This is an automated email from the ASF dual-hosted git repository.
acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 6c1249adf8b Added VEX file from CycloneDX SBOM (#14767)
6c1249adf8b is described below
commit 6c1249adf8b68dff4ca3dd5465cb2eec3531603c
Author: Andrea Cosentino <[email protected]>
AuthorDate: Tue Jul 9 11:01:25 2024 +0200
Added VEX file from CycloneDX SBOM (#14767)
Signed-off-by: Andrea Cosentino <[email protected]>
---
camel-sbom/camel-sbom.vex.json | 2990 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 2990 insertions(+)
diff --git a/camel-sbom/camel-sbom.vex.json b/camel-sbom/camel-sbom.vex.json
new file mode 100644
index 00000000000..0e075dbef3d
--- /dev/null
+++ b/camel-sbom/camel-sbom.vex.json
@@ -0,0 +1,2990 @@
+{
+ "bomFormat" : "CycloneDX",
+ "specVersion" : "1.5",
+ "serialNumber" : "urn:uuid:11f97572-cc57-4d08-9f52-b6d29f097725",
+ "version" : 1,
+ "metadata" : {
+ "timestamp" : "2024-07-09T08:44:32Z",
+ "tools" : [
+ {
+ "vendor" : "OWASP",
+ "name" : "Dependency-Track",
+ "version" : "4.10.1"
+ }
+ ],
+ "component" : {
+ "name" : "Camel",
+ "version" : "4",
+ "externalReferences" : [
+ {
+ "type" : "website",
+ "url" : "https://camel.apache.org";
+ },
+ {
+ "type" : "distribution-intake",
+ "url" :
"https://repository.apache.org/service/local/staging/deploy/maven2";
+ },
+ {
+ "type" : "issue-tracker",
+ "url" : "https://issues.apache.org/jira/browse/CAMEL";
+ },
+ {
+ "type" : "mailing-list",
+ "url" : "[email protected]"
+ },
+ {
+ "type" : "vcs",
+ "url" : "https://gitbox.apache.org/repos/asf?p=camel.git;a=summary";
+ }
+ ],
+ "type" : "library",
+ "bom-ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ },
+ "vulnerabilities" : [
+ {
+ "bom-ref" : "05b4242e-e1bd-424c-8ede-2568da828d30",
+ "id" : "SNYK-JAVA-IOAIRLIFT-7164637",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 8.2,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Out-of-bounds Read via the decompression process due to improper
input length validation in the functions
`SnappyRawDecompressor.readUncompressedLengt`,
`SnappyRawDecompressor.uncompressAll`, `ZstdFrameDecompressor.decompress`,
`Lz4RawDecompressor.decompress` and `LzoRawDecompressor.decompress`. By
exploiting this vulnerability, an attacker can crash the JVM or leak sensitive
information by decompressi [...]
+ "recommendation" : "Upgrade the package version to 0.27 to fix this
vulnerability",
+ "created" : "2024-05-30T06:38:51Z",
+ "published" : "2024-05-30T10:47:25Z",
+ "updated" : "2024-06-06T12:41:41Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "d8dd9c4f-d279-4c67-996c-10c28a29895f",
+ "id" : "SNYK-JAVA-IONETTY-1042268",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.4,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "cwes" : [
+ 295
+ ],
+ "description" : "## Overview
[io.netty:netty-handler](https://github.com/netty/netty.git/netty-handler) is a
library that provides an asynchronous event-driven network application
framework and tools for rapid development of maintainable high performance and
high scalability protocol servers and clients. In other words, Netty is a NIO
client server framework which enables quick and easy development of network
applications such as protocol servers and clients. It greatly simplifies [...]
+ "created" : "2020-11-20T15:44:58Z",
+ "updated" : "2023-10-11T01:10:45Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "4ead0905-39e8-4b79-986c-a827289dadd4",
+ "id" : "SNYK-JAVA-ORGJSON-5962464",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling. An attacker
can cause indefinite amounts of memory to be used by inputting a string of
modest size. This can lead to a Denial of Service. ## PoC ```java package
orgjsonbug; import org.json.JSONObject; /** * Illustrates a bug in JSON-Java.
*/ public class Bug { private static String makeNested(int depth) { if (depth
== 0) { return \"{\\\"a\\\":1}\"; [...]
+ "recommendation" : "Upgrade the package version to 20231013 to fix this
vulnerability",
+ "created" : "2023-10-13T06:42:49Z",
+ "published" : "2023-10-13T06:42:49Z",
+ "updated" : "2024-03-11T09:54:02Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "d8dd9c4f-d279-4c67-996c-10c28a29895f",
+ "id" : "SNYK-JAVA-IONETTY-1042268",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.4,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+ }
+ ],
+ "cwes" : [
+ 295
+ ],
+ "description" : "## Overview
[io.netty:netty-handler](https://github.com/netty/netty.git/netty-handler) is a
library that provides an asynchronous event-driven network application
framework and tools for rapid development of maintainable high performance and
high scalability protocol servers and clients. In other words, Netty is a NIO
client server framework which enables quick and easy development of network
applications such as protocol servers and clients. It greatly simplifies [...]
+ "created" : "2020-11-20T15:44:58Z",
+ "updated" : "2023-10-11T01:10:45Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "59203aaa-d1b6-48cf-84a0-d7dd732af3f1",
+ "id" : "SNYK-JAVA-CHQOSLOGBACK-6097493",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core)
is a logback-core module. Affected versions of this package are vulnerable to
Uncontrolled Resource Consumption ('Resource Exhaustion') via the `logback
receiver` component. An attacker can mount a denial-of-service attack by
sending poisoned data. **Note:** Successful exploitation requires the
logback-receiver component being enabled and also reachable by the [...]
+ "recommendation" : "Upgrade the package version to 1.2.13,1.3.14,1.4.14
to fix this vulnerability",
+ "created" : "2023-12-04T14:58:05Z",
+ "published" : "2023-12-04T15:19:16Z",
+ "updated" : "2024-03-11T09:54:09Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "633bf2f4-a92d-4dd9-a022-ba9dd72a9e83",
+ "id" : "SNYK-JAVA-CHQOSLOGBACK-6094943",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[ch.qos.logback:logback-core](https://mvnrepository.com/artifact/ch.qos.logback/logback-core)
is a logback-core module. Affected versions of this package are vulnerable to
Denial of Service (DoS). An attacker can mount a denial-of-service attack by
sending poisoned data. This is only exploitable if logback receiver component
is deployed. ## Details Denial of Service (DoS) describes a family of attacks,
all aimed at making a system inaccessible to its in [...]
+ "recommendation" : "Upgrade the package version to 1.2.13,1.3.12,1.4.12
to fix this vulnerability",
+ "created" : "2023-11-29T14:25:58Z",
+ "published" : "2023-11-29T14:25:58Z",
+ "updated" : "2024-03-11T09:54:08Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "125895eb-218a-4236-951b-3e196f958fc8",
+ "id" : "SNYK-JAVA-CHQOSLOGBACK-6097492",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic)
is a reliable, generic, fast and flexible logging library for Java. Affected
versions of this package are vulnerable to Uncontrolled Resource Consumption
('Resource Exhaustion') via the `logback receiver` component. An attacker can
mount a denial-of-service attack by sending poisoned data. **Note:** Successful
exploitation requires the logback-receiver co [...]
+ "recommendation" : "Upgrade the package version to 1.2.13,1.3.14,1.4.14
to fix this vulnerability",
+ "created" : "2023-12-04T14:58:05Z",
+ "published" : "2023-12-04T15:19:15Z",
+ "updated" : "2024-03-11T09:54:09Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "446995be-0b71-44bc-b57c-c740662ce6ad",
+ "id" : "SNYK-JAVA-CHQOSLOGBACK-6094942",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[ch.qos.logback:logback-classic](https://mvnrepository.com/artifact/ch.qos.logback/logback-classic)
is a reliable, generic, fast and flexible logging library for Java. Affected
versions of this package are vulnerable to Denial of Service (DoS). An attacker
can mount a denial-of-service attack by sending poisoned data. This is only
exploitable if logback receiver component is deployed. ## Details Denial of
Service (DoS) describes a family of attacks, all [...]
+ "recommendation" : "Upgrade the package version to 1.2.13,1.3.12,1.4.12
to fix this vulnerability",
+ "created" : "2023-11-29T14:25:57Z",
+ "published" : "2023-11-29T14:25:58Z",
+ "updated" : "2024-03-11T09:54:08Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Allocation of Resources Without Limits or
Throttling due to an `OutOfMemoryError` during the handling of a broken
`Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to
version 1.26.0 or higher. ## References - [Apache Lists](https://list [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:55:46Z",
+ "published" : "2024-02-20T10:55:46Z",
+ "updated" : "2024-05-09T13:32:28Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Infinite loop due to the improper handling of
certain inputs during the parsing of dump files. An attacker can cause the
application to enter an infinite loop by supplying crafted inputs. ##
Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:52:07Z",
+ "published" : "2024-02-20T10:52:07Z",
+ "updated" : "2024-04-27T13:35:10Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP
decryption process. An attacker can recover ciphertexts via a side-channel
attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector
leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector
leaks via the bit size of the decrypted data. ## Remediation Upgrade
`org.bouncycastle:bcprov-jdk18on` to version 1.78 [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-02-26T18:00:10Z",
+ "published" : "2024-03-03T21:08:12Z",
+ "updated" : "2024-04-21T07:48:52Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "d0eefed3-e310-42c0-8479-606918c931e9",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-5901530",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Improper Input Validation when parsing TAR
files. An attacker can manipulate file modification times headers, leading to a
denial of service issue via CPU consumption. **Note:** This is only exploitable
if applications are using the `CompressorStreamFactory` clas [...]
+ "recommendation" : "Upgrade the package version to 1.24.0 to fix this
vulnerability",
+ "created" : "2023-09-14T12:49:35Z",
+ "published" : "2023-09-14T12:56:19Z",
+ "updated" : "2024-03-11T09:49:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Allocation of Resources Without Limits or
Throttling due to an `OutOfMemoryError` during the handling of a broken
`Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to
version 1.26.0 or higher. ## References - [Apache Lists](https://list [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:55:46Z",
+ "published" : "2024-02-20T10:55:46Z",
+ "updated" : "2024-05-09T13:32:28Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Infinite loop due to the improper handling of
certain inputs during the parsing of dump files. An attacker can cause the
application to enter an infinite loop by supplying crafted inputs. ##
Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:52:07Z",
+ "published" : "2024-02-20T10:52:07Z",
+ "updated" : "2024-04-27T13:35:10Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "a1519c00-c533-4f1c-bae8-58b67c7e3e24",
+ "id" : "SNYK-JAVA-ORGECLIPSEJETTY-5958847",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.eclipse.jetty:jetty-http](https://github.com/eclipse/jetty.project) is an
is a http module for jetty server. Affected versions of this package are
vulnerable to Denial of Service (DoS) in the `MetaDataBuilder.checkSize`
function. An attacker provide a very large or negative length value for the
HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in
a very large buffer allocation on the server. ## Details Denial of Service (D
[...]
+ "recommendation" : "Upgrade the package version to
9.4.53.v20231009,10.0.16,11.0.16 to fix this vulnerability",
+ "created" : "2023-10-11T10:02:18Z",
+ "published" : "2023-10-11T11:57:46Z",
+ "updated" : "2024-03-11T09:54:02Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Information Exposure due to missing validation
for the X.500 name of any certificate, subject, or issuer. The presence of a
wild card may lead to information disclosure. This could allow a malicious user
to obtain unauthorized information via blind [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-07-11T15:15:48Z",
+ "published" : "2023-06-30T08:15:58Z",
+ "updated" : "2024-03-11T09:54:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Uncontrolled Resource Consumption ('Resource
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a
file that has crafted `ASN.1` data through the `PEMParser` causes an
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-11-24T08:10:03Z",
+ "published" : "2023-11-24T08:21:18Z",
+ "updated" : "2024-06-19T13:32:28Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5
and OAEP decryption process. An attacker can recover ciphertexts via a
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-02-26T18:00:10Z",
+ "published" : "2024-03-03T21:08:12Z",
+ "updated" : "2024-04-21T07:48:52Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "aa5b765a-3538-4975-b1ae-49116a1b0fc7",
+ "id" : "SNYK-JAVA-ORGAPACHESSHD-5769687",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 4.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Information Exposure. In SFTP servers implemented using Apache
MINA SSHD that use a `RootedFileSystem`, logged users may be able to discover
\"exists/does not exist\" information about items outside the rooted tree via
paths including parent navigation (`..`) beyond the root, or involving
symlinks. ## Remediation Upgrade `org.apache.sshd:sshd-common` to version
2.10.0 or higher. ## References - [Apache [...]
+ "recommendation" : "Upgrade the package version to 2.10.0 to fix this
vulnerability",
+ "created" : "2023-07-11T07:21:40Z",
+ "published" : "2023-07-11T09:22:25Z",
+ "updated" : "2024-03-11T09:54:02Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Allocation of Resources Without Limits or
Throttling due to an `OutOfMemoryError` during the handling of a broken
`Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to
version 1.26.0 or higher. ## References - [Apache Lists](https://list [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:55:46Z",
+ "published" : "2024-02-20T10:55:46Z",
+ "updated" : "2024-05-09T13:32:28Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Infinite loop due to the improper handling of
certain inputs during the parsing of dump files. An attacker can cause the
application to enter an infinite loop by supplying crafted inputs. ##
Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:52:07Z",
+ "published" : "2024-02-20T10:52:07Z",
+ "updated" : "2024-04-27T13:35:10Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP
decryption process. An attacker can recover ciphertexts via a side-channel
attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector
leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector
leaks via the bit size of the decrypted data. ## Remediation Upgrade
`org.bouncycastle:bcprov-jdk18on` to version 1.78 [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-02-26T18:00:10Z",
+ "published" : "2024-03-03T21:08:12Z",
+ "updated" : "2024-04-21T07:48:52Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "d39ed632-024c-4a55-bfc6-b975684b5789",
+ "id" : "SNYK-JAVA-ORGGLASSFISHJERSEYCORE-1255637",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Information Disclosure due to the use of the
`File.createTempFile` which creates a file inside of the system temporary
directory with the permissions `-rw-r--r--`. Thus the contents of this file are
viewable by all other users locally on the system. As such, if the contents
written is security sensitive, it can be disclosed to other local users. ##
Details Denial of Service (DoS) describes a family of [...]
+ "recommendation" : "Upgrade the package version to 3.0.2,2.34 to fix
this vulnerability",
+ "created" : "2021-04-26T13:20:38Z",
+ "published" : "2021-04-26T16:18:48Z",
+ "updated" : "2024-03-11T09:53:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "ef5c1d4c-b21d-46c5-9934-c14655f17765",
+ "id" : "SNYK-JAVA-ORGSPRINGFRAMEWORK-6261586",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.1,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.springframework:spring-web](https://github.com/spring-projects/spring-framework)
is a package that provides a comprehensive programming and configuration model
for modern Java-based enterprise applications - on any kind of deployment
platform. Affected versions of this package are vulnerable to Open Redirect
when `UriComponentsBuilder` parses an externally provided URL, and the
application subsequently uses that URL. If it contains hierarchical com [...]
+ "recommendation" : "Upgrade the package version to 5.3.32,6.0.17,6.1.4
to fix this vulnerability",
+ "created" : "2024-02-22T09:39:25Z",
+ "published" : "2024-02-22T15:48:30Z",
+ "updated" : "2024-07-02T15:25:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "496ae866-bc06-4362-ae53-1f49c5c87c92",
+ "id" : "SNYK-JAVA-ORGSPRINGFRAMEWORK-6444790",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.1,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.springframework:spring-web](https://github.com/spring-projects/spring-framework)
is a package that provides a comprehensive programming and configuration model
for modern Java-based enterprise applications - on any kind of deployment
platform. Affected versions of this package are vulnerable to Open Redirect
when using `UriComponentsBuilder` to parse an externally provided `URL` and
perform validation checks on the host of the parsed URL. **Note:** [...]
+ "recommendation" : "Upgrade the package version to 5.3.33,6.0.18,6.1.5
to fix this vulnerability",
+ "created" : "2024-03-15T10:11:04Z",
+ "published" : "2024-03-15T10:42:12Z",
+ "updated" : "2024-07-02T15:25:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP
decryption process. An attacker can recover ciphertexts via a side-channel
attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector
leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector
leaks via the bit size of the decrypted data. ## Remediation Upgrade
`org.bouncycastle:bcprov-jdk18on` to version 1.78 [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-02-26T18:00:10Z",
+ "published" : "2024-03-03T21:08:12Z",
+ "updated" : "2024-04-21T07:48:52Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "8dff54f3-1260-4b15-bdee-f9f1d0bf1b49",
+ "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-3038425",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "cwes" : [
+ 400
+ ],
+ "description" : "## Overview
[org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl)
is a high-performance data binding package built on Jackson JSON processor.
Affected versions of this package are vulnerable to Denial of Service (DoS) in
the `_deserializeFromArray()` function in `BeanDeserializer`, due to resource
exhaustion when processing a deeply nested array. **NOTE:** For this
vulnerability to be exploitable the n [...]
+ "created" : "2022-10-02T09:21:18Z",
+ "updated" : "2023-11-08T09:43:38Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "74c3d734-0837-4a8b-bc62-ebdbd7b09d05",
+ "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-3038427",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "cwes" : [
+ 400
+ ],
+ "description" : "## Overview
[org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl)
is a high-performance data binding package built on Jackson JSON processor.
Affected versions of this package are vulnerable to Denial of Service (DoS) in
the `_deserializeWrappedValue()` function in `StdDeserializer.java`, due to
resource exhaustion when processing deeply nested arrays. **NOTE:** This
vulnerability is only exploitable w [...]
+ "created" : "2022-10-02T09:41:44Z",
+ "updated" : "2023-11-08T09:43:38Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "1ce85ff3-bc60-44fe-963e-b452fffc97c4",
+ "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-534878",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl)
is a high-performance data binding package built on Jackson JSON processor.
Affected versions of this package are vulnerable to XML External Entity (XXE)
Injection. via the `DOMDeserializer.class` file and its inner classes
(`DocumentDeserializer.class` and `NodeDeserializer.class`) that uses the
`_parserFactory` instance without restric [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2019-11-19T11:44:30Z",
+ "published" : "2019-11-19T11:56:32Z",
+ "updated" : "2024-03-11T09:54:00Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "5cfc8ca5-3e9b-4643-b175-012724d716ed",
+ "id" : "SNYK-JAVA-ORGCODEHAUSJACKSON-3326362",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 9.8,
+ "severity" : "critical",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.codehaus.jackson:jackson-mapper-asl](https://mvnrepository.com/artifact/org.codehaus.jackson/jackson-mapper-asl)
is a high-performance data binding package built on Jackson JSON processor.
Affected versions of this package are vulnerable to Improper Input Validation
which results in several instances of deserialization of untrusted data. This
issue is parallel to vulnerabilities reported and fixed in jackson-databind
(CVE-2017-17485, CVE-2017-7525, [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-02-21T07:30:54Z",
+ "published" : "2023-03-01T08:47:56Z",
+ "updated" : "2024-03-11T09:54:00Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "ef05c048-e001-4375-8306-9eecce182cfc",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316638",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Denial of Service (DoS). When reading a
specially crafted 7Z archive, Compress can be made to allocate large amounts of
memory that finally leads to an out-of-memory error even for very small inputs.
This could be used to mount a denial of service attack against [...]
+ "recommendation" : "Upgrade the package version to 1.21 to fix this
vulnerability",
+ "created" : "2021-07-13T11:27:28Z",
+ "published" : "2021-07-13T15:29:21Z",
+ "updated" : "2024-03-11T09:53:57Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "557ace8c-3ba0-4b34-b3bd-7475ecb0de6a",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316639",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Denial of Service (DoS). When reading a
specially crafted 7Z archive, the construction of the list of codecs that
decompress an entry can result in an infinite loop. This could be used to mount
a denial of service attack against services that use Compress' sevenz [...]
+ "recommendation" : "Upgrade the package version to 1.21 to fix this
vulnerability",
+ "created" : "2021-07-13T11:33:38Z",
+ "published" : "2021-07-13T15:29:20Z",
+ "updated" : "2024-03-11T09:53:53Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "fb8cad05-1fe6-4f5f-aa40-a4835cfe597a",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316640",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Denial of Service (DoS). When reading a
specially crafted TAR archive, Compress can be made to allocate large amounts
of memory that finally leads to an out-of-memory error even for very small
inputs. This could be used to mount a denial of service attack against [...]
+ "recommendation" : "Upgrade the package version to 1.21 to fix this
vulnerability",
+ "created" : "2021-07-13T11:35:27Z",
+ "published" : "2021-07-13T15:29:20Z",
+ "updated" : "2024-03-11T09:53:51Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "f8de35b3-546f-4ad9-99c0-9cfb6bb26ae1",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-1316641",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Denial of Service (DoS). When reading a
specially crafted ZIP archive, Compress can be made to allocate large amounts
of memory that finally leads to an out-of-memory error even for very small
inputs. This could be used to mount a denial of service attack against [...]
+ "recommendation" : "Upgrade the package version to 1.21 to fix this
vulnerability",
+ "created" : "2021-07-13T11:39:11Z",
+ "published" : "2021-07-13T15:29:20Z",
+ "updated" : "2024-03-11T09:53:57Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Infinite loop due to the improper handling of
certain inputs during the parsing of dump files. An attacker can cause the
application to enter an infinite loop by supplying crafted inputs. ##
Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...]
+ "recommendation" : "Upgrade the package version to 1.26.0 to fix this
vulnerability",
+ "created" : "2024-02-20T10:52:07Z",
+ "published" : "2024-02-20T10:52:07Z",
+ "updated" : "2024-04-27T13:35:10Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "7c5ae575-fa55-4f6e-b64e-bd927a3e1e37",
+ "id" : "SNYK-JAVA-ORGECLIPSEPARSSON-6044728",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Improper Input Validation when parsing `JSON` files from
untrusted sources. An attacker can exploit the built-in support for parsing
numbers with large scale where the input text of a number can lead to much
larger processing time than expected. ## Remediation Upgrade
`org.eclipse.parsson:parsson` to version 1.0.5, 1.1.4 or higher. ## References
- [GitHub Commit](https://github.com/eclipse-ee4j/parsson [...]
+ "recommendation" : "Upgrade the package version to 1.0.5,1.1.4 to fix
this vulnerability",
+ "created" : "2023-11-03T12:32:13Z",
+ "published" : "2023-11-03T12:36:19Z",
+ "updated" : "2024-03-11T09:54:04Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "0ffc3f54-92d3-4f01-8b52-9fb99a994d72",
+ "id" : "SNYK-JAVA-ORGYAML-3152153",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 9.8,
+ "severity" : "critical",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.yaml:snakeyaml](https://code.google.com/p/snakeyaml/source/browse/) is a
YAML 1.1 parser and emitter for Java. Affected versions of this package are
vulnerable to Arbitrary Code Execution in the `Constructor` class, which does
not restrict which types can be deserialized. This vulnerability is exploitable
by an attacker who provides a malicious YAML file for deserialization, which
circumvents the `SafeConstructor` class. The maintainers of the libr [...]
+ "recommendation" : "Upgrade the package version to 2.0 to fix this
vulnerability",
+ "created" : "2022-12-01T14:55:37Z",
+ "published" : "2022-12-08T18:58:07Z",
+ "updated" : "2024-06-27T14:59:48Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "ba9b5b48-9e9d-4b46-b885-92767e95af9a",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475534",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0)
is a group of tools to assist in the reading of configuration/preferences
files in various formats. Affected versions of this package are vulnerable to
Out-of-Bounds Write due to the improper handling of certain configurations in
the `AbstractListDelimiterHandler.flattenIterator` method. An attacker can
trigger a stack overflow b [...]
+ "recommendation" : "Upgrade the package version to 2.10.1 to fix this
vulnerability",
+ "created" : "2024-03-21T15:04:18Z",
+ "published" : "2024-03-21T15:09:43Z",
+ "updated" : "2024-04-23T11:01:46Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9b98e428-165c-4c49-84b3-0842e1c04dd8",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475528",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0)
is a group of tools to assist in the reading of configuration/preferences
files in various formats. Affected versions of this package are vulnerable to
Out-of-Bounds Write due to the improper handling of a cyclical object tree when
calling the `ListDelimiterHandler.flatten` method. An attacker can trigger a
StackOverflowError and [...]
+ "recommendation" : "Upgrade the package version to 2.10.1 to fix this
vulnerability",
+ "created" : "2024-03-21T15:01:49Z",
+ "published" : "2024-03-21T15:07:58Z",
+ "updated" : "2024-04-23T11:01:46Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "2bf053f1-5d6d-4a04-9756-4ab5599451e1",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-2841508",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 4.8,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Cryptographic Issues via weak key-hash message
authentication code (HMAC) that is only 16 bits long which can result in hash
collisions, as a result of an error within the BKS version 1 keystore (BKS-V1)
files and could lead to an attacker being abl [...]
+ "recommendation" : "Upgrade the package version to 1.69 to fix this
vulnerability",
+ "created" : "2022-05-23T09:25:43Z",
+ "published" : "2022-05-26T11:36:47Z",
+ "updated" : "2024-03-06T13:56:37Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Information Exposure due to missing validation
for the X.500 name of any certificate, subject, or issuer. The presence of a
wild card may lead to information disclosure. This could allow a malicious user
to obtain unauthorized information via blind [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-07-11T15:15:48Z",
+ "published" : "2023-06-30T08:15:58Z",
+ "updated" : "2024-03-11T09:54:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Uncontrolled Resource Consumption ('Resource
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a
file that has crafted `ASN.1` data through the `PEMParser` causes an
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-11-24T08:10:03Z",
+ "published" : "2023-11-24T08:21:18Z",
+ "updated" : "2024-06-19T13:32:28Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5
and OAEP decryption process. An attacker can recover ciphertexts via a
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-02-26T18:00:10Z",
+ "published" : "2024-03-03T21:08:12Z",
+ "updated" : "2024-04-21T07:48:52Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "fab9a60e-1dce-4c53-9011-676898520e62",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1052448",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 8.1,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Comparison Using Wrong Factors. The
`OpenBSDBCrypt.checkPassword` utility method compared incorrect data when
checking the password, allowing incorrect passwords to indicate they were
matching with previously hashed ones that were different. ## Reme [...]
+ "recommendation" : "Upgrade the package version to 1.67 to fix this
vulnerability",
+ "created" : "2020-12-18T11:32:45Z",
+ "published" : "2020-12-18T16:33:09Z",
+ "updated" : "2024-03-11T09:53:49Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "462d6e04-9eef-431b-839d-27f7210b2063",
+ "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient
component of the Apache HttpComponents project. Affected versions of this
package are vulnerable to Improper Input Validation. Apache HttpClient can
misinterpret malformed authority component in request URIs passed to the
library as `java.net.URI` object and pick the wrong target host for request
execution. ## Remediation Upgrade `org.apache.httpcomponents:httpclient` to
versi [...]
+ "recommendation" : "Upgrade the package version to 4.5.13 to fix this
vulnerability",
+ "created" : "2020-12-03T12:39:42Z",
+ "published" : "2020-12-03T16:47:50Z",
+ "updated" : "2024-03-11T09:53:47Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "dde186cb-589c-4717-a0ec-279071e15af9",
+ "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient
component of the Apache HttpComponents project. Affected versions of this
package are vulnerable to Directory Traversal. String input by user is not
validated for the presence of leading character `/` and is passed to the
constructor as `path` information, resulting in a Directory Traversal
vulnerability. ## Details A Directory Traversal attack (also known as path
traversal) a [...]
+ "recommendation" : "Upgrade the package version to 4.5.3 to fix this
vulnerability",
+ "created" : "2017-01-17T07:28:21Z",
+ "published" : "2017-09-20T00:00:00Z",
+ "updated" : "2024-03-06T14:01:21Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "462d6e04-9eef-431b-839d-27f7210b2063",
+ "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient
component of the Apache HttpComponents project. Affected versions of this
package are vulnerable to Improper Input Validation. Apache HttpClient can
misinterpret malformed authority component in request URIs passed to the
library as `java.net.URI` object and pick the wrong target host for request
execution. ## Remediation Upgrade `org.apache.httpcomponents:httpclient` to
versi [...]
+ "recommendation" : "Upgrade the package version to 4.5.13 to fix this
vulnerability",
+ "created" : "2020-12-03T12:39:42Z",
+ "published" : "2020-12-03T16:47:50Z",
+ "updated" : "2024-03-11T09:53:47Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Denial of Service (DoS) due to improper exception handling by the
`GzipSource` class when parsing a malformed gzip buffer. This vulnerability can
be exploited on the Okio client when handling a crafted GZIP archive. ## PoC
```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString =
(\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz:
GzipSource = GzipSource(gzBuf) [...]
+ "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix
this vulnerability",
+ "created" : "2023-07-13T08:54:58Z",
+ "published" : "2023-07-13T09:04:26Z",
+ "updated" : "2024-04-08T08:36:20Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp)
is a HTTP & HTTP/2 client for Android and Java applications Affected versions
of this package are vulnerable to Information Exposure. When there's an illegal
character in a header value, an `IllegalArgumentException` is thrown whose
message includes the full header value. ## PoC ``` package
com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...]
+ "recommendation" : "Upgrade the package version to 4.9.2 to fix this
vulnerability",
+ "created" : "2022-07-22T06:59:36Z",
+ "published" : "2022-07-22T06:59:36Z",
+ "updated" : "2024-03-11T09:53:38Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "d4df2818-7fef-4ccd-bea2-6ca4f37d4888",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1296075",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Timing Attack. A timing issue within the EC math
library can expose information about the private key when an attacker is able
to observe timing information for the generation of multiple deterministic
ECDSA signatures. ## Remediation Upgrade `org.b [...]
+ "recommendation" : "Upgrade the package version to 1.66 to fix this
vulnerability",
+ "created" : "2021-05-20T17:21:17Z",
+ "published" : "2021-05-20T17:22:54Z",
+ "updated" : "2024-03-11T09:53:53Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8",
+ "id" : "SNYK-JAVA-COMGITHUBJNR-1570422",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 8.1,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade
`com.github.jnr:jnr-posix` to version 3.1.8 or higher. ## References -
[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub
PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla
Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)",
+ "recommendation" : "Upgrade the package version to 3.1.8 to fix this
vulnerability",
+ "created" : "2021-08-27T16:00:23Z",
+ "published" : "2021-09-06T15:30:41Z",
+ "updated" : "2024-03-06T14:01:33Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8",
+ "id" : "SNYK-JAVA-COMGITHUBJNR-1570422",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 8.1,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade
`com.github.jnr:jnr-posix` to version 3.1.8 or higher. ## References -
[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub
PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla
Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)",
+ "recommendation" : "Upgrade the package version to 3.1.8 to fix this
vulnerability",
+ "created" : "2021-08-27T16:00:23Z",
+ "published" : "2021-09-06T15:30:41Z",
+ "updated" : "2024-03-06T14:01:33Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "68e35d90-7008-4ca2-b8ce-f2c8cace740e",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5820002",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Denial of Service (DoS) due to improper exception handling by the
`GzipSource` class when parsing a malformed gzip buffer. This vulnerability can
be exploited on the Okio client when handling a crafted GZIP archive. ## PoC
```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString =
(\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz:
GzipSource = GzipSource(gzBuf) [...]
+ "recommendation" : "Upgrade the package version to 3.4.0 to fix this
vulnerability",
+ "created" : "2023-08-04T12:48:52Z",
+ "published" : "2023-07-13T09:04:26Z",
+ "updated" : "2024-04-08T08:36:20Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "3105f865-1b87-4c40-a9de-01e787fd87a2",
+ "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5918282",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling due to a
missing upper bound check on chunk length in the `SnappyInputStream` function.
An attacker can decompress data with an excessively large chunk size. ##
Remediation Upgrade `org.xerial.snappy:snappy-java` to version 1.1.10.4 or
higher. ## References - [GitHub
Commit](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917
[...]
+ "recommendation" : "Upgrade the package version to 1.1.10.4 to fix this
vulnerability",
+ "created" : "2023-09-26T06:24:11Z",
+ "published" : "2023-09-26T09:05:16Z",
+ "updated" : "2024-03-11T09:54:02Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "ed0a8992-85a5-49cd-b9be-7d48ba351848",
+ "id" : "SNYK-JAVA-COMJAYWAYJSONPATH-6140361",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Buffer Overflow via the deprecated `Criteria.parse` or
`Criteria.where` methods. An attacker can disrupt the regular operation of the
application by supplying a specially crafted input that triggers a stack
overflow. Exploiting this vulnerability requires insecure configurations on the
server side, for example - handling requests in a one single thread. ## PoC
```java import com.jayway.jsonpath.Criteri [...]
+ "recommendation" : "Upgrade the package version to 2.9.0 to fix this
vulnerability",
+ "created" : "2023-12-28T14:45:06Z",
+ "published" : "2024-01-21T15:14:21Z",
+ "updated" : "2024-03-11T09:49:29Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "3105f865-1b87-4c40-a9de-01e787fd87a2",
+ "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5918282",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling due to a
missing upper bound check on chunk length in the `SnappyInputStream` function.
An attacker can decompress data with an excessively large chunk size. ##
Remediation Upgrade `org.xerial.snappy:snappy-java` to version 1.1.10.4 or
higher. ## References - [GitHub
Commit](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917
[...]
+ "recommendation" : "Upgrade the package version to 1.1.10.4 to fix this
vulnerability",
+ "created" : "2023-09-26T06:24:11Z",
+ "published" : "2023-09-26T09:05:16Z",
+ "updated" : "2024-03-11T09:54:02Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "f7d6d98d-008b-4bf9-8b2c-b0f193b30a39",
+ "id" : "SNYK-JAVA-ORGAPACHEAVRO-5926693",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.avro:avro](https://avro.apache.org/) is an Avro core components
Affected versions of this package are vulnerable to Improper Input Validation
when deserializing untrusted or corrupted data. An attacker can consume memory
beyond the allowed constraints, resulting in the system being out of memory. ##
Remediation Upgrade `org.apache.avro:avro` to version 1.11.3 or higher. ##
References - [Apache List](https://lists.apache.org/thread/q142wj99cw [...]
+ "recommendation" : "Upgrade the package version to 1.11.3 to fix this
vulnerability",
+ "created" : "2023-10-01T10:48:46Z",
+ "published" : "2023-10-01T11:21:06Z",
+ "updated" : "2024-03-11T09:54:02Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "16643a38-1b57-426e-b879-3fb71305aceb",
+ "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710961",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Integer Overflow or Wraparound via the function `compress(char[]
input)` in `Snappy.java` due to improper validation of the array length.
Exploiting this vulnerability is possible when the “buf” array compiled by the
`maxCompressedLength` function is successfully allocated but its size might be
too small to use for the compression, causing a fatal Access Violation error.
**Note:** The issue most likely [...]
+ "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this
vulnerability",
+ "created" : "2023-06-16T08:17:19Z",
+ "published" : "2023-06-16T08:17:19Z",
+ "updated" : "2024-03-11T09:54:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "dd3e4d18-72a9-4fa6-9afc-d0477b90aa0c",
+ "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710960",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Denial of Service (DoS) via the `hasNextChunk` function due to
improper validation of the `chunkSize` variable value. Exploiting this
vulnerability is possible by passing a negative number (such as `0xFFFFFFFF`,
which is -1), which will cause the code to raise a
`java.lang.NegativeArraySizeException` exception. A worse case would happen
when passing a huge positive value (such as `0x7FFFFFFF`), raising [...]
+ "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this
vulnerability",
+ "created" : "2023-06-16T08:05:41Z",
+ "published" : "2023-06-16T08:05:41Z",
+ "updated" : "2024-03-11T09:54:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp)
is a HTTP & HTTP/2 client for Android and Java applications Affected versions
of this package are vulnerable to Information Exposure. When there's an illegal
character in a header value, an `IllegalArgumentException` is thrown whose
message includes the full header value. ## PoC ``` package
com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...]
+ "recommendation" : "Upgrade the package version to 4.9.2 to fix this
vulnerability",
+ "created" : "2022-07-22T06:59:36Z",
+ "published" : "2022-07-22T06:59:36Z",
+ "updated" : "2024-03-11T09:53:38Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Denial of Service (DoS) due to improper exception handling by the
`GzipSource` class when parsing a malformed gzip buffer. This vulnerability can
be exploited on the Okio client when handling a crafted GZIP archive. ## PoC
```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString =
(\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz:
GzipSource = GzipSource(gzBuf) [...]
+ "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix
this vulnerability",
+ "created" : "2023-07-13T08:54:58Z",
+ "published" : "2023-07-13T09:04:26Z",
+ "updated" : "2024-04-08T08:36:20Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "8a5ad283-2082-4fda-8209-9466a598fc20",
+ "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710959",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Integer Overflow or Wraparound via the `shuffle(int[] input)`
function due to improper validation of the multiplications done on the input
length. Exploiting this vulnerability is possible by passing negative, zero,
float, very small, or very long values to the `shuffle` functions, which later
on are multiplicated by four. A successful exploration results in
“java.lang.ArrayIndexOutOfBoundsException\" [...]
+ "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this
vulnerability",
+ "created" : "2023-06-16T07:52:47Z",
+ "published" : "2023-06-16T07:52:47Z",
+ "updated" : "2024-03-11T09:54:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "54bb58b0-d5ec-47bf-a2b2-4301f1c1bbf3",
+ "id" : "SNYK-JAVA-ORGAPACHECOMMONS-32473",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
is an API for working with compression and archive formats. Affected versions
of this package are vulnerable to Denial of Service (DoS). When reading a
specially crafted ZIP archive, the read method might fail to return the correct
`EOF` indication after the end of the stream has been reached. If it combined
with a `java.io.InputStreamReader`, it can lead to an infinite st [...]
+ "recommendation" : "Upgrade the package version to 1.18-RC1 to fix this
vulnerability",
+ "created" : "2018-08-16T14:26:43Z",
+ "published" : "2018-08-19T13:36:14Z",
+ "updated" : "2024-03-11T09:48:50Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp)
is a HTTP & HTTP/2 client for Android and Java applications Affected versions
of this package are vulnerable to Information Exposure. When there's an illegal
character in a header value, an `IllegalArgumentException` is thrown whose
message includes the full header value. ## PoC ``` package
com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...]
+ "recommendation" : "Upgrade the package version to 4.9.2 to fix this
vulnerability",
+ "created" : "2022-07-22T06:59:36Z",
+ "published" : "2022-07-22T06:59:36Z",
+ "updated" : "2024-03-11T09:53:38Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Denial of Service (DoS) due to improper exception handling by the
`GzipSource` class when parsing a malformed gzip buffer. This vulnerability can
be exploited on the Okio client when handling a crafted GZIP archive. ## PoC
```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString =
(\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz:
GzipSource = GzipSource(gzBuf) [...]
+ "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix
this vulnerability",
+ "created" : "2023-07-13T08:54:58Z",
+ "published" : "2023-07-13T09:04:26Z",
+ "updated" : "2024-04-08T08:36:20Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "e25cb34f-59e4-497e-a67e-669c112d84c6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2628385",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Improper Locking due to inability to lock dependencies for
Multiplatform Gradle Projects. ## Remediation Upgrade
`org.jetbrains.kotlin:kotlin-stdlib` to version 1.6.0 or higher. ## References
- [JetBrains Issue](https://youtrack.jetbrains.com/issue/KT-49449) - [...]
+ "recommendation" : "Upgrade the package version to 1.6.0 to fix this
vulnerability",
+ "created" : "2022-04-12T12:56:51Z",
+ "published" : "2022-04-12T14:21:55Z",
+ "updated" : "2024-03-11T09:49:25Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "85b4750f-b399-4e42-bc2d-abd7be2c4a71",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKIO-5773320",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Denial of Service (DoS) due to improper exception handling by the
`GzipSource` class when parsing a malformed gzip buffer. This vulnerability can
be exploited on the Okio client when handling a crafted GZIP archive. ## PoC
```java val gzBuf: Buffer = Buffer() try { val gzByteString: ByteString =
(\"1f8b41ff424242424343ffff\").decodeHex() gzBuf.write(gzByteString) val gz:
GzipSource = GzipSource(gzBuf) [...]
+ "recommendation" : "Upgrade the package version to 1.17.6,3.4.0 to fix
this vulnerability",
+ "created" : "2023-07-13T08:54:58Z",
+ "published" : "2023-07-13T09:04:26Z",
+ "updated" : "2024-04-08T08:36:20Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "533bb1ce-7b5a-4881-a3b0-309aead23e1f",
+ "id" : "SNYK-JAVA-ORGMOZILLA-1314295",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 8.2,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" :
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:R"
+ }
+ ],
+ "description" : "## Overview
[org.mozilla:rhino](https://github.com/mozilla/rhino) is a Rhino is an
open-source implementation of JavaScript written entirely in Java. It is
typically embedded into Java applications to provide scripting to end users.
Affected versions of this package are vulnerable to XML External Entity (XXE)
Injection. The function `toXml` allows usage of external entities when parsing
an XML document. ## Details XXE Injection is a type of attack against an applic
[...]
+ "recommendation" : "Upgrade the package version to 1.7.12 to fix this
vulnerability",
+ "created" : "2021-06-24T10:42:20Z",
+ "published" : "2021-06-24T14:49:34Z",
+ "updated" : "2024-03-06T14:00:46Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "40cee64e-b16b-464a-a368-253adeac0cf7",
+ "id" : "SNYK-JAVA-COMSQUAREUPOKHTTP3-2958044",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[com.squareup.okhttp3:okhttp](https://mvnrepository.com/artifact/com.squareup.okhttp3/okhttp)
is a HTTP & HTTP/2 client for Android and Java applications Affected versions
of this package are vulnerable to Information Exposure. When there's an illegal
character in a header value, an `IllegalArgumentException` is thrown whose
message includes the full header value. ## PoC ``` package
com.launchdarkly.eventsource; import okhttp3.*; import org.junit.Test; [...]
+ "recommendation" : "Upgrade the package version to 4.9.2 to fix this
vulnerability",
+ "created" : "2022-07-22T06:59:36Z",
+ "published" : "2022-07-22T06:59:36Z",
+ "updated" : "2024-03-11T09:53:38Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "b9ddb5ce-ece9-42e4-b836-38b61c4f8386",
+ "id" : "SNYK-JAVA-ORGTHREETEN-6592149",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the
`org.threeten.bp.LocalDate::compareTo(ChronoLocalDate)` method. An attacker can
trigger a `NullPointerException` by supplying a null object as an argument to
the `other` parameter. ## Remediation There is no fixed version for
`org.threeten:threetenbp`. ## References - [GitHub
Gist](https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3) -
[Vulnerable Code](http [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-09T06:33:27Z",
+ "published" : "2024-04-09T06:50:04Z",
+ "updated" : "2024-04-09T07:07:18Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "554bc189-75fa-429f-a2d4-727c886c157e",
+ "id" : "SNYK-JAVA-ORGTHREETEN-6591891",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 6.2,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Integer Overflow or Wraparound in the
`org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition)`
method, when the string is empty, the parameter index is 10, and the
`errorIndex` is 10. ## Remediation There is no fixed version for
`org.threeten:threetenbp`. ## References - [GitHub
Gist](https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90) -
[Vulnerable Code](https://gith [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-08T19:36:37Z",
+ "published" : "2024-04-09T06:16:54Z",
+ "updated" : "2024-04-09T06:16:54Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "b6912050-0f59-4a66-98f4-9198a08b2afc",
+ "id" : "SNYK-JAVA-ORGSPRINGFRAMEWORK-6597980",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.4,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.springframework:spring-web](https://github.com/spring-projects/spring-framework)
is a package that provides a comprehensive programming and configuration model
for modern Java-based enterprise applications - on any kind of deployment
platform. Affected versions of this package are vulnerable to Open Redirect
when `UriComponentsBuilder` is used to parse an externally provided URL and
perform validation checks on the host of the parsed URL. **Note:** [...]
+ "recommendation" : "Upgrade the package version to 5.3.34,6.0.19,6.1.6
to fix this vulnerability",
+ "created" : "2024-04-12T08:32:41Z",
+ "published" : "2024-04-12T08:32:41Z",
+ "updated" : "2024-04-16T13:32:25Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+ "id" : "SNYK-JAVA-JODATIME-6595834",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the component
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger
a `NullPointerException` by supplying a null value to the `Locale` parameter.
## Remediation There is no fixed version for `joda-time:joda-time`. ##
References - [GitHub
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) -
[Vulnerable Code](https://github.com/Jo [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-11T06:34:09Z",
+ "published" : "2024-04-11T06:34:09Z",
+ "updated" : "2024-04-11T13:35:26Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class.
An attacker can send a malicious signature and public key to trigger denial of
service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version
1.78 or higher. ## References - [GitHub
Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49)
- [GitHub Issue](https://github.com/bcgit/bc-java/issu [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T09:52:22Z",
+ "published" : "2024-04-14T13:27:01Z",
+ "updated" : "2024-04-14T13:27:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class.
An attacker can send a malicious signature and public key to trigger denial of
service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version
1.78 or higher. ## References - [GitHub
Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49)
- [GitHub Issue](https://github.com/bcgit/bc-java/issu [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T09:52:22Z",
+ "published" : "2024-04-14T13:27:01Z",
+ "updated" : "2024-04-14T13:27:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class.
An attacker can send a malicious signature and public key to trigger denial of
service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version
1.78 or higher. ## References - [GitHub
Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49)
- [GitHub Issue](https://github.com/bcgit/bc-java/issu [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T09:52:22Z",
+ "published" : "2024-04-14T13:27:01Z",
+ "updated" : "2024-04-14T13:27:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Allocation of Resources Without Limits or
Throttling in the `solveQuadraticEquation()` function used for certificate
verification in `ECCurve.java`. Passing a large f2m parameter can cause
excessive CPU consumption. ## Remediation There is no fixed [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-14T15:09:02Z",
+ "published" : "2024-04-14T15:09:02Z",
+ "updated" : "2024-04-14T15:09:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling in the
`solveQuadraticEquation()` function used for certificate verification in
`ECCurve.java`. Passing a large f2m parameter can cause excessive CPU
consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to
version 1.78 or higher. ## References - [GitHub
Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a
[...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T15:09:02Z",
+ "published" : "2024-04-14T15:09:02Z",
+ "updated" : "2024-04-14T15:09:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Observable Discrepancy due to the timing difference between
exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1
interface, but does not fully alleviate the side-channel as it allows cases in
which the padding check fails but the handshake succeeds. ## Remediation
Upgrade `org.bouncycastle:bcprov-jdk18on` t [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T14:45:29Z",
+ "published" : "2024-04-14T14:45:29Z",
+ "updated" : "2024-05-29T14:05:06Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Allocation of Resources Without Limits or
Throttling in the `solveQuadraticEquation()` function used for certificate
verification in `ECCurve.java`. Passing a large f2m parameter can cause
excessive CPU consumption. ## Remediation There is no fixed [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-14T15:09:02Z",
+ "published" : "2024-04-14T15:09:02Z",
+ "updated" : "2024-04-14T15:09:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling in the
`solveQuadraticEquation()` function used for certificate verification in
`ECCurve.java`. Passing a large f2m parameter can cause excessive CPU
consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to
version 1.78 or higher. ## References - [GitHub
Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a
[...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T15:09:02Z",
+ "published" : "2024-04-14T15:09:02Z",
+ "updated" : "2024-04-14T15:09:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling in the
`solveQuadraticEquation()` function used for certificate verification in
`ECCurve.java`. Passing a large f2m parameter can cause excessive CPU
consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to
version 1.78 or higher. ## References - [GitHub
Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a
[...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T15:09:02Z",
+ "published" : "2024-04-14T15:09:02Z",
+ "updated" : "2024-04-14T15:09:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Observable Discrepancy due to the timing difference between
exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1
interface, but does not fully alleviate the side-channel as it allows cases in
which the padding check fails but the handshake succeeds. ## Remediation
Upgrade `org.bouncycastle:bcprov-jdk18on` t [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T14:45:29Z",
+ "published" : "2024-04-14T14:45:29Z",
+ "updated" : "2024-05-29T14:05:06Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Observable Discrepancy due to the timing difference between
exceptions thrown when processing RSA key exchange handshakes, AKA Marvin.
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1
interface, but does not fully alleviate the side-channel as it allows cases in
which the padding check fails but the handshake succeeds. ## Remediation
Upgrade `org.bouncycastle:bcprov-jdk18on` t [...]
+ "recommendation" : "Upgrade the package version to 1.78 to fix this
vulnerability",
+ "created" : "2024-04-14T14:45:29Z",
+ "published" : "2024-04-14T14:45:29Z",
+ "updated" : "2024-05-29T14:05:06Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Allocation of Resources Without Limits or
Throttling in the `solveQuadraticEquation()` function used for certificate
verification in `ECCurve.java`. Passing a large f2m parameter can cause
excessive CPU consumption. ## Remediation There is no fixed [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-14T15:09:02Z",
+ "published" : "2024-04-14T15:09:02Z",
+ "updated" : "2024-04-14T15:09:03Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Information Exposure due to missing validation
for the X.500 name of any certificate, subject, or issuer. The presence of a
wild card may lead to information disclosure. This could allow a malicious user
to obtain unauthorized information via blind [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-07-11T15:15:48Z",
+ "published" : "2023-06-30T08:15:58Z",
+ "updated" : "2024-03-11T09:54:01Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.5,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Uncontrolled Resource Consumption ('Resource
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a
file that has crafted `ASN.1` data through the `PEMParser` causes an
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2023-11-24T08:10:03Z",
+ "published" : "2023-11-24T08:21:18Z",
+ "updated" : "2024-06-19T13:32:28Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+ "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.9,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
is a Java implementation of cryptographic algorithms. Affected versions of
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5
and OAEP decryption process. An attacker can recover ciphertexts via a
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-02-26T18:00:10Z",
+ "published" : "2024-03-03T21:08:12Z",
+ "updated" : "2024-04-21T07:48:52Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "2817c193-763d-4ecf-944c-d9972570e12f",
+ "id" : "SNYK-JAVA-COMNIMBUSDS-6247633",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 7.5,
+ "severity" : "high",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview
[com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt)
is a library for JSON Web Tokens (JWT) Affected versions of this package are
vulnerable to Allocation of Resources Without Limits or Throttling due to a
large JWE `p2c` header value (AKA iteration count) for the
`PasswordBasedDecrypter` (PBKDF2) class. An attacker can cause resource
consumption by specifying an excessively large iteration count. ## Remediation
Upgrade `com.n [...]
+ "recommendation" : "Upgrade the package version to 9.37.2 to fix this
vulnerability",
+ "created" : "2024-02-15T08:19:31Z",
+ "published" : "2024-02-15T10:01:12Z",
+ "updated" : "2024-03-06T14:09:44Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "b9ddb5ce-ece9-42e4-b836-38b61c4f8386",
+ "id" : "SNYK-JAVA-ORGTHREETEN-6592149",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to NULL Pointer Dereference via the
`org.threeten.bp.LocalDate::compareTo(ChronoLocalDate)` method. An attacker can
trigger a `NullPointerException` by supplying a null object as an argument to
the `other` parameter. ## Remediation There is no fixed version for
`org.threeten:threetenbp`. ## References - [GitHub
Gist](https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3) -
[Vulnerable Code](http [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-09T06:33:27Z",
+ "published" : "2024-04-09T06:50:04Z",
+ "updated" : "2024-04-09T07:07:18Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "554bc189-75fa-429f-a2d4-727c886c157e",
+ "id" : "SNYK-JAVA-ORGTHREETEN-6591891",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 6.2,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+ }
+ ],
+ "description" : "## Overview Affected versions of this package are
vulnerable to Integer Overflow or Wraparound in the
`org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition)`
method, when the string is empty, the parameter index is 10, and the
`errorIndex` is 10. ## Remediation There is no fixed version for
`org.threeten:threetenbp`. ## References - [GitHub
Gist](https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90) -
[Vulnerable Code](https://gith [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2024-04-08T19:36:37Z",
+ "published" : "2024-04-09T06:16:54Z",
+ "updated" : "2024-04-09T06:16:54Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ },
+ {
+ "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+ "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+ "source" : {
+ "name" : "SNYK"
+ },
+ "ratings" : [
+ {
+ "source" : {
+ "name" : "SNYK"
+ },
+ "score" : 5.3,
+ "severity" : "medium",
+ "method" : "CVSSv31",
+ "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+ }
+ ],
+ "description" : "## Overview
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
is a Kotlin Standard Library for JVM. Affected versions of this package are
vulnerable to Information Exposure. A Kotlin application using `createTempDir`
or `createTempFile` and placing sensitive information within either of these
locations would be leaking this information in a read-only way to other users
also on this system. **Note:** As of ver [...]
+ "recommendation" : "Upgrade the package version to to fix this
vulnerability",
+ "created" : "2022-02-04T09:36:58Z",
+ "published" : "2022-02-04T14:31:42Z",
+ "updated" : "2024-03-11T09:50:55Z",
+ "affects" : [
+ {
+ "ref" : "ad418462-c08d-4e01-b0af-b50a403dcc23"
+ }
+ ]
+ }
+ ]
+}
\ No newline at end of file
