infinispan-remote-query-client-9.4.8.Final.jar: 6 vulnerabilities (highest severity is: 8.8) - autoclosed #190
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Vulnerable Library - infinispan-remote-query-client-9.4.8.Final.jar
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Vulnerabilities
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2015-5237
Vulnerable Library - protobuf-java-3.0.2.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
Vulnerability Details
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
Publish Date: 2017-09-25
URL: CVE-2015-5237
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2017-09-25
Fix Resolution (com.google.protobuf:protobuf-java): 3.4.0
Direct dependency fix Resolution (org.infinispan:infinispan-remote-query-client): 9.4.17.Final
Step up your Open Source Security Game with Mend here
WS-2021-0419
Vulnerable Library - gson-2.8.1.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.1/gson-2.8.1.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.1/gson-2.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (org.infinispan:infinispan-remote-query-client): 9.4.17.Final
Step up your Open Source Security Game with Mend here
CVE-2022-3509
Vulnerable Library - protobuf-java-3.0.2.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-12-12
URL: CVE-2022-3509
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-12-12
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3
Direct dependency fix Resolution (org.infinispan:infinispan-remote-query-client): 9.4.17.Final
Step up your Open Source Security Game with Mend here
CVE-2022-3171
Vulnerable Library - protobuf-java-3.0.2.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3
Direct dependency fix Resolution (org.infinispan:infinispan-remote-query-client): 9.4.17.Final
Step up your Open Source Security Game with Mend here
CVE-2022-25647
Vulnerable Library - gson-2.8.1.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.1/gson-2.8.1.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.1/gson-2.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (org.infinispan:infinispan-remote-query-client): 9.4.17.Final
Step up your Open Source Security Game with Mend here
CVE-2021-22569
Vulnerable Library - protobuf-java-3.0.2.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-infinispan/infinispan-remote-query/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.0.2/protobuf-java-3.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3
Found in base branch: master
Vulnerability Details
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-10
URL: CVE-2021-22569
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wrvw-hg22-4m67
Release Date: 2022-01-10
Fix Resolution (com.google.protobuf:protobuf-java): 3.16.1
Direct dependency fix Resolution (org.infinispan:infinispan-remote-query-client): 9.4.17.Final
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: