This repository has been archived by the owner on Dec 28, 2024. It is now read-only.
wiremock-3.0.1.pom: 7 vulnerabilities (highest severity is: 7.5) #524
Labels
invalid
This doesn't seem right
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
test dependency only
The discovered security advisory affects only a test dependency
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
nagyesta
added
invalid
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
mend-bolt-for-github
bot
changed the title
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlets/11.0.15/9acae297f89bd6611fc2e31d53990c1ede541c20/jetty-servlets-11.0.15.jar
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - http2-common-11.0.15.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-common/11.0.15/17d3db573c9821cb3b7977ee8441824bdee7bc21/http2-common-11.0.15.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.
Publish Date: 2024-02-26
URL: CVE-2024-22201
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-rggv-cv7r-mw98
Release Date: 2024-02-26
Fix Resolution: org.eclipse.jetty.http2:http2-common:9.4.54,10.0.20,11.0.20, org.eclipse.jetty.http2:jetty-http2-common:12.0.6, org.eclipse.jetty.http3:http3-common:10.0.20,11.0.20, org.eclipse.jetty.http3:jetty-http3-common:12.0.6
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - http2-server-11.0.15.jar, http2-common-11.0.15.jar
http2-server-11.0.15.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-server/11.0.15/e23e5c355137815dea19ae8fd7258c9612ebc91a/http2-server-11.0.15.jar
Dependency Hierarchy:
http2-common-11.0.15.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-common/11.0.15/17d3db573c9821cb3b7977ee8441824bdee7bc21/http2-common-11.0.15.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.
Publish Date: 2023-10-10
URL: CVE-2023-44487
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0
Step up your Open Source Security Game with Mend here
Vulnerable Libraries - http2-hpack-11.0.15.jar, jetty-http-11.0.15.jar
http2-hpack-11.0.15.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-hpack/11.0.15/15f65174546636aa985d5c42fa8af49ab5824dba/http2-hpack-11.0.15.jar
Dependency Hierarchy:
jetty-http-11.0.15.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/11.0.15/6eb099ce51496de87ecfe9b8c62c2e8f3f5e848/jetty-http-11.0.15.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in
MetaDataBuilder.checkSizeallows for HTTP/2 HPACK header values toexceed their size limit.
MetaDataBuilder.javadetermines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295will overflow, and length will become negative.
(_size+length)will now be negative, and the check on line 296 will not be triggered. Furthermore,MetaDataBuilder.checkSizeallows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.Publish Date: 2023-10-10
URL: CVE-2023-36478
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-wgh7-54f2-x98r
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16
Step up your Open Source Security Game with Mend here
Vulnerable Library - wiremock-3.0.1.jar
A web service test double for all occasions
Library home page: http://wiremock.org
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.wiremock/wiremock/3.0.1/d2d53be1e1710812e3fca3f437c277928e60fdf4/wiremock-3.0.1.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
WireMock is a tool for mocking HTTP services. The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to the DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request that might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or to configure WireMock to use IP addresses instead of the domain names.
Publish Date: 2023-09-06
URL: CVE-2023-41329
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-pmxq-pj47-j8j4
Release Date: 2023-09-06
Fix Resolution: com.tomakehurst.wiremock:wiremock-jre8-standalone:2.35.1, com.tomakehurst.wiremock:wiremock-jre8:2.35.1, org.wiremock:wiremock-standalone:3.0.3, org.wiremock:wiremock:3.0.3, wiremock - 2.6.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jetty-http-11.0.15.jar
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/11.0.15/6eb099ce51496de87ecfe9b8c62c2e8f3f5e848/jetty-http-11.0.15.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the
+character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.Publish Date: 2023-09-15
URL: CVE-2023-40167
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-hmr7-m48g-48f6
Release Date: 2023-09-15
Fix Resolution: org.eclipse.jetty:jetty-http:9.4.52.v20230823,10.0.16,11.0.16,12.0.1
Step up your Open Source Security Game with Mend here
Vulnerable Library - jetty-servlets-11.0.15.jar
Utility Servlets from Jetty
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlets/11.0.15/9acae297f89bd6611fc2e31d53990c1ede541c20/jetty-servlets-11.0.15.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.
Publish Date: 2023-09-15
URL: CVE-2023-36479
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-3gh6-v5v9-6v9j
Release Date: 2023-09-15
Fix Resolution: org.eclipse.jetty:jetty-servlets:9.4.52.v20230823,10.0.16,11.0.16
Step up your Open Source Security Game with Mend here
Vulnerable Library - jetty-xml-11.0.15.jar
The jetty xml utilities.
Library home page: https://eclipse.org/jetty
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-xml/11.0.15/8189a8dfd871415b768d6568476e33a553e80b3/jetty-xml-11.0.15.jar
Dependency Hierarchy:
Found in HEAD commit: 19caed1ffb4d04f5ebf9462f10a36297dc3cae88
Found in base branch: main
Vulnerability Details
XmlParser is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the WAR includes a malicious web.xml. The vulnerability is patched in versions 10.0.16, 11.0.16, and 12.0.0.
Publish Date: 2023-07-10
URL: WS-2023-0236
CVSS 3 Score Details (3.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-58qw-p7qm-5rvh
Release Date: 2023-07-10
Fix Resolution: org.eclipse.jetty:jetty-xml:10.0.16,11.0.16,12.0.0
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: