lint-gradle-27.0.0.jar: 18 vulnerabilities (highest severity is: 8.1) #5
Description
Vulnerable Library - lint-gradle-27.0.0.jar
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Vulnerabilities
| Vulnerability | Severity |  CVSS |
Exploit Maturity | EPSS | Dependency | Type | Fixed in (lint-gradle version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2024-25710 |  High |
8.1 | Not Defined | 0.0% | commons-compress-1.12.jar | Transitive | N/A* | ❌ | |
| WS-2021-0419 | High |
7.7 | Not Defined | gson-2.8.5.jar | Transitive | N/A* | ❌ | ||
| CVE-2024-7254 | High |
7.5 | Not Defined | 0.1% | protobuf-java-3.10.0.jar | Transitive | N/A* | ❌ | |
| CVE-2024-30172 | High |
7.5 | Not Defined | 0.1% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2024-29857 | High |
7.5 | Not Defined | 0.3% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2022-3510 | High |
7.5 | Not Defined | 0.1% | protobuf-java-3.10.0.jar | Transitive | N/A* | ❌ | |
| CVE-2022-3509 | High |
7.5 | Not Defined | 0.1% | protobuf-java-3.10.0.jar | Transitive | N/A* | ❌ | |
| CVE-2019-17359 | High |
7.5 | Not Defined | 7.6% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2018-1000180 | High |
7.5 | Not Defined | 0.2% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| WS-2019-0379 |  Medium |
6.5 | Not Defined | commons-codec-1.10.jar | Transitive | N/A* | ❌ | ||
| CVE-2024-30171 | Medium |
5.9 | Not Defined | 0.1% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2023-33202 | Medium |
5.5 | Not Defined | 0.1% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2023-2976 | Medium |
5.5 | Not Defined | 0.1% | guava-28.1-jre.jar | Transitive | N/A* | ❌ | |
| CVE-2018-11771 | Medium |
5.5 | Not Defined | 1.3000001% | commons-compress-1.12.jar | Transitive | N/A* | ❌ | |
| CVE-2023-33201 | Medium |
5.3 | Not Defined | 0.3% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2020-26939 | Medium |
5.3 | Not Defined | 1.4000001% | bcprov-jdk15on-1.56.jar | Transitive | N/A* | ❌ | |
| CVE-2020-13956 | Medium |
5.3 | Not Defined | 0.5% | httpclient-4.5.6.jar | Transitive | N/A* | ❌ | |
| CVE-2022-3171 | Medium |
4.3 | Not Defined | 0.1% | protobuf-java-3.10.0.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-25710
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: http://commons.apache.org/proper/commons-compress/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- sdklib-27.0.0.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
- sdklib-27.0.0.jar
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2024-02-19
URL: CVE-2024-25710
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.0%
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710
Release Date: 2024-02-19
Fix Resolution: org.apache.commons:commons-compress:1.26.0
WS-2021-0419
Vulnerable Library - gson-2.8.5.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /GetStartedCalls-Start/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- shared-27.0.0.jar
- ❌ gson-2.8.5.jar (Vulnerable Library)
- shared-27.0.0.jar
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
CVE-2024-7254
Vulnerable Library - protobuf-java-3.10.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ protobuf-java-3.10.0.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can corrupted by exceeding the stack limit i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.
Publish Date: 2024-09-19
URL: CVE-2024-7254
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2024-7254
Release Date: 2024-09-19
Fix Resolution: com.google.protobuf:protobuf-javalite - 3.25.5,4.28.2,4.27.5;com.google.protobuf:protobuf-java - 4.27.5,3.25.5,4.28.2
CVE-2024-30172
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.
Publish Date: 2024-05-09
URL: CVE-2024-30172
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78, BouncyCastle.Cryptography - 2.3.1
CVE-2024-29857
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.
Publish Date: 2024-05-09
URL: CVE-2024-29857
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-8xfc-gm6g-vgpv
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
CVE-2022-3510
Vulnerable Library - protobuf-java-3.10.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ protobuf-java-3.10.0.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: 2022-11-11
URL: CVE-2022-3510
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4gg5-vx3j-xwc7
Release Date: 2022-11-11
Fix Resolution: com.google.protobuf:protobuf-java:3.21.7,3.20.3,3.19.6,3.16.3,https://github.com/protocolbuffers/protobuf.git - 3.16.3,com.google.protobuf:protobuf-java:3.19.6,com.google.protobuf:protobuf-java:3.16.3,com.google.protobuf:protobuf-javalite:3.19.6,https://github.com/protocolbuffers/protobuf.git - v3.20.3,com.google.protobuf:protobuf-java:3.21.7,com.google.protobuf:protobuf-java:3.20.3,https://github.com/protocolbuffers/protobuf.git - v3.21.7,com.google.protobuf:protobuf-javalite:3.20.3,https://github.com/protocolbuffers/protobuf.git - v3.19.6,com.google.protobuf:protobuf-javalite:3.16.3,com.google.protobuf:protobuf-javalite:3.21.7
CVE-2022-3509
Vulnerable Library - protobuf-java-3.10.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ protobuf-java-3.10.0.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-11-01
URL: CVE-2022-3509
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-11-01
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7
CVE-2019-17359
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Publish Date: 2019-10-08
URL: CVE-2019-17359
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 7.6%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
Release Date: 2019-10-08
Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64
CVE-2018-1000180
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Publish Date: 2018-06-05
URL: CVE-2018-1000180
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.2%
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
Release Date: 2018-06-05
Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60
WS-2019-0379
Vulnerable Library - commons-codec-1.10.jar
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://www.apache.org/
Path to dependency file: /GetStartedCalls-Start/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- sdklib-27.0.0.jar
- httpmime-4.5.6.jar
- httpclient-4.5.6.jar
- ❌ commons-codec-1.10.jar (Vulnerable Library)
- httpclient-4.5.6.jar
- httpmime-4.5.6.jar
- sdklib-27.0.0.jar
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Threat Assessment
Exploit Maturity: Not Defined
EPSS:
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
CVE-2024-30171
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.
Publish Date: 2024-05-09
URL: CVE-2024-30171
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v435-xc8x-wvr9
Release Date: 2024-05-09
Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1
CVE-2023-33202
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Bouncy Castle for Java before 1.73 contains a potential Denial of Service (DoS) issue within the Bouncy Castle org.bouncycastle.openssl.PEMParser class. This class parses OpenSSL PEM encoded streams containing X.509 certificates, PKCS8 encoded keys, and PKCS7 objects. Parsing a file that has crafted ASN.1 data through the PEMParser causes an OutOfMemoryError, which can enable a denial of service attack. (For users of the FIPS Java API: BC-FJA 1.0.2.3 and earlier are affected; BC-FJA 1.0.2.4 is fixed.)
Publish Date: 2023-11-23
URL: CVE-2023-33202
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-wjxj-5m7g-mg7q
Release Date: 2023-11-23
Fix Resolution: org.bouncycastle:bcprov-jdk14:1.73, org.bouncycastle:bcprov-jdk15to18: 1.73, org.bouncycastle:bcprov-jdk18on:1.73
CVE-2023-2976
Vulnerable Library - guava-28.1-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/28.1-jre/b0e91dcb6a44ffb6221b5027e12a5cb34b841145/guava-28.1-jre.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- shared-27.0.0.jar
- ❌ guava-28.1-jre.jar (Vulnerable Library)
- shared-27.0.0.jar
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Use of Java's default temporary directory for file creation in "FileBackedOutputStream" in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
CVE-2018-11771
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: http://commons.apache.org/proper/commons-compress/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- sdklib-27.0.0.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
- sdklib-27.0.0.jar
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-08-16
URL: CVE-2018-11771
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.3000001%
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
Release Date: 2018-08-16
Fix Resolution: 1.18
CVE-2023-33201
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Publish Date: 2023-07-05
URL: CVE-2023-33201
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.3%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-05
Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74
CVE-2020-26939
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Publish Date: 2020-11-02
URL: CVE-2020-26939
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 1.4000001%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-02
Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61
CVE-2020-13956
Vulnerable Library - httpclient-4.5.6.jar
Apache HttpComponents Client
Library home page: http://www.apache.org/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.6/1afe5621985efe90a92d0fbc9be86271efbe796f/httpclient-4.5.6.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.6/1afe5621985efe90a92d0fbc9be86271efbe796f/httpclient-4.5.6.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- sdklib-27.0.0.jar
- httpmime-4.5.6.jar
- ❌ httpclient-4.5.6.jar (Vulnerable Library)
- httpmime-4.5.6.jar
- sdklib-27.0.0.jar
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.5%
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
CVE-2022-3171
Vulnerable Library - protobuf-java-3.10.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /GetStartedCalls-Complete/app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.10.0/410b61dd0088aab4caa05739558d43df248958c9/protobuf-java-3.10.0.jar
Dependency Hierarchy:
- lint-gradle-27.0.0.jar (Root Library)
- sdk-common-27.0.0.jar
- ❌ protobuf-java-3.10.0.jar (Vulnerable Library)
- sdk-common-27.0.0.jar
Found in HEAD commit: 6b0a1b571d34259a8bc23b0af1c97dbbb952d31f
Found in base branch: main
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
Threat Assessment
Exploit Maturity: Not Defined
EPSS: 0.1%
CVSS 3 Score Details (4.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7