Issue](https://github.com/bcgit/bc-java/issu [...] 
+ "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T09:52:22Z", + "published" : "2024-04-14T13:27:01Z", + "updated" : "2024-04-14T13:27:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `solveQuadraticEquation()` function used for certificate verification in `ECCurve.java`. Passing a large f2m parameter can cause excessive CPU consumption. ## Remediation There is no fixed [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-14T15:09:02Z", + "published" : "2024-04-14T15:09:02Z", + "updated" : "2024-04-14T15:09:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `solveQuadraticEquation()` function used for certificate verification in `ECCurve.java`. 
Passing a large f2m parameter can cause excessive CPU consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 or higher. ## References - [GitHub Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T15:09:02Z", + "published" : "2024-04-14T15:09:02Z", + "updated" : "2024-04-14T15:09:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin. **Note:** The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` t [...] 
+ "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T14:45:29Z", + "published" : "2024-04-14T14:45:29Z", + "updated" : "2024-05-29T14:05:06Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `solveQuadraticEquation()` function used for certificate verification in `ECCurve.java`. Passing a large f2m parameter can cause excessive CPU consumption. ## Remediation There is no fixed [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-14T15:09:02Z", + "published" : "2024-04-14T15:09:02Z", + "updated" : "2024-04-14T15:09:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `solveQuadraticEquation()` function used for certificate verification in `ECCurve.java`. 
Passing a large f2m parameter can cause excessive CPU consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 or higher. ## References - [GitHub Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T15:09:02Z", + "published" : "2024-04-14T15:09:02Z", + "updated" : "2024-04-14T15:09:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `solveQuadraticEquation()` function used for certificate verification in `ECCurve.java`. Passing a large f2m parameter can cause excessive CPU consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 1.78 or higher. ## References - [GitHub Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a [...] 
+ "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T15:09:02Z", + "published" : "2024-04-14T15:09:02Z", + "updated" : "2024-04-14T15:09:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin. **Note:** The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` t [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T14:45:29Z", + "published" : "2024-04-14T14:45:29Z", + "updated" : "2024-05-29T14:05:06Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Observable Discrepancy due to the timing difference between exceptions thrown when processing RSA key exchange handshakes, AKA Marvin. 
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1 interface, but does not fully alleviate the side-channel as it allows cases in which the padding check fails but the handshake succeeds. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` t [...] + "recommendation" : "Upgrade the package version to 1.78 to fix this vulnerability", + "created" : "2024-04-14T14:45:29Z", + "published" : "2024-04-14T14:45:29Z", + "updated" : "2024-05-29T14:05:06Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in the `solveQuadraticEquation()` function used for certificate verification in `ECCurve.java`. Passing a large f2m parameter can cause excessive CPU consumption. ## Remediation There is no fixed [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-14T15:09:02Z", + "published" : "2024-04-14T15:09:02Z", + "updated" : "2024-04-14T15:09:03Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Information Exposure due to missing validation for the X.500 name of any certificate, subject, or issuer. The presence of a wild card may lead to information disclosure. This could allow a malicious user to obtain unauthorized information via blind [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-07-11T15:15:48Z", + "published" : "2023-06-30T08:15:58Z", + "updated" : "2024-03-11T09:54:01Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.5, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. 
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a file that has crafted `ASN.1` data through the `PEMParser` causes an `OutOfMemoryError`. ## Workaround The attack can be avoid [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2023-11-24T08:10:03Z", + "published" : "2023-11-24T08:21:18Z", + "updated" : "2024-06-19T13:32:28Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4", + "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.9, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N" + } + ], + "description" : "## Overview [org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on) is a Java implementation of cryptographic algorithms. Affected versions of this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP decryption process. An attacker can recover ciphertexts via a side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector leaks data via `javax.crypto.Cipher` exc [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-02-26T18:00:10Z", + "published" : "2024-03-03T21:08:12Z", + "updated" : "2024-04-21T07:48:52Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "2817c193-763d-4ecf-944c-d9972570e12f", + "id" : "SNYK-JAVA-COMNIMBUSDS-6247633", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 7.5, + "severity" : "high", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview [com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) is a library for JSON Web Tokens (JWT) Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to a large JWE `p2c` header value (AKA iteration count) for the `PasswordBasedDecrypter` (PBKDF2) class. An attacker can cause resource consumption by specifying an excessively large iteration count. ## Remediation Upgrade `com.n [...] + "recommendation" : "Upgrade the package version to 9.37.2 to fix this vulnerability", + "created" : "2024-02-15T08:19:31Z", + "published" : "2024-02-15T10:01:12Z", + "updated" : "2024-03-06T14:09:44Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "b9ddb5ce-ece9-42e4-b836-38b61c4f8386", + "id" : "SNYK-JAVA-ORGTHREETEN-6592149", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to NULL Pointer Dereference via the `org.threeten.bp.LocalDate::compareTo(ChronoLocalDate)` method. 
An attacker can trigger a `NullPointerException` by supplying a null object as an argument to the `other` parameter. ## Remediation There is no fixed version for `org.threeten:threetenbp`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3) - [Vulnerable Code](http [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-09T06:33:27Z", + "published" : "2024-04-09T06:50:04Z", + "updated" : "2024-04-09T07:07:18Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "554bc189-75fa-429f-a2d4-727c886c157e", + "id" : "SNYK-JAVA-ORGTHREETEN-6591891", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 6.2, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H" + } + ], + "description" : "## Overview Affected versions of this package are vulnerable to Integer Overflow or Wraparound in the `org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition)` method, when the string is empty, the parameter index is 10, and the `errorIndex` is 10. ## Remediation There is no fixed version for `org.threeten:threetenbp`. ## References - [GitHub Gist](https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90) - [Vulnerable Code](https://gith [...] 
+ "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2024-04-08T19:36:37Z", + "published" : "2024-04-09T06:16:54Z", + "updated" : "2024-04-09T06:16:54Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + }, + { + "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6", + "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744", + "source" : { + "name" : "SNYK" + }, + "ratings" : [ + { + "source" : { + "name" : "SNYK" + }, + "score" : 5.3, + "severity" : "medium", + "method" : "CVSSv31", + "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N" + } + ], + "description" : "## Overview [org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib) is a Kotlin Standard Library for JVM. Affected versions of this package are vulnerable to Information Exposure. 
A Kotlin application using `createTempDir` or `createTempFile` and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system. **Note:** As of ver [...] + "recommendation" : "Upgrade the package version to to fix this vulnerability", + "created" : "2022-02-04T09:36:58Z", + "published" : "2022-02-04T14:31:42Z", + "updated" : "2024-03-11T09:50:55Z", + "affects" : [ + { + "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23" + } + ] + } + ] +} \ No newline at end of file
