This is an automated email from the ASF dual-hosted git repository.

acosentino pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel-spring-boot.git


The following commit(s) were added to refs/heads/main by this push:
     new 1f8b0e55b5f Added VEX File from SBOM
1f8b0e55b5f is described below

commit 1f8b0e55b5f15bcae386a89548c9aef659d48be6
Author: Andrea Cosentino <[email protected]>
AuthorDate: Wed Jul 10 12:10:14 2024 +0200

    Added VEX File from SBOM
    
    Signed-off-by: Andrea Cosentino <[email protected]>
---
 .../camel-spring-boot-sbom.vex.json                | 2533 ++++++++++++++++++++
 1 file changed, 2533 insertions(+)

diff --git a/camel-spring-boot-sbom/camel-spring-boot-sbom.vex.json 
b/camel-spring-boot-sbom/camel-spring-boot-sbom.vex.json
new file mode 100644
index 00000000000..1386f0b6932
--- /dev/null
+++ b/camel-spring-boot-sbom/camel-spring-boot-sbom.vex.json
@@ -0,0 +1,2533 @@
+{
+  "bomFormat" : "CycloneDX",
+  "specVersion" : "1.5",
+  "serialNumber" : "urn:uuid:d60ba589-0346-4bb2-a4b8-ec4e0bb1acd6",
+  "version" : 1,
+  "metadata" : {
+    "timestamp" : "2024-07-10T10:09:42Z",
+    "tools" : [
+      {
+        "vendor" : "OWASP",
+        "name" : "Dependency-Track",
+        "version" : "4.10.1"
+      }
+    ],
+    "component" : {
+      "name" : "Camel-SpringBoot",
+      "version" : "4",
+      "externalReferences" : [
+        {
+          "type" : "website",
+          "url" : "https://camel.apache.org";
+        },
+        {
+          "type" : "distribution",
+          "url" : 
"https://repository.apache.org/service/local/staging/deploy/maven2";
+        },
+        {
+          "type" : "issue-tracker",
+          "url" : "https://issues.apache.org/jira/browse/CAMEL";
+        },
+        {
+          "type" : "mailing-list",
+          "url" : "[email protected]"
+        },
+        {
+          "type" : "vcs",
+          "url" : 
"https://gitbox.apache.org/repos/asf?p=camel-spring-boot.git;a=summary";
+        }
+      ],
+      "type" : "library",
+      "bom-ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+    }
+  },
+  "vulnerabilities" : [
+    {
+      "bom-ref" : "923130c6-40ab-4236-baa8-8308055cffb8",
+      "id" : "CVE-2023-30081",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L"
+        }
+      ],
+      "cwes" : [
+        426
+      ],
+      "description" : "jython-standalone - Untrusted Search Path",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f1801e41-a13b-46f4-8ead-7b4a27f50be6",
+      "id" : "CVE-2020-13956",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.0,
+          "severity" : "medium",
+          "method" : "CVSSv2",
+          "vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
+        },
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "Apache HttpClient versions prior to version 4.5.13 and 
5.0.3 can misinterpret malformed authority component in request URIs passed to 
the library as java.net.URI object and pick the wrong target host for request 
execution.",
+      "published" : "2020-12-02T17:15:00Z",
+      "updated" : "2023-11-07T03:17:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f1801e41-a13b-46f4-8ead-7b4a27f50be6",
+      "id" : "CVE-2020-13956",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.0,
+          "severity" : "medium",
+          "method" : "CVSSv2",
+          "vector" : "(AV:N/AC:L/Au:N/C:N/I:P/A:N)"
+        },
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "Apache HttpClient versions prior to version 4.5.13 and 
5.0.3 can misinterpret malformed authority component in request URIs passed to 
the library as java.net.URI object and pick the wrong target host for request 
execution.",
+      "published" : "2020-12-02T17:15:00Z",
+      "updated" : "2023-11-07T03:17:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "05b4242e-e1bd-424c-8ede-2568da828d30",
+      "id" : "SNYK-JAVA-IOAIRLIFT-7164637",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.2,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Out-of-bounds Read via the decompression process due to improper 
input length validation in the functions 
`SnappyRawDecompressor.readUncompressedLengt`, 
`SnappyRawDecompressor.uncompressAll`, `ZstdFrameDecompressor.decompress`, 
`Lz4RawDecompressor.decompress` and `LzoRawDecompressor.decompress`. By 
exploiting this vulnerability, an attacker can crash the JVM or leak sensitive 
information by decompressi [...]
+      "recommendation" : "Upgrade the package version to 0.27 to fix this 
vulnerability",
+      "created" : "2024-05-30T06:38:51Z",
+      "published" : "2024-05-30T10:47:25Z",
+      "updated" : "2024-06-06T12:41:41Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "3a5fbdc8-ddcb-4d85-a97a-52f4bfdc3aae",
+      "id" : "SNYK-JAVA-ORGJBOSSXNIO-6403375",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.jboss.xnio:xnio-api](https://mvnrepository.com/artifact/org.jboss.xnio/xnio-api)
 is a simplified low-level I/O layer which can be used anywhere you are using 
NIO. Affected versions of this package are vulnerable to Uncontrolled Resource 
Consumption due to the `NotifierState` function that can cause a Stack Overflow 
Exception when the chain of notifier states becomes problematically large, 
leading to a possible denial of service. ## Remediation Upgr [...]
+      "recommendation" : "Upgrade the package version to 3.8.14 to fix this 
vulnerability",
+      "created" : "2024-03-06T14:54:57Z",
+      "published" : "2024-03-07T06:05:43Z",
+      "updated" : "2024-04-27T13:45:18Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "2bf053f1-5d6d-4a04-9756-4ab5599451e1",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-2841508",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 4.8,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N/E:P"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Cryptographic Issues via weak key-hash message 
authentication code (HMAC) that is only 16 bits long which can result in hash 
collisions, as a result of an error within the BKS version 1 keystore (BKS-V1) 
files and could lead to an attacker being abl [...]
+      "recommendation" : "Upgrade the package version to 1.69 to fix this 
vulnerability",
+      "created" : "2022-05-23T09:25:43Z",
+      "published" : "2022-05-26T11:36:47Z",
+      "updated" : "2024-03-06T13:56:37Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Information Exposure due to missing validation 
for the X.500 name of any certificate, subject, or issuer. The presence of a 
wild card may lead to information disclosure. This could allow a malicious user 
to obtain unauthorized information via blind  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-07-11T15:15:48Z",
+      "published" : "2023-06-30T08:15:58Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "d4df2818-7fef-4ccd-bea2-6ca4f37d4888",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1296075",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Timing Attack. A timing issue within the EC math 
library can expose information about the private key when an attacker is able 
to observe timing information for the generation of multiple deterministic 
ECDSA signatures. ## Remediation Upgrade `org.b [...]
+      "recommendation" : "Upgrade the package version to 1.66 to fix this 
vulnerability",
+      "created" : "2021-05-20T17:21:17Z",
+      "published" : "2021-05-20T17:22:54Z",
+      "updated" : "2024-03-11T09:53:53Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "0210b57b-6269-404c-b131-0678b28b77b8",
+      "id" : "SNYK-JAVA-COMGITHUBJNR-1570422",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Use After Free due to CVE-2014-4043. ## Remediation Upgrade 
`com.github.jnr:jnr-posix` to version 3.1.8 or higher. ## References - 
[CVE](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-4043) - [GitHub 
PR](https://github.com/jnr/jnr-posix/pull/171) - [RedHat Bugzilla 
Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1983750)",
+      "recommendation" : "Upgrade the package version to 3.1.8 to fix this 
vulnerability",
+      "created" : "2021-08-27T16:00:23Z",
+      "published" : "2021-09-06T15:30:41Z",
+      "updated" : "2024-03-06T14:01:33Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "fab9a60e-1dce-4c53-9011-676898520e62",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-1052448",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Comparison Using Wrong Factors. The 
`OpenBSDBCrypt.checkPassword` utility method compared incorrect data when 
checking the password, allowing incorrect passwords to indicate they were 
matching with previously hashed ones that were different. ## Reme [...]
+      "recommendation" : "Upgrade the package version to 1.67 to fix this 
vulnerability",
+      "created" : "2020-12-18T11:32:45Z",
+      "published" : "2020-12-18T16:33:09Z",
+      "updated" : "2024-03-11T09:53:49Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "943cb13e-8465-4cbb-b1f9-7fb90cce6310",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6026508",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.7,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Buffer Overflow in 
`LoadVectorMaskedNode::Ideal()` in the hotspot compiler, when running unstr 
[...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-10-22T14:56:27Z",
+      "published" : "2023-10-22T14:56:41Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "63a18c7e-0dc2-46f6-b2e5-4c7856192736",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6026490",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Denial of Service (DoS) in 
`security-libs/javax.net.ssl`, when running untrusted code. ## Reme [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-10-22T14:35:46Z",
+      "published" : "2023-10-22T14:35:46Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "462d6e04-9eef-431b-839d-27f7210b2063",
+      "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient 
component of the Apache HttpComponents project. Affected versions of this 
package are vulnerable to Improper Input Validation. Apache HttpClient can 
misinterpret malformed authority component in request URIs passed to the 
library as `java.net.URI` object and pick the wrong target host for request 
execution. ## Remediation Upgrade `org.apache.httpcomponents:httpclient` to 
versi [...]
+      "recommendation" : "Upgrade the package version to 4.5.13 to fix this 
vulnerability",
+      "created" : "2020-12-03T12:39:42Z",
+      "published" : "2020-12-03T16:47:50Z",
+      "updated" : "2024-03-11T09:53:47Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "dde186cb-589c-4717-a0ec-279071e15af9",
+      "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-31517",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient 
component of the Apache HttpComponents project. Affected versions of this 
package are vulnerable to Directory Traversal. String input by user is not 
validated for the presence of leading character `/` and is passed to the 
constructor as `path` information, resulting in a Directory Traversal 
vulnerability. ## Details A Directory Traversal attack (also known as path 
traversal) a [...]
+      "recommendation" : "Upgrade the package version to 4.5.3 to fix this 
vulnerability",
+      "created" : "2017-01-17T07:28:21Z",
+      "published" : "2017-09-20T00:00:00Z",
+      "updated" : "2024-03-06T14:01:21Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "462d6e04-9eef-431b-839d-27f7210b2063",
+      "id" : "SNYK-JAVA-ORGAPACHEHTTPCOMPONENTS-1048058",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.httpcomponents:httpclient](http://hc.apache.org/) is a HttpClient 
component of the Apache HttpComponents project. Affected versions of this 
package are vulnerable to Improper Input Validation. Apache HttpClient can 
misinterpret malformed authority component in request URIs passed to the 
library as `java.net.URI` object and pick the wrong target host for request 
execution. ## Remediation Upgrade `org.apache.httpcomponents:httpclient` to 
versi [...]
+      "recommendation" : "Upgrade the package version to 4.5.13 to fix this 
vulnerability",
+      "created" : "2020-12-03T12:39:42Z",
+      "published" : "2020-12-03T16:47:50Z",
+      "updated" : "2024-03-11T09:53:47Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "533bb1ce-7b5a-4881-a3b0-309aead23e1f",
+      "id" : "SNYK-JAVA-ORGMOZILLA-1314295",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.2,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : 
"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N/E:U/RL:O/RC:R"
+        }
+      ],
+      "description" : "## Overview 
[org.mozilla:rhino](https://github.com/mozilla/rhino) is a Rhino is an 
open-source implementation of JavaScript written entirely in Java. It is 
typically embedded into Java applications to provide scripting to end users. 
Affected versions of this package are vulnerable to XML External Entity (XXE) 
Injection. The function `toXml` allows usage of external entities when parsing 
an XML document. ## Details XXE Injection is a type of attack against an applic 
[...]
+      "recommendation" : "Upgrade the package version to 1.7.12 to fix this 
vulnerability",
+      "created" : "2021-06-24T10:42:20Z",
+      "published" : "2021-06-24T14:49:34Z",
+      "updated" : "2024-03-06T14:00:46Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "9d33265c-035a-4abe-93e7-dbe6b34148b6",
+      "id" : "SNYK-JAVA-ORGJETBRAINSKOTLIN-2393744",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.jetbrains.kotlin:kotlin-stdlib](https://search.maven.org/artifact/org.jetbrains.kotlin/kotlin-stdlib)
 is a Kotlin Standard Library for JVM. Affected versions of this package are 
vulnerable to Information Exposure. A Kotlin application using `createTempDir` 
or `createTempFile` and placing sensitive information within either of these 
locations would be leaking this information in a read-only way to other users 
also on this system. **Note:** As of ver [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2022-02-04T09:36:58Z",
+      "published" : "2022-02-04T14:31:42Z",
+      "updated" : "2024-03-11T09:50:55Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "aa5b765a-3538-4975-b1ae-49116a1b0fc7",
+      "id" : "SNYK-JAVA-ORGAPACHESSHD-5769687",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 4.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Information Exposure. In SFTP servers implemented using Apache 
MINA SSHD that use a `RootedFileSystem`, logged users may be able to discover 
\"exists/does not exist\" information about items outside the rooted tree via 
paths including parent navigation (`..`) beyond the root, or involving 
symlinks. ## Remediation Upgrade `org.apache.sshd:sshd-common` to version 
2.10.0 or higher. ## References - [Apache [...]
+      "recommendation" : "Upgrade the package version to 2.10.0 to fix this 
vulnerability",
+      "created" : "2023-07-11T07:21:40Z",
+      "published" : "2023-07-11T09:22:25Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "94817108-a63c-4baa-92d1-57b9c27c2ce1",
+      "id" : "CVE-2023-33201",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "cwes" : [
+        295
+      ],
+      "description" : "Bouncy Castle For Java before 1.74 is affected by an 
LDAP injection vulnerability. The vulnerability only affects applications that 
use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During 
the certificate validation process, Bouncy Castle inserts the certificate's 
Subject Name into an LDAP search filter without any escaping, which leads to an 
LDAP injection vulnerability.",
+      "published" : "2023-07-05T03:15:00Z",
+      "updated" : "2023-08-24T19:15:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "94817108-a63c-4baa-92d1-57b9c27c2ce1",
+      "id" : "CVE-2023-33201",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "cwes" : [
+        295
+      ],
+      "description" : "Bouncy Castle For Java before 1.74 is affected by an 
LDAP injection vulnerability. The vulnerability only affects applications that 
use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During 
the certificate validation process, Bouncy Castle inserts the certificate's 
Subject Name into an LDAP search filter without any escaping, which leads to an 
LDAP injection vulnerability.",
+      "published" : "2023-07-05T03:15:00Z",
+      "updated" : "2023-08-24T19:15:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "fe470b8f-5ff9-450a-95ca-6794a36434eb",
+      "id" : "CVE-2020-11050",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 6.8,
+          "severity" : "medium",
+          "method" : "CVSSv2",
+          "vector" : "(AV:N/AC:M/Au:N/C:P/I:P/A:P)"
+        },
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cwes" : [
+        295
+      ],
+      "description" : "In Java-WebSocket less than or equal to 1.4.1, there is 
an Improper Validation of Certificate with Host Mismatch where WebSocketClient 
does not perform SSL hostname validation. This has been patched in 1.5.0.",
+      "published" : "2020-05-07T21:15:00Z",
+      "updated" : "2021-10-07T17:19:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f5627b8c-074b-47ea-b6f6-89fc5e1bc709",
+      "id" : "SNYK-JAVA-ORGJAVAWEBSOCKET-568685",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 8.1,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"
+        }
+      ],
+      "cwes" : [
+        297
+      ],
+      "description" : "## Overview 
[org.java-websocket:Java-WebSocket](https://github.com/TooTallNate/Java-WebSocket)
 is a barebones WebSocket server and client implementation written in 100% 
Java. Affected versions of this package are vulnerable to Improper Validation 
of Certificate with Host Mismatch. The Java-WebSocket Client does not perform 
hostname verification. This means that SSL certificates of other hosts are 
accepted as long as they are trusted. To exploit this vulnerability a [...]
+      "created" : "2020-05-08T10:42:03Z",
+      "updated" : "2022-01-03T18:02:04Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "7c5ae575-fa55-4f6e-b64e-bd927a3e1e37",
+      "id" : "SNYK-JAVA-ORGECLIPSEPARSSON-6044728",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Improper Input Validation when parsing `JSON` files from 
untrusted sources. An attacker can exploit the built-in support for parsing 
numbers with large scale where the input text of a number can lead to much 
larger processing time than expected. ## Remediation Upgrade 
`org.eclipse.parsson:parsson` to version 1.0.5, 1.1.4 or higher. ## References 
- [GitHub Commit](https://github.com/eclipse-ee4j/parsson [...]
+      "recommendation" : "Upgrade the package version to 1.0.5,1.1.4 to fix 
this vulnerability",
+      "created" : "2023-11-03T12:32:13Z",
+      "published" : "2023-11-03T12:36:19Z",
+      "updated" : "2024-03-11T09:54:04Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "e26bd89a-1ede-4ef7-a909-98f3f8503a52",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6164710",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Improper Input Validation due to a 
flaw in the JVM class file verifier in the `hotspot/runtime [...]
+      "recommendation" : "Upgrade the package version to 20.3.13,21.3.9,23.0.0 
to fix this vulnerability",
+      "created" : "2024-01-17T14:21:49Z",
+      "published" : "2024-01-17T21:05:27Z",
+      "updated" : "2024-03-11T09:52:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "0cdd562d-4120-454d-9059-488892d3971c",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6164701",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 4.7,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Insertion of Sensitive Information 
into Log File in the `security-libs/javax.xml.crypto` compo [...]
+      "recommendation" : "Upgrade the package version to 20.3.13,21.3.9,23.0.0 
to fix this vulnerability",
+      "created" : "2024-01-17T14:19:18Z",
+      "published" : "2024-01-17T21:02:31Z",
+      "updated" : "2024-03-11T09:52:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "a1cd755e-2569-46f8-b14c-7673d0fe7b57",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6164698",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Improper Input Validation due to a 
range check loop optimization issue in the `hotspot/compile [...]
+      "recommendation" : "Upgrade the package version to 20.3.13,21.3.9,23.0.0 
to fix this vulnerability",
+      "created" : "2024-01-17T14:16:15Z",
+      "published" : "2024-01-17T21:00:27Z",
+      "updated" : "2024-03-11T09:52:24Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "c961dd93-0674-446d-a40f-107ece7f58eb",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6162757",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.4,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Covert Timing Channel in the 
`security-libs/java.security` component. An attacker can recover  [...]
+      "recommendation" : "Upgrade the package version to 20.3.13,21.3.9,23.0.0 
to fix this vulnerability",
+      "created" : "2024-01-17T14:03:45Z",
+      "published" : "2024-01-17T20:53:06Z",
+      "updated" : "2024-03-11T09:51:18Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "231cb8fe-21b2-4f5f-b331-4d3bea6aea3b",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6164703",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.4,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Improper Privilege Management in the 
`hotspot/compiler` component. **Note** This is only explo [...]
+      "recommendation" : "Upgrade the package version to 20.3.13,21.3.9,22.3.5 
to fix this vulnerability",
+      "created" : "2024-01-17T14:19:37Z",
+      "published" : "2024-01-17T21:04:05Z",
+      "updated" : "2024-03-11T09:51:18Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "c19c29a3-d59c-42c6-b68d-fa486077661d",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6164695",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Information Exposure in the 
`core-libs/javax.script` component. **Note:** This vulnerability a [...]
+      "recommendation" : "Upgrade the package version to 20.3.13,21.3.9,22.3.5 
to fix this vulnerability",
+      "created" : "2024-01-17T14:12:52Z",
+      "published" : "2024-01-17T20:59:05Z",
+      "updated" : "2024-03-11T09:51:18Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "3ad2032c-edf6-40cc-9635-09d9f7faa30a",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-6163607",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Improper Privilege Management in the 
`security-libs/java.security` component. **Note:** This v [...]
+      "recommendation" : "Upgrade the package version to 21.3.9,22.3.5 to fix 
this vulnerability",
+      "created" : "2024-01-17T14:08:10Z",
+      "published" : "2024-01-17T20:56:02Z",
+      "updated" : "2024-03-11T09:51:20Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "e32f07e8-5137-42a4-848c-0cf2c7d97ec8",
+      "id" : "SNYK-JAVA-IOUNDERTOW-7300152",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core)
 is a Java web server based on non-blocking IO. Affected versions of this 
package are vulnerable to Uncontrolled Resource Consumption through the 
handling of URL-encoded request path information on `ajp-listener`. An attacker 
can cause the server to process incorrect paths, leading to a disruption of 
service by sending specially crafted concurrent requests. ## Detai [...]
+      "recommendation" : "Upgrade the package version to 
2.2.33.Final,2.3.14.Final to fix this vulnerability",
+      "created" : "2024-06-21T06:28:17Z",
+      "published" : "2024-06-21T07:17:01Z",
+      "updated" : "2024-06-24T09:03:55Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "3cfabcd2-5add-4f59-901e-042f92c9c0c6",
+      "id" : "SNYK-JAVA-IOUNDERTOW-7300153",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[io.undertow:undertow-core](https://mvnrepository.com/artifact/io.undertow/undertow-core)
 is a Java web server based on non-blocking IO. Affected versions of this 
package are vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion') due to insufficient limitations on the amount of `CONTINUATION` 
frames that can be sent within a single stream. An attacker can use up compute 
or memory resources to cause a disruption in service by sending pac [...]
+      "recommendation" : "Upgrade the package version to 
2.2.33.Final,2.3.14.Final to fix this vulnerability",
+      "created" : "2024-06-21T06:34:44Z",
+      "published" : "2024-06-21T06:34:44Z",
+      "updated" : "2024-06-24T09:04:33Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "d5eab648-dc8f-4d17-88d7-2dfb5fed95c5",
+      "id" : "CVE-2023-34454",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "cwes" : [
+        190
+      ],
+      "description" : "snappy-java is a fast compressor/decompressor for Java. 
Due to unchecked multiplications, an integer overflow may occur in versions 
prior to 1.1.10.1, causing an unrecoverable fatal error. The function 
`compress(char[] input)` in the file `Snappy.java` receives an array of 
characters and compresses it. It does so by multiplying the length by 2 and 
passing it to the rawCompress` function. Since the length is not tested, the 
multiplication by two can cause an integer [...]
+      "published" : "2023-06-15T17:15:00Z",
+      "updated" : "2023-06-27T16:04:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "d8dd9c4f-d279-4c67-996c-10c28a29895f",
+      "id" : "SNYK-JAVA-IONETTY-1042268",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.4,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N"
+        }
+      ],
+      "cwes" : [
+        295
+      ],
+      "description" : "## Overview 
[io.netty:netty-handler](https://github.com/netty/netty.git/netty-handler) is a 
library that provides an asynchronous event-driven network application 
framework and tools for rapid development of maintainable high performance and 
high scalability protocol servers and clients. In other words, Netty is a NIO 
client server framework which enables quick and easy development of network 
applications such as protocol servers and clients. It greatly simplifies  [...]
+      "created" : "2020-11-20T15:44:58Z",
+      "updated" : "2023-10-11T01:10:45Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "523ba8f7-55da-405e-b717-bd343e10e69a",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-5781367",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.7,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Denial of Service (DoS). Difficult 
to exploit vulnerability allows unauthenticated attackers w [...]
+      "recommendation" : "Upgrade the package version to 20.3.11,21.3.7,22.3.3 
to fix this vulnerability",
+      "created" : "2023-07-19T10:13:49Z",
+      "published" : "2023-07-19T12:54:00Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "b0d2d8e6-d8be-450c-b75c-e08d0705341d",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-5781371",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.7,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Information Exposure in the 
`hotspot/compiler` component. **Note:** This vulnerability can be  [...]
+      "recommendation" : "Upgrade the package version to 20.3.11,21.3.7,22.3.3 
to fix this vulnerability",
+      "created" : "2023-07-19T10:27:05Z",
+      "published" : "2023-07-19T12:53:49Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "cf19f68e-f376-4aaa-8f07-296135dc1bbb",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-5781373",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.7,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Information Exposure in the 
`hotspot/compiler` component. **Note:** This vulnerability can be  [...]
+      "recommendation" : "Upgrade the package version to 21.3.7,22.3.3 to fix 
this vulnerability",
+      "created" : "2023-07-19T10:30:31Z",
+      "published" : "2023-07-19T12:53:38Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "30ebc22a-ddc7-44e1-8448-568dd3b5ae3e",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-5781374",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.1,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Improper Access Control which allows 
unauthenticated attackers with logon to the infrastructur [...]
+      "recommendation" : "Upgrade the package version to 20.3.11,21.3.7,22.3.3 
to fix this vulnerability",
+      "created" : "2023-07-19T10:32:25Z",
+      "published" : "2023-07-19T12:53:27Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "062cc446-f4a0-40a5-8190-3c24987b065a",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-5781378",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.1,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Access Restriction Bypass in the 
`Networking` component, which allows unauthenticated attacker [...]
+      "recommendation" : "Upgrade the package version to 20.3.11,21.3.7,22.3.3 
to fix this vulnerability",
+      "created" : "2023-07-19T10:46:42Z",
+      "published" : "2023-07-19T10:46:42Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "bb410885-83cd-4a8c-8232-2f99c3b70e0a",
+      "id" : "SNYK-JAVA-ORGGRAALVMSDK-5781369",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 3.7,
+          "severity" : "low",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.graalvm.sdk:graal-sdk](https://search.maven.org/artifact/org.graalvm.sdk/graal-sdk)
 is a high-performance JDK distribution designed to accelerate the execution of 
applications written in Java and other JVM languages along with support for 
JavaScript, Ruby, Python, and a number of other popular languages. Affected 
versions of this package are vulnerable to Access Restriction Bypass in the 
`core-libs/java.io` component. Successful attacks of this vul [...]
+      "recommendation" : "Upgrade the package version to 20.3.11,21.3.7,22.3.3 
to fix this vulnerability",
+      "created" : "2023-07-19T10:16:35Z",
+      "published" : "2023-07-19T10:33:47Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "4ead0905-39e8-4b79-986c-a827289dadd4",
+      "id" : "SNYK-JAVA-ORGJSON-5962464",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling. An attacker 
can cause indefinite amounts of memory to be used by inputting a string of 
modest size. This can lead to a Denial of Service. ## PoC ```java package 
orgjsonbug; import org.json.JSONObject; /** * Illustrates a bug in JSON-Java. 
*/ public class Bug { private static String makeNested(int depth) { if (depth 
== 0) { return \"{\\\"a\\\":1}\";  [...]
+      "recommendation" : "Upgrade the package version to 20231013 to fix this 
vulnerability",
+      "created" : "2023-10-13T06:42:49Z",
+      "published" : "2023-10-13T06:42:49Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "3105f865-1b87-4c40-a9de-01e787fd87a2",
+      "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5918282",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling due to a 
missing upper bound check on chunk length in the `SnappyInputStream` function. 
An attacker can decompress data with an excessively large chunk size. ## 
Remediation Upgrade `org.xerial.snappy:snappy-java` to version 1.1.10.4 or 
higher. ## References - [GitHub 
Commit](https://github.com/xerial/snappy-java/commit/9f8c3cf74223ed0a8a834134be9c917
 [...]
+      "recommendation" : "Upgrade the package version to 1.1.10.4 to fix this 
vulnerability",
+      "created" : "2023-09-26T06:24:11Z",
+      "published" : "2023-09-26T09:05:16Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "16643a38-1b57-426e-b879-3fb71305aceb",
+      "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710961",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Integer Overflow or Wraparound via the function `compress(char[] 
input)` in `Snappy.java` due to improper validation of the array length. 
Exploiting this vulnerability is possible when the “buf” array compiled by the 
`maxCompressedLength` function is successfully allocated but its size might be 
too small to use for the compression, causing a fatal Access Violation error. 
**Note:** The issue most likely [...]
+      "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this 
vulnerability",
+      "created" : "2023-06-16T08:17:19Z",
+      "published" : "2023-06-16T08:17:19Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "dd3e4d18-72a9-4fa6-9afc-d0477b90aa0c",
+      "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710960",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Denial of Service (DoS) via the `hasNextChunk` function due to 
improper validation of the `chunkSize` variable value. Exploiting this 
vulnerability is possible by passing a negative number (such as `0xFFFFFFFF`, 
which is -1), which will cause the code to raise a 
`java.lang.NegativeArraySizeException` exception. A worse case would happen 
when passing a huge positive value (such as `0x7FFFFFFF`), raising [...]
+      "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this 
vulnerability",
+      "created" : "2023-06-16T08:05:41Z",
+      "published" : "2023-06-16T08:05:41Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "8a5ad283-2082-4fda-8209-9466a598fc20",
+      "id" : "SNYK-JAVA-ORGXERIALSNAPPY-5710959",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Integer Overflow or Wraparound via the `shuffle(int[] input)` 
function due to improper validation of the multiplications done on the input 
length. Exploiting this vulnerability is possible by passing negative, zero, 
float, very small, or very long values to the `shuffle` functions, which later 
on are multiplicated by four. A successful exploration results in 
“java.lang.ArrayIndexOutOfBoundsException\"  [...]
+      "recommendation" : "Upgrade the package version to 1.1.10.1 to fix this 
vulnerability",
+      "created" : "2023-06-16T07:52:47Z",
+      "published" : "2023-06-16T07:52:47Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f7d6d98d-008b-4bf9-8b2c-b0f193b30a39",
+      "id" : "SNYK-JAVA-ORGAPACHEAVRO-5926693",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.avro:avro](https://avro.apache.org/) is an Avro core components 
Affected versions of this package are vulnerable to Improper Input Validation 
when deserializing untrusted or corrupted data. An attacker can consume memory 
beyond the allowed constraints, resulting in the system being out of memory. ## 
Remediation Upgrade `org.apache.avro:avro` to version 1.11.3 or higher. ## 
References - [Apache List](https://lists.apache.org/thread/q142wj99cw [...]
+      "recommendation" : "Upgrade the package version to 1.11.3 to fix this 
vulnerability",
+      "created" : "2023-10-01T10:48:46Z",
+      "published" : "2023-10-01T11:21:06Z",
+      "updated" : "2024-03-11T09:54:02Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "6078f770-1c7f-4807-b496-2b2d6edeeb2c",
+      "id" : "CVE-2023-34453",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "cwes" : [
+        190
+      ],
+      "description" : "snappy-java is a fast compressor/decompressor for Java. 
Due to unchecked multiplications, an integer overflow may occur in versions 
prior to 1.1.10.1, causing a fatal error. The function `shuffle(int[] input)` 
in the file `BitShuffle.java` receives an array of integers and applies a bit 
shuffle on it. It does so by multiplying the length by 4 and passing it to the 
natively compiled shuffle function. Since the length is not tested, the 
multiplication by four can cau [...]
+      "published" : "2023-06-15T17:15:00Z",
+      "updated" : "2023-06-27T15:59:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f4c1392e-4047-427f-900b-30d94c9409c5",
+      "id" : "CVE-2023-34455",
+      "source" : {
+        "name" : "NVD",
+        "url" : "https://nvd.nist.gov/";
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "NVD",
+            "url" : "https://nvd.nist.gov/";
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv3",
+          "vector" : "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "cwes" : [
+        770
+      ],
+      "description" : "snappy-java is a fast compressor/decompressor for Java. 
Due to use of an unchecked chunk length, an unrecoverable fatal error can occur 
in versions prior to 1.1.10.1. The code in the function hasNextChunk in the 
fileSnappyInputStream.java checks if a given stream has more chunks to read. It 
does that by attempting to read 4 bytes. If it wasn’t possible to read the 4 
bytes, the function returns false. Otherwise, if 4 bytes were available, the 
code treats them as the [...]
+      "published" : "2023-06-15T18:15:00Z",
+      "updated" : "2024-02-01T14:17:00Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Information Exposure due to missing validation 
for the X.500 name of any certificate, subject, or issuer. The presence of a 
wild card may lead to information disclosure. This could allow a malicious user 
to obtain unauthorized information via blind  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-07-11T15:15:48Z",
+      "published" : "2023-06-30T08:15:58Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a 
file that has crafted `ASN.1` data through the `PEMParser` causes an 
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-11-24T08:10:03Z",
+      "published" : "2023-11-24T08:21:18Z",
+      "updated" : "2024-06-19T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a 
file that has crafted `ASN.1` data through the `PEMParser` causes an 
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-11-24T08:10:03Z",
+      "published" : "2023-11-24T08:21:18Z",
+      "updated" : "2024-06-19T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "ba9b5b48-9e9d-4b46-b885-92767e95af9a",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475534",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0)
 is a group of tools to assist in the reading of configuration/preferences 
files in various formats. Affected versions of this package are vulnerable to 
Out-of-Bounds Write due to the improper handling of certain configurations in 
the `AbstractListDelimiterHandler.flattenIterator` method. An attacker can 
trigger a stack overflow b [...]
+      "recommendation" : "Upgrade the package version to 2.10.1 to fix this 
vulnerability",
+      "created" : "2024-03-21T15:04:18Z",
+      "published" : "2024-03-21T15:09:43Z",
+      "updated" : "2024-04-23T11:01:46Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "9b98e428-165c-4c49-84b3-0842e1c04dd8",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6475528",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-configuration2](https://mvnrepository.com/artifact/org.apache.commons/commons-configuration2/2.0)
 is a group of tools to assist in the reading of configuration/preferences 
files in various formats. Affected versions of this package are vulnerable to 
Out-of-Bounds Write due to the improper handling of a cyclical object tree when 
calling the `ListDelimiterHandler.flatten` method. An attacker can trigger a 
StackOverflowError and [...]
+      "recommendation" : "Upgrade the package version to 2.10.1 to fix this 
vulnerability",
+      "created" : "2024-03-21T15:01:49Z",
+      "published" : "2024-03-21T15:07:58Z",
+      "updated" : "2024-04-23T11:01:46Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Allocation of Resources Without Limits or 
Throttling in the `solveQuadraticEquation()` function used for certificate 
verification in `ECCurve.java`. Passing a large f2m parameter can cause 
excessive CPU consumption. ## Remediation There is no fixed  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "f2bc40ca-8891-4e15-9d15-e6cc8a2e5e13",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-5771339",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Information Exposure due to missing validation 
for the X.500 name of any certificate, subject, or issuer. The presence of a 
wild card may lead to information disclosure. This could allow a malicious user 
to obtain unauthorized information via blind  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-07-11T15:15:48Z",
+      "published" : "2023-06-30T08:15:58Z",
+      "updated" : "2024-03-11T09:54:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "32b6cce0-75c2-493e-990b-f218191d9fb7",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6084022",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Uncontrolled Resource Consumption ('Resource 
Exhaustion') within the `org.bouncycastle.openssl.PEMParser` class. Parsing a 
file that has crafted `ASN.1` data through the `PEMParser` causes an 
`OutOfMemoryError`. ## Workaround The attack can be avoid [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2023-11-24T08:10:03Z",
+      "published" : "2023-11-24T08:21:18Z",
+      "updated" : "2024-06-19T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 
and OAEP decryption process. An attacker can recover ciphertexts via a 
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "2817c193-763d-4ecf-944c-d9972570e12f",
+      "id" : "SNYK-JAVA-COMNIMBUSDS-6247633",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[com.nimbusds:nimbus-jose-jwt](https://connect2id.com/products/nimbus-jose-jwt) 
is a library for JSON Web Tokens (JWT) Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling due to a 
large JWE `p2c` header value (AKA iteration count) for the 
`PasswordBasedDecrypter` (PBKDF2) class. An attacker can cause resource 
consumption by specifying an excessively large iteration count. ## Remediation 
Upgrade `com.n [...]
+      "recommendation" : "Upgrade the package version to 9.37.2 to fix this 
vulnerability",
+      "created" : "2024-02-15T08:19:31Z",
+      "published" : "2024-02-15T10:01:12Z",
+      "updated" : "2024-03-06T14:09:44Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
 is an API for working with compression and archive formats. Affected versions 
of this package are vulnerable to Allocation of Resources Without Limits or 
Throttling due to an `OutOfMemoryError` during the handling of a broken 
`Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to 
version 1.26.0 or higher. ## References - [Apache Lists](https://list [...]
+      "recommendation" : "Upgrade the package version to 1.26.0 to fix this 
vulnerability",
+      "created" : "2024-02-20T10:55:46Z",
+      "published" : "2024-02-20T10:55:46Z",
+      "updated" : "2024-05-09T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
 is an API for working with compression and archive formats. Affected versions 
of this package are vulnerable to Infinite loop due to the improper handling of 
certain inputs during the parsing of dump files. An attacker can cause the 
application to enter an infinite loop by supplying crafted inputs. ## 
Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...]
+      "recommendation" : "Upgrade the package version to 1.26.0 to fix this 
vulnerability",
+      "created" : "2024-02-20T10:52:07Z",
+      "published" : "2024-02-20T10:52:07Z",
+      "updated" : "2024-04-27T13:35:10Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 
and OAEP decryption process. An attacker can recover ciphertexts via a 
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "69a1fb82-9ed0-4c6b-8366-4f39f47a9ef4",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277380",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 
and OAEP decryption process. An attacker can recover ciphertexts via a 
side-channel attack by exploiting the Marvin security flaw. The PKCS#1 1.5 
attack vector leaks data via `javax.crypto.Cipher` exc [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP 
decryption process. An attacker can recover ciphertexts via a side-channel 
attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector 
leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector 
leaks via the bit size of the decrypted data. ## Remediation Upgrade 
`org.bouncycastle:bcprov-jdk18on` to version 1.78 [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP 
decryption process. An attacker can recover ciphertexts via a side-channel 
attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector 
leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector 
leaks via the bit size of the decrypted data. ## Remediation Upgrade 
`org.bouncycastle:bcprov-jdk18on` to version 1.78 [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "c074adea-ec56-459b-8a73-0750ec2ebbde",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6277381",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Observable Timing Discrepancy via the PKCS#1 1.5 and OAEP 
decryption process. An attacker can recover ciphertexts via a side-channel 
attack by exploiting the Marvin security flaw. The PKCS#1 1.5 attack vector 
leaks data via `javax.crypto.Cipher` exceptions and the OAEP interface vector 
leaks via the bit size of the decrypted data. ## Remediation Upgrade 
`org.bouncycastle:bcprov-jdk18on` to version 1.78 [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-02-26T18:00:10Z",
+      "published" : "2024-03-03T21:08:12Z",
+      "updated" : "2024-04-21T07:48:52Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "20728065-a4e7-4865-ab15-1cfbe8c7dfa6",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254297",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
 is an API for working with compression and archive formats. Affected versions 
of this package are vulnerable to Allocation of Resources Without Limits or 
Throttling due to an `OutOfMemoryError` during the handling of a broken 
`Pack200` file. ## Remediation Upgrade `org.apache.commons:commons-compress` to 
version 1.26.0 or higher. ## References - [Apache Lists](https://list [...]
+      "recommendation" : "Upgrade the package version to 1.26.0 to fix this 
vulnerability",
+      "created" : "2024-02-20T10:55:46Z",
+      "published" : "2024-02-20T10:55:46Z",
+      "updated" : "2024-05-09T13:32:28Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "6f944446-3332-440c-9eb2-967f6f500727",
+      "id" : "SNYK-JAVA-ORGAPACHECOMMONS-6254296",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.5,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview 
[org.apache.commons:commons-compress](https://github.com/apache/commons-compress)
 is an API for working with compression and archive formats. Affected versions 
of this package are vulnerable to Infinite loop due to the improper handling of 
certain inputs during the parsing of dump files. An attacker can cause the 
application to enter an infinite loop by supplying crafted inputs. ## 
Remediation Upgrade `org.apache.commons:commons-compress` to version 1.2 [...]
+      "recommendation" : "Upgrade the package version to 1.26.0 to fix this 
vulnerability",
+      "created" : "2024-02-20T10:52:07Z",
+      "published" : "2024-02-20T10:52:07Z",
+      "updated" : "2024-04-27T13:35:10Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "273d894b-8c64-4b0b-ad86-6ce592d32b53",
+      "id" : "SNYK-JAVA-JODATIME-6595834",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the component 
`org.joda.time.format.PeriodFormat::wordBased(Locale)`. An attacker can trigger 
a `NullPointerException` by supplying a null value to the `Locale` parameter. 
## Remediation There is no fixed version for `joda-time:joda-time`. ## 
References - [GitHub 
Gist](https://gist.github.com/LLM4IG/6614bfa658295d7af07a6d37e06db27f) - 
[Vulnerable Code](https://github.com/Jo [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-11T06:34:09Z",
+      "published" : "2024-04-11T06:34:09Z",
+      "updated" : "2024-04-11T13:35:26Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class. 
An attacker can send a malicious signature and public key to trigger denial of 
service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 
1.78 or higher. ## References - [GitHub 
Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49)
 - [GitHub Issue](https://github.com/bcgit/bc-java/issu [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T09:52:22Z",
+      "published" : "2024-04-14T13:27:01Z",
+      "updated" : "2024-04-14T13:27:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class. 
An attacker can send a malicious signature and public key to trigger denial of 
service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 
1.78 or higher. ## References - [GitHub 
Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49)
 - [GitHub Issue](https://github.com/bcgit/bc-java/issu [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T09:52:22Z",
+      "published" : "2024-04-14T13:27:01Z",
+      "updated" : "2024-04-14T13:27:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "5828b7c6-47de-4c98-83b4-9f0a5e50f642",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6612984",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 7.5,
+          "severity" : "high",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:P"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Infinite loop in ED25519 verification in the `ScalarUtil` class. 
An attacker can send a malicious signature and public key to trigger denial of 
service. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to version 
1.78 or higher. ## References - [GitHub 
Commit](https://github.com/bcgit/bc-java/commit/9c165791b68a204678b48ec11e4e579754c2ea49)
 - [GitHub Issue](https://github.com/bcgit/bc-java/issu [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T09:52:22Z",
+      "published" : "2024-04-14T13:27:01Z",
+      "updated" : "2024-04-14T13:27:01Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Allocation of Resources Without Limits or 
Throttling in the `solveQuadraticEquation()` function used for certificate 
verification in `ECCurve.java`. Passing a large f2m parameter can cause 
excessive CPU consumption. ## Remediation There is no fixed  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "8e38c018-71df-4acf-a966-d97abcc7d886",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613080",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview 
[org.bouncycastle:bcprov-jdk15on](https://mvnrepository.com/artifact/org.bouncycastle/bcprov-jdk15on)
 is a Java implementation of cryptographic algorithms. Affected versions of 
this package are vulnerable to Allocation of Resources Without Limits or 
Throttling in the `solveQuadraticEquation()` function used for certificate 
verification in `ECCurve.java`. Passing a large f2m parameter can cause 
excessive CPU consumption. ## Remediation There is no fixed  [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling in the 
`solveQuadraticEquation()` function used for certificate verification in 
`ECCurve.java`. Passing a large f2m parameter can cause excessive CPU 
consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to 
version 1.78 or higher. ## References - [GitHub 
Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a
 [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Observable Discrepancy due to the timing difference between 
exceptions thrown when processing RSA key exchange handshakes, AKA Marvin. 
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1 
interface, but does not fully alleviate the side-channel as it allows cases in 
which the padding check fails but the handshake succeeds. ## Remediation 
Upgrade `org.bouncycastle:bcprov-jdk18on` t [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T14:45:29Z",
+      "published" : "2024-04-14T14:45:29Z",
+      "updated" : "2024-05-29T14:05:06Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling in the 
`solveQuadraticEquation()` function used for certificate verification in 
`ECCurve.java`. Passing a large f2m parameter can cause excessive CPU 
consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to 
version 1.78 or higher. ## References - [GitHub 
Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a
 [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Observable Discrepancy due to the timing difference between 
exceptions thrown when processing RSA key exchange handshakes, AKA Marvin. 
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1 
interface, but does not fully alleviate the side-channel as it allows cases in 
which the padding check fails but the handshake succeeds. ## Remediation 
Upgrade `org.bouncycastle:bcprov-jdk18on` t [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T14:45:29Z",
+      "published" : "2024-04-14T14:45:29Z",
+      "updated" : "2024-05-29T14:05:06Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "bcaa7ef6-85c8-4348-801e-385ac4aad4cb",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613079",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Allocation of Resources Without Limits or Throttling in the 
`solveQuadraticEquation()` function used for certificate verification in 
`ECCurve.java`. Passing a large f2m parameter can cause excessive CPU 
consumption. ## Remediation Upgrade `org.bouncycastle:bcprov-jdk18on` to 
version 1.78 or higher. ## References - [GitHub 
Commit](https://github.com/bcgit/bc-java/commit/efc498ca4caa340ac2fe11f2efee06c1a
 [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T15:09:02Z",
+      "published" : "2024-04-14T15:09:02Z",
+      "updated" : "2024-04-14T15:09:03Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "08f699d3-ac78-4ff2-a4c7-5c602d37e21f",
+      "id" : "SNYK-JAVA-ORGBOUNCYCASTLE-6613076",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.9,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N/E:P"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Observable Discrepancy due to the timing difference between 
exceptions thrown when processing RSA key exchange handshakes, AKA Marvin. 
**Note:** The implemented fix mitigates the leakage of data via the PKCS#1 
interface, but does not fully alleviate the side-channel as it allows cases in 
which the padding check fails but the handshake succeeds. ## Remediation 
Upgrade `org.bouncycastle:bcprov-jdk18on` t [...]
+      "recommendation" : "Upgrade the package version to 1.78 to fix this 
vulnerability",
+      "created" : "2024-04-14T14:45:29Z",
+      "published" : "2024-04-14T14:45:29Z",
+      "updated" : "2024-05-29T14:05:06Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "b9ddb5ce-ece9-42e4-b836-38b61c4f8386",
+      "id" : "SNYK-JAVA-ORGTHREETEN-6592149",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 5.3,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to NULL Pointer Dereference via the 
`org.threeten.bp.LocalDate::compareTo(ChronoLocalDate)` method. An attacker can 
trigger a `NullPointerException` by supplying a null object as an argument to 
the `other` parameter. ## Remediation There is no fixed version for 
`org.threeten:threetenbp`. ## References - [GitHub 
Gist](https://gist.github.com/LLM4IG/3cc9183dcd887020368a0bafeafec5e3) - 
[Vulnerable Code](http [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-09T06:33:27Z",
+      "published" : "2024-04-09T06:50:04Z",
+      "updated" : "2024-04-09T07:07:18Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    },
+    {
+      "bom-ref" : "554bc189-75fa-429f-a2d4-727c886c157e",
+      "id" : "SNYK-JAVA-ORGTHREETEN-6591891",
+      "source" : {
+        "name" : "SNYK"
+      },
+      "ratings" : [
+        {
+          "source" : {
+            "name" : "SNYK"
+          },
+          "score" : 6.2,
+          "severity" : "medium",
+          "method" : "CVSSv31",
+          "vector" : "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"
+        }
+      ],
+      "description" : "## Overview Affected versions of this package are 
vulnerable to Integer Overflow or Wraparound in the 
`org.threeten.bp.format.DateTimeFormatter::parse(CharSequence, ParsePosition)` 
method, when the string is empty, the parameter index is 10, and the 
`errorIndex` is 10. ## Remediation There is no fixed version for 
`org.threeten:threetenbp`. ## References - [GitHub 
Gist](https://gist.github.com/LLM4IG/d2618f5f4e5ac37eb75cff5617e58b90) - 
[Vulnerable Code](https://gith [...]
+      "recommendation" : "Upgrade the package version to to fix this 
vulnerability",
+      "created" : "2024-04-08T19:36:37Z",
+      "published" : "2024-04-09T06:16:54Z",
+      "updated" : "2024-04-09T06:16:54Z",
+      "affects" : [
+        {
+          "ref" : "5f245b7e-9ef5-4de2-a835-7c46b6efd100"
+        }
+      ]
+    }
+  ]
+}
\ No newline at end of file
