[ https://issues.apache.org/jira/browse/TOMEE-2908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jayaprakash updated TOMEE-2908:
-------------------------------
    Description: 
TomEE plus version is using the *cryptacular-1.0.jar* which is affected by 
vulnerability CVE-2020-7226 (BDSA-2020-2333) with a CVSS score of 6.5 which 
causes denial-of-service (DoS) due to the mismanagement of system memory 
resources.

*Issue:* _CiphertextHeader.java_ in Cryptacular 1.2.3, as used in Apereo CAS 
and other products, allows attackers to trigger excessive memory allocation 
during a decode operation, because the nonce array length associated with "new 
byte" may depend on untrusted input within the header of encoded data.


Please confirm whether this vulnerability impacts versions 7.0.7, 7.0.8, 7.1.2, and 
7.1.3.

  was:
TomEE plus version is using the *cryptacular-1.0.jar* which is affected by 
vulnerability CVE-2020-7226 (BDSA-2020-2333) with a CVSS score of 6.5 which 
causes denial-of-service (DoS) due to the mismanagement of system memory 
resources.


Please confirm whether this vulnerability impacts versions 7.0.7, 7.0.8, 7.1.2, and 
7.1.3.


> TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability
> ----------------------------------------------------------------------
>
>                 Key: TOMEE-2908
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2908
>             Project: TomEE
>          Issue Type: Bug
>            Reporter: Pardeep Kumar
>            Assignee: Jonathan Gallimore
>            Priority: Major
>
> TomEE plus version is using the *cryptacular-1.0.jar* which is affected by 
> vulnerability CVE-2020-7226 (BDSA-2020-2333) with a CVSS score of 6.5 which 
> causes denial-of-service (DoS) due to the mismanagement of system memory 
> resources.
> *Issue:* _CiphertextHeader.java_ in Cryptacular 1.2.3, as used in Apereo CAS 
> and other products, allows attackers to trigger excessive memory allocation 
> during a decode operation, because the nonce array length associated with 
> "new byte" may depend on untrusted input within the header of encoded data.
>
> Please confirm whether this vulnerability impacts versions 7.0.7, 7.0.8, 7.1.2, and 
> 7.1.3.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
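The allocation pattern the report describes (a nonce array whose size is read from the untrusted header and passed straight to "new byte[]") is shown below as an added example written for this page; it is not cryptacular's CiphertextHeader code, not TomEE code, and the header layout it parses (one version byte, a 4-byte big-endian nonce length, then the nonce bytes), the class and method names, and the MAX_NONCE_LEN bound are all assumptions chosen for illustration. The unchecked decoder reproduces the bug class; the checked decoder rejects the length before anything is allocated.

```java
import java.nio.ByteBuffer;
import java.nio.charset.StandardCharsets;

/**
 * Hypothetical header decoder (not cryptacular's): the wire format assumed
 * here is a version byte, a 4-byte big-endian nonce length, then the nonce.
 */
public class NonceHeaderDemo {
    // Assumed upper bound for a hardened decoder; no real cipher mode needs
    // a nonce anywhere near this size, so anything larger is hostile input.
    static final int MAX_NONCE_LEN = 255;

    /** Vulnerable pattern: array size taken directly from untrusted input. */
    static byte[] decodeNonceUnchecked(byte[] encoded) {
        ByteBuffer in = ByteBuffer.wrap(encoded);
        in.get();                           // version byte, ignored here
        int nonceLen = in.getInt();         // attacker-controlled
        byte[] nonce = new byte[nonceLen];  // may request ~2 GiB -> OutOfMemoryError
        in.get(nonce);
        return nonce;
    }

    /** Hardened pattern: validate the declared length before allocating. */
    static byte[] decodeNonceChecked(byte[] encoded) {
        ByteBuffer in = ByteBuffer.wrap(encoded);
        if (in.remaining() < 5) {
            throw new IllegalArgumentException("header truncated");
        }
        in.get();                           // version byte
        int nonceLen = in.getInt();
        if (nonceLen < 0 || nonceLen > MAX_NONCE_LEN) {
            throw new IllegalArgumentException("nonce length out of range: " + nonceLen);
        }
        if (nonceLen > in.remaining()) {
            throw new IllegalArgumentException(
                "nonce length " + nonceLen + " exceeds remaining input " + in.remaining());
        }
        byte[] nonce = new byte[nonceLen];  // bounded by MAX_NONCE_LEN and by input size
        in.get(nonce);
        return nonce;
    }

    /** Builds a constructed header carrying the given length field and bytes. */
    static byte[] header(int declaredLen, byte[] nonceBytes) {
        ByteBuffer out = ByteBuffer.allocate(5 + nonceBytes.length);
        out.put((byte) 1).putInt(declaredLen).put(nonceBytes);
        return out.array();
    }

    public static void main(String[] args) {
        // Constructed sample: a benign 12-byte nonce with a truthful length field.
        byte[] nonce = "0123456789ab".getBytes(StandardCharsets.US_ASCII);
        byte[] benign = header(nonce.length, nonce);
        System.out.println("benign nonce length: " + decodeNonceChecked(benign).length);

        // Constructed hostile header: declares Integer.MAX_VALUE nonce bytes, carries none.
        byte[] hostile = header(Integer.MAX_VALUE, new byte[0]);
        try {
            decodeNonceChecked(hostile);
        } catch (IllegalArgumentException e) {
            System.out.println("hardened decoder rejected: " + e.getMessage());
        }
        try {
            decodeNonceUnchecked(hostile);  // the JVM refuses an array this large
        } catch (OutOfMemoryError e) {
            System.out.println("unchecked decoder failed with: " + e);
        }
    }
}
```

The two checks in decodeNonceChecked are both needed: the fixed MAX_NONCE_LEN cap stops a large allocation even when the attacker pads the input to match the declared length, and the comparison against in.remaining() stops a length that is small enough to allocate but still longer than the data actually present. A decoder that only has the second check can still be driven to allocate as much as the attacker is willing to send, which is a weaker but real memory-exhaustion vector.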
