wiremock-jre8-2.34.0.jar: 15 vulnerabilities (highest severity is: 7.5) reachable

[mend-for-github-com]

Vulnerable Library - wiremock-jre8-2.34.0.jar

A web service test double for all occasions

Library home page: http://wiremock.org

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.34.0/b170d86932f5923d2f9de64bf80b77364288304/wiremock-jre8-2.34.0.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (wiremock-jre8 version)	Remediation Possible**	Reachability
CVE-2023-24998	High	7.5	commons-fileupload-1.4.jar	Transitive	N/A*	❌	Reachable
CVE-2024-8184	Medium	5.9	jetty-server-9.4.51.v20230217.jar	Transitive	N/A*	❌	Reachable
CVE-2024-31573	Medium	5.6	xmlunit-core-2.9.1.jar	Transitive	N/A*	❌	Reachable
CVE-2023-51074	Medium	5.3	json-path-2.7.0.jar	Transitive	N/A*	❌	Reachable
CVE-2023-40167	Medium	5.3	jetty-http-9.4.51.v20230217.jar	Transitive	N/A*	❌	Reachable
CVE-2024-6763	Low	3.7	detected in multiple dependencies	Transitive	N/A*	❌	Reachable
CVE-2024-22201	High	7.5	http2-common-9.4.51.v20230217.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-44487	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌	Unreachable
CVE-2023-36478	High	7.5	detected in multiple dependencies	Transitive	N/A*	❌	Unreachable
CVE-2023-3894	Medium	5.8	jackson-dataformat-properties-2.14.1.jar	Transitive	2.35.0	✅	Unreachable
CVE-2024-9823	Medium	5.3	jetty-servlets-9.4.51.v20230217.jar	Transitive	N/A*	❌	Unreachable
WS-2023-0236	Low	3.9	jetty-xml-9.4.51.v20230217.jar	Transitive	N/A*	❌	Unreachable
CVE-2023-41329	Low	3.9	wiremock-jre8-2.34.0.jar	Direct	2.35.1	✅	Unreachable
CVE-2023-36479	Low	3.5	jetty-servlets-9.4.51.v20230217.jar	Transitive	N/A*	❌	Unreachable
WS-2022-0468	High	7.5	jackson-core-2.14.1.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-24998

Vulnerable Library - commons-fileupload-1.4.jar

The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Library home page: https://www.apache.org/

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/commons-fileupload/commons-fileupload/1.4/f95188e3d372e20e7328706c37ef366e5d7859b0/commons-fileupload-1.4.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ commons-fileupload-1.4.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.symphony.bdk.workflow.WorkflowBotApplication (Application)
  -> org.springframework.boot.autoconfigure.SpringBootApplication (Extension)
   -> org.springframework.boot.autoconfigure.AutoConfigurationPackages$Registrar (Extension)
    -> org.springframework.web.method.annotation.ModelAttributeMethodProcessor$FieldAwareConstructorParameter (Extension)
    ...
      -> org.springframework.web.multipart.commons.CommonsMultipartResolver$1 (Extension)
       -> org.springframework.web.multipart.commons.CommonsMultipartResolver (Extension)
        -> ❌ org.apache.commons.fileupload.FileUploadBase (Vulnerable Component)

Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat.embed:tomcat-embed-core:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-util:8.5.85,9.0.71,10.1.5,11.0.0-M3;org.apache.tomcat:tomcat-catalina:8.5.85,9.0.71,10.1.5,11.0.0-M3

CVE-2024-8184

Vulnerable Library - jetty-server-9.4.51.v20230217.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.51.v20230217/d0572c8460eb26adf8420e78535d95859c89a936/jetty-server-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ jetty-server-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.symphony.bdk.workflow.WorkflowBotApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.context.support.AbstractApplicationContext (Extension)
    -> org.eclipse.jetty.server.HttpOutput (Extension)
    ...
      -> org.eclipse.jetty.server.CustomRequestLog (Extension)
       -> org.eclipse.jetty.server.handler.ThreadLimitHandler$RFC7239 (Extension)
        -> ❌ org.eclipse.jetty.server.handler.ThreadLimitHandler (Vulnerable Component)

Vulnerability Details

There exists a security vulnerability in Jetty's ThreadLimitHandler.getRemote() which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory.

Publish Date: 2024-10-14

URL: CVE-2024-8184

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g8m5-722r-8whq

Release Date: 2024-10-14

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.56,10.0.24,11.0.24,12.0.9, org.eclipse.jetty.ee9:jetty-ee9-nested:9.4.56,10.0.24,11.0.24,12.0.9

CVE-2024-31573

Vulnerable Library - xmlunit-core-2.9.1.jar

XMLUnit for Java

Library home page: https://www.xmlunit.org/

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.xmlunit/xmlunit-core/2.9.1/e5833662d9a1279a37da3ef6f62a1da29fcd68c4/xmlunit-core-2.9.1.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ xmlunit-core-2.9.1.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

org.xmlunit.util.TransformerFactoryConfigurer (Application)
  -> org.xmlunit.diff.DefaultComparisonFormatter (Extension)
   -> org.xmlunit.diff.Diff (Extension)
    -> org.springframework.orm.jpa.JpaTransactionManager (Extension)
    ...
      -> org.springframework.transaction.annotation.TransactionManagementConfigurationSelector (Extension)
       -> org.springframework.transaction.annotation.EnableTransactionManagement (Extension)
        -> ❌ com.symphony.bdk.workflow.WorkflowBotApplication (Vulnerable Component)

Vulnerability Details

When performing XSLT transformations XMLUnit for Java before 2.10.0 did not disable XSLT extension functions by default. Depending on the XSLT processor being used this could allow arbitrary code to be executed when XMLUnit is used to transform data with a stylesheet who's source can not be trusted. If the stylesheet can be provided externally this may even lead to a remote code execution.

Publish Date: 2024-12-05

URL: CVE-2024-31573

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-chfm-68vv-pvw5

Release Date: 2024-12-05

Fix Resolution: org.xmlunit:xmlunit-core:2.10.0

CVE-2023-51074

Vulnerable Library - json-path-2.7.0.jar

Java port of Stefan Goessner JsonPath.

Library home page: https://github.com/

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.jayway.jsonpath/json-path/2.7.0/f9d7d9659f2694e61142046ff8a216c047f263e8/json-path-2.7.0.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ json-path-2.7.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.jayway.jsonpath.internal.path.PathCompiler (Application)
  -> com.jayway.jsonpath.JsonPath (Extension)
   -> org.springframework.test.util.JsonPathExpectationsHelper (Extension)
    -> org.springframework.context.annotation.AnnotationConfigUtils (Extension)
    ...
      -> org.springframework.data.jpa.repository.config.JpaRepositoriesRegistrar (Extension)
       -> org.springframework.data.jpa.repository.config.EnableJpaRepositories (Extension)
        -> ❌ com.symphony.bdk.workflow.configuration.WorkflowDataSourceConfiguration (Vulnerable Component)

Vulnerability Details

json-path v2.8.0 was discovered to contain a stack overflow via the Criteria.parse() method.

Publish Date: 2023-12-27

URL: CVE-2023-51074

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-51074

Release Date: 2023-12-27

Fix Resolution: com.jayway.jsonpath:json-path:2.9.0

CVE-2023-40167

Vulnerable Library - jetty-http-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.51.v20230217/fe37568aded59dd8e437e0f670fe5f809071fe8f/jetty-http-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-proxy-9.4.51.v20230217.jar
    • jetty-client-9.4.51.v20230217.jar
      • ❌ jetty-http-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.symphony.bdk.workflow.WorkflowBotApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
    -> org.springframework.web.filter.reactive.HiddenHttpMethodFilter (Extension)
    ...
      -> org.eclipse.jetty.server.Request (Extension)
       -> org.eclipse.jetty.server.HttpChannelOverHttp (Extension)
        -> ❌ org.eclipse.jetty.http.HttpParser (Vulnerable Component)

Vulnerability Details

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Publish Date: 2023-09-15

URL: CVE-2023-40167

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmr7-m48g-48f6

Release Date: 2023-09-15

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.52.v20230823,10.0.16,11.0.16,12.0.1

CVE-2024-6763

Vulnerable Libraries - jetty-server-9.4.51.v20230217.jar, jetty-http-9.4.51.v20230217.jar

jetty-server-9.4.51.v20230217.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.51.v20230217/d0572c8460eb26adf8420e78535d95859c89a936/jetty-server-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ jetty-server-9.4.51.v20230217.jar (Vulnerable Library)

jetty-http-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.51.v20230217/fe37568aded59dd8e437e0f670fe5f809071fe8f/jetty-http-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-proxy-9.4.51.v20230217.jar
    • jetty-client-9.4.51.v20230217.jar
      • ❌ jetty-http-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

This vulnerability is potentially reachable

com.symphony.bdk.workflow.WorkflowBotApplication (Application)
  -> org.springframework.boot.SpringApplication (Extension)
   -> org.springframework.boot.web.servlet.support.SpringBootServletInitializer$WebEnvironmentPropertySourceInitializer (Extension)
    -> org.springframework.boot.web.reactive.filter.OrderedHiddenHttpMethodFilter (Extension)
    ...
      -> org.springframework.web.server.DefaultServerWebExchangeBuilder (Extension)
       -> org.springframework.http.server.reactive.JettyHttpHandlerAdapter$JettyServerHttpResponse (Extension)
        -> ❌ org.eclipse.jetty.server.Response (Vulnerable Component)

Vulnerability Details

Eclipse Jetty is a lightweight, highly scalable, Java-based web server and Servlet engine . It includes a utility class, HttpURI, for URI/URL parsing. The HttpURI class does insufficient validation on the authority segment of a URI. However the behaviour of HttpURI differs from the common browsers in how it handles a URI that would be considered invalid if fully validated against the RRC. Specifically HttpURI and the browser may differ on the value of the host extracted from an invalid URI and thus a combination of Jetty and a vulnerable browser may be vulnerable to a open redirect attack or to a SSRF attack if the URI is used after passing validation checks.

Publish Date: 2024-10-14

URL: CVE-2024-6763

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qh8g-58pp-2wxh

Release Date: 2024-10-14

Fix Resolution: org.eclipse.jetty:jetty-http:12.0.12;org.eclipse.jetty:jetty-server:12.0.12

CVE-2024-22201

Vulnerable Library - http2-common-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-common/9.4.51.v20230217/23852d5ddd24619f9ee616069f21be41654edb7e/http2-common-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-bom-9.4.48.v20220622.pom
    • ❌ http2-common-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Jetty is a Java based web server and servlet engine. An HTTP/2 SSL connection that is established and TCP congested will be leaked when it times out. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The vulnerability is patched in 9.4.54, 10.0.20, 11.0.20, and 12.0.6.

Publish Date: 2024-02-26

URL: CVE-2024-22201

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rggv-cv7r-mw98

Release Date: 2024-02-26

Fix Resolution: org.eclipse.jetty.http2:http2-common:9.4.54,10.0.20,11.0.20, org.eclipse.jetty.http2:jetty-http2-common:12.0.6, org.eclipse.jetty.http3:http3-common:10.0.20,11.0.20, org.eclipse.jetty.http3:jetty-http3-common:12.0.6

CVE-2023-44487

Vulnerable Libraries - http2-common-9.4.51.v20230217.jar, http2-server-9.4.51.v20230217.jar

http2-common-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-common/9.4.51.v20230217/23852d5ddd24619f9ee616069f21be41654edb7e/http2-common-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-bom-9.4.48.v20220622.pom
    • ❌ http2-common-9.4.51.v20230217.jar (Vulnerable Library)

http2-server-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-server/9.4.51.v20230217/b71b2fb2d8764f0794fb71a171cd54579156bd78/http2-server-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ http2-server-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0, kubernetes/apiserver- v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

CVE-2023-36478

Vulnerable Libraries - http2-hpack-9.4.51.v20230217.jar, jetty-http-9.4.51.v20230217.jar

http2-hpack-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty.http2/http2-hpack/9.4.51.v20230217/5cdd9183dc2449a309b198ace0795738a9b4e0a8/http2-hpack-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-bom-9.4.48.v20220622.pom
    • ❌ http2-hpack-9.4.51.v20230217.jar (Vulnerable Library)

jetty-http-9.4.51.v20230217.jar

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.51.v20230217/fe37568aded59dd8e437e0f670fe5f809071fe8f/jetty-http-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-proxy-9.4.51.v20230217.jar
    • jetty-client-9.4.51.v20230217.jar
      • ❌ jetty-http-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to
exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

Publish Date: 2023-10-10

URL: CVE-2023-36478

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wgh7-54f2-x98r

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16

CVE-2023-3894

Vulnerable Library - jackson-dataformat-properties-2.14.1.jar

Support for reading and writing content of "Java Properties" style configuration files as if there was implied nesting structure (by default using dots as separators).

Library home page: http://fasterxml.com/

Path to dependency file: /workflow-language/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.dataformat/jackson-dataformat-properties/2.14.1/36de33fa1870eccd3a7899a41866b69b7b7cfd5b/jackson-dataformat-properties-2.14.1.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jackson-bom-2.14.1.pom
    • ❌ jackson-dataformat-properties-2.14.1.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Those using jackson-dataformats-text to parse TOML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Publish Date: 2023-08-08

URL: CVE-2023-3894

CVSS 3 Score Details (5.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-08-08

Fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-properties): 2.15.0-rc1

Direct dependency fix Resolution (com.github.tomakehurst:wiremock-jre8): 2.35.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-9823

Vulnerable Library - jetty-servlets-9.4.51.v20230217.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlets/9.4.51.v20230217/b056ab57a23034e05339ecddabe4d96cee3c9b8c/jetty-servlets-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ jetty-servlets-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

There exists a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause remote denial-of-service (DoS) attack on the server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutofMemory errors and exhaust the server's memory finally.

Publish Date: 2024-10-14

URL: CVE-2024-9823

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7hcf-ppf8-5w5h

Release Date: 2024-10-14

Fix Resolution: org.eclipse.jetty:jetty-servlets:10.0.18,11.0.18,9.4.54.v20240208, org.eclipse.jetty.ee8:jetty-ee8-servlets:12.0.3, org.eclipse.jetty.ee9:jetty-ee9-servlets:12.0.3, org.eclipse.jetty.ee10:jetty-ee10-servlets:12.0.3

WS-2023-0236

Vulnerable Library - jetty-xml-9.4.51.v20230217.jar

The jetty xml utilities.

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-xml/9.4.51.v20230217/54572d542f3a9e943ebf50f34df5ef1420b0b045/jetty-xml-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • jetty-bom-9.4.48.v20220622.pom
    • ❌ jetty-xml-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

XmlParser is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the WAR includes a malicious web.xml. The vulnerability is patched in versions 10.0.16, 11.0.16, and 12.0.0.

Publish Date: 2024-12-02

URL: WS-2023-0236

CVSS 3 Score Details (3.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-58qw-p7qm-5rvh

Release Date: 2024-12-02

Fix Resolution: org.eclipse.jetty:jetty-xml:10.0.16,11.0.16,12.0.0

CVE-2023-41329

Vulnerable Library - wiremock-jre8-2.34.0.jar

A web service test double for all occasions

Library home page: http://wiremock.org

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.github.tomakehurst/wiremock-jre8/2.34.0/b170d86932f5923d2f9de64bf80b77364288304/wiremock-jre8-2.34.0.jar

Dependency Hierarchy:

• ❌ wiremock-jre8-2.34.0.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

WireMock is a tool for mocking HTTP services. The proxy mode of WireMock, can be protected by the network restrictions configuration, as documented in Preventing proxying to and recording from specific target addresses. These restrictions can be configured using the domain names, and in such a case the configuration is vulnerable to the DNS rebinding attacks. A similar patch was applied in WireMock 3.0.0-beta-15 for the WireMock Webhook Extensions. The root cause of the attack is a defect in the logic which allows for a race condition triggered by a DNS server whose address expires in between the initial validation and the outbound network request that might go to a domain that was supposed to be prohibited. Control over a DNS service is required to exploit this attack, so it has high execution complexity and limited impact. This issue has been addressed in version 2.35.1 of wiremock-jre8 and wiremock-jre8-standalone, version 3.0.3 of wiremock and wiremock-standalone, version 2.6.1 of the python version of wiremock, and versions 2.35.1-1 and 3.0.3-1 of the wiremock/wiremock Docker container. Users are advised to upgrade. Users unable to upgrade should either configure firewall rules to define the list of permitted destinations or to configure WireMock to use IP addresses instead of the domain names.

Publish Date: 2023-09-06

URL: CVE-2023-41329

CVSS 3 Score Details (3.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Adjacent
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-pmxq-pj47-j8j4

Release Date: 2023-09-06

Fix Resolution: 2.35.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-36479

Vulnerable Library - jetty-servlets-9.4.51.v20230217.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-servlets/9.4.51.v20230217/b056ab57a23034e05339ecddabe4d96cee3c9b8c/jetty-servlets-9.4.51.v20230217.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ jetty-servlets-9.4.51.v20230217.jar (Vulnerable Library)

Found in base branch: master

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to a org.eclipse.jetty.servlets.CGI Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in version 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Publish Date: 2023-09-15

URL: CVE-2023-36479

CVSS 3 Score Details (3.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3gh6-v5v9-6v9j

Release Date: 2023-09-15

Fix Resolution: org.eclipse.jetty:jetty-servlets:9.4.52.v20230823,10.0.16,11.0.16

WS-2022-0468

Vulnerable Library - jackson-core-2.14.1.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: http://fasterxml.com/

Path to dependency file: /workflow-bot-app/build.gradle

Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.14.1/7a07bc535ccf0b7f6929c4d0f2ab9b294ef7c4a3/jackson-core-2.14.1.jar,/tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.14.1/7a07bc535ccf0b7f6929c4d0f2ab9b294ef7c4a3/jackson-core-2.14.1.jar

Dependency Hierarchy:

• wiremock-jre8-2.34.0.jar (Root Library)
  • ❌ jackson-core-2.14.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.

Publish Date: 2022-12-07

URL: WS-2022-0468

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-07

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.15.0

---

⛑️Automatic Remediation will be attempted for this issue.