siesta-server-2.3.2.jar: 5 vulnerabilities (highest severity is: 7.5) #20
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
dev-mend-for-github-com
bot
added
the
Mend: dependency security vulnerability
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - resteasy-jaxrs-3.1.4.Final.jar
Resteasy
Library home page: http://rest-easy.org/resteasy-jaxrs
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
A flaw was found in all resteasy 3.x.x versions prior to 3.12.0.Final and all resteasy 4.x.x versions prior to 4.6.0.Final, where an improper input validation results in returning an illegal header that integrates into the server's response. This flaw may result in an injection, which leads to unexpected behavior when the HTTP response is constructed.
Publish Date: 2020-05-19
URL: CVE-2020-1695
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-1695
Release Date: 2020-05-19
Fix Resolution: org.jboss.resteasy:resteasy-jaxrs:3.12.0.Final,4.6.0.Final,org.jboss.resteasy:resteasy-core:3.12.0.Final,4.6.0.Final
Vulnerable Library - resteasy-jaxrs-3.1.4.Final.jar
Resteasy
Library home page: http://rest-easy.org/resteasy-jaxrs
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-jaxrs/3.1.4.Final/resteasy-jaxrs-3.1.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
Red Hat JBoss EAP version 3.0.7 through before 4.0.0.Beta1 is vulnerable to a server-side cache poisoning or CORS requests in the JAX-RS component resulting in a moderate impact.
Publish Date: 2017-08-22
URL: CVE-2017-7561
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://issues.jboss.org/browse/RESTEASY-1704
Release Date: 2017-08-22
Fix Resolution: 3.0.25.Final,3.5.0.CR1,4.0.0.Beta1
Vulnerable Library - resteasy-client-3.1.4.Final.jar
Resteasy
Library home page: http://rest-easy.org/resteasy-client
Path to dependency file: /server/dist/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar,/home/wss-scanner/.m2/repository/org/jboss/resteasy/resteasy-client/3.1.4.Final/resteasy-client-3.1.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
A flaw was found in RESTEasy client in all versions of RESTEasy up to 4.5.6.Final. It may allow client users to obtain the server's potentially sensitive information when the server got WebApplicationException from the RESTEasy client call. The highest threat from this vulnerability is to data confidentiality.
Publish Date: 2020-09-18
URL: CVE-2020-25633
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1879042#c13
Release Date: 2020-09-18
Fix Resolution: 4.5.7.Final
Vulnerable Library - hibernate-validator-5.1.2.Final.jar
Hibernate's Bean Validation (JSR-303) reference implementation.
Library home page: http://validator.hibernate.org
Path to dependency file: /server/plugins/noderoster/impl/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.1.2.Final/hibernate-validator-5.1.2.Final.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
Publish Date: 2020-05-06
URL: CVE-2020-10693
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://hibernate.atlassian.net/projects/HV/issues/HV-1774
Release Date: 2020-05-06
Fix Resolution: org.hibernate.validator:hibernate-validator:6.0.20.Final,org.hibernate.validator:hibernate-validator:6.1.5.Final,org.hibernate.validator:hibernate-validator:7.0.0.Alpha2
Vulnerable Library - commons-io-2.6.jar
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/proper/commons-io/
Path to dependency file: /server/plugins/noderoster/impl/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
Dependency Hierarchy:
Found in HEAD commit: cfb756aae811651de93ac8a69c7191e48bb4960f
Found in base branch: master
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: commons-io:commons-io:2.7
The text was updated successfully, but these errors were encountered: