lint-gradle-27.2.2.jar: 24 vulnerabilities (highest severity is: 7.7)

[mend-bolt-for-github]

Vulnerable Library - lint-gradle-27.2.2.jar

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (lint-gradle version)	Remediation Possible**
WS-2021-0419	High	7.7	gson-2.8.6.jar	Transitive	N/A*	❌
CVE-2022-3509	High	7.5	protobuf-java-3.10.0.jar	Transitive	N/A*	❌
CVE-2022-3171	High	7.5	protobuf-java-3.10.0.jar	Transitive	N/A*	❌
CVE-2022-25647	High	7.5	gson-2.8.6.jar	Transitive	N/A*	❌
CVE-2021-36090	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35517	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35516	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-35515	High	7.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2019-17359	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2018-1000180	High	7.5	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2023-2976	High	7.1	guava-28.1-jre.jar	Transitive	N/A*	❌
WS-2019-0379	Medium	6.5	commons-codec-1.10.jar	Transitive	N/A*	❌
CVE-2022-23437	Medium	6.5	xercesImpl-2.12.0.jar	Transitive	N/A*	❌
CVE-2020-15522	Medium	5.9	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2024-25710	Medium	5.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2021-22569	Medium	5.5	protobuf-java-3.10.0.jar	Transitive	N/A*	❌
CVE-2020-17521	Medium	5.5	groovy-all-2.4.15.jar	Transitive	N/A*	❌
CVE-2018-1324	Medium	5.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2018-11771	Medium	5.5	commons-compress-1.12.jar	Transitive	N/A*	❌
CVE-2023-33201	Medium	5.3	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2022-24329	Medium	5.3	kotlin-stdlib-1.4.31.jar	Transitive	N/A*	❌
CVE-2020-26939	Medium	5.3	bcprov-jdk15on-1.56.jar	Transitive	N/A*	❌
CVE-2020-13956	Medium	5.3	httpclient-4.5.6.jar	Transitive	N/A*	❌
CVE-2020-8908	Low	3.3	guava-28.1-jre.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

Step up your Open Source Security Game with Mend here

CVE-2022-3509

Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • protos-27.2.2.jar
      • ❌ protobuf-java-3.10.0.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7

Step up your Open Source Security Game with Mend here

CVE-2022-3171

Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • protos-27.2.2.jar
      • ❌ protobuf-java-3.10.0.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7

Step up your Open Source Security Game with Mend here

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.6/9180733b7df8542621dc12e21e87557e8c99b8cb/gson-2.8.6.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

Step up your Open Source Security Game with Mend here

CVE-2021-36090

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

CVE-2021-35517

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

CVE-2021-35516

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

CVE-2021-35515

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution: org.apache.commons:commons-compress:1.21

Step up your Open Source Security Game with Mend here

CVE-2019-17359

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.

Publish Date: 2019-10-08

URL: CVE-2019-17359

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359

Release Date: 2019-10-08

Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64

Step up your Open Source Security Game with Mend here

CVE-2018-1000180

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180

Release Date: 2018-06-05

Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60

Step up your Open Source Security Game with Mend here

CVE-2023-2976

Vulnerable Library - guava-28.1-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-jre/b0e91dcb6a44ffb6221b5027e12a5cb34b841145/guava-28.1-jre.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • apkzlib-4.2.2.jar
      • ❌ guava-28.1-jre.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (7.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre

Step up your Open Source Security Game with Mend here

WS-2019-0379

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • httpmime-4.5.6.jar
        • httpclient-4.5.6.jar
          • ❌ commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

Step up your Open Source Security Game with Mend here

CVE-2022-23437

Vulnerable Library - xercesImpl-2.12.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

Library home page: https://xerces.apache.org/xerces2-j/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/xerces/xercesImpl/2.12.0/f02c844149fd306601f20e0b34853a670bef7fa2/xercesImpl-2.12.0.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • sdk-common-27.2.2.jar
    • ❌ xercesImpl-2.12.0.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2

Step up your Open Source Security Game with Mend here

CVE-2020-15522

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.

Publish Date: 2021-05-20

URL: CVE-2020-15522

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522

Release Date: 2021-05-20

Fix Resolution: org.bouncycastle:bc-fips:1.0.2.1;org.bouncycastle:bcprov-ext-jdk14:1.66;org.bouncycastle:bcprov-ext-jdk15on:1.66;org.bouncycastle:bcprov-jdk14:1.66;org.bouncycastle:bcprov-jdk15on:1.66;BouncyCastle - 1.8.9;Portable.BouncyCastle - 1.8.8

Step up your Open Source Security Game with Mend here

CVE-2024-25710

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

Step up your Open Source Security Game with Mend here

CVE-2021-22569

Vulnerable Library - protobuf-java-3.10.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • protos-27.2.2.jar
      • ❌ protobuf-java-3.10.0.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

Publish Date: 2022-01-10

URL: CVE-2021-22569

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wrvw-hg22-4m67

Release Date: 2022-01-10

Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2

Step up your Open Source Security Game with Mend here

CVE-2020-17521

Vulnerable Library - groovy-all-2.4.15.jar

Groovy: A powerful, dynamic language for the JVM

Library home page: http://groovy-lang.org

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.15/423a17aeb2f64bc6f76e8e44265a548bec80fd42/groovy-all-2.4.15.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • ❌ groovy-all-2.4.15.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Publish Date: 2020-12-07

URL: CVE-2020-17521

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/GROOVY-9824

Release Date: 2020-12-07

Fix Resolution: org.codehaus.groovy:groovy-all:2.4.21,2.5.14,3.0.7

Step up your Open Source Security Game with Mend here

CVE-2018-1324

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-03-16

URL: CVE-2018-1324

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324

Release Date: 2018-03-16

Fix Resolution: 1.16

Step up your Open Source Security Game with Mend here

CVE-2018-11771

Vulnerable Library - commons-compress-1.12.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • sdklib-27.2.2.jar
      • ❌ commons-compress-1.12.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-08-16

URL: CVE-2018-11771

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771

Release Date: 2018-08-16

Fix Resolution: 1.18

Step up your Open Source Security Game with Mend here

CVE-2023-33201

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.

Publish Date: 2023-07-05

URL: CVE-2023-33201

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-05

Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74

Step up your Open Source Security Game with Mend here

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.4.31.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.4.31/a58e0fb9812a6a93ca24b5da75e4b5a0cb89c957/kotlin-stdlib-1.4.31.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • kotlin-stdlib-jdk8-1.4.31.jar
    • ❌ kotlin-stdlib-1.4.31.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

Step up your Open Source Security Game with Mend here

CVE-2020-26939

Vulnerable Library - bcprov-jdk15on-1.56.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /app/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar

Dependency Hierarchy:

• lint-gradle-27.2.2.jar (Root Library)
  • builder-4.2.2.jar
    • ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)

Found in HEAD commit: d068b1b6a2c79e3d6d543bfd59f5bb33fb224967

Found in base branch: main

Vulnerability Details

In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.

Publish Date: 2020-11-02

URL: CVE-2020-26939

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-02

Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61

Step up your Open Source Security Game with Mend here