Sonar picks up a vulnerability in version 0.2.3:

Filename: rubygems-0.2.3.war/META-INF/maven/org.jruby.mains/jruby-mains/pom.xml
Reference: CVE-2011-4838
CVSS Score: 7.8
Category: CWE-20 Improper Input Validation
JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
It seems like the current POM for 0.2.4-SNAPSHOT would fix this?
@EarthCitizen I can cut a new release. But I am not aware that rubygems-servlets ever came bundled with a jruby-1.6.x version. So jruby-mains has maybe a dependency on jruby-1.6.x, but we overwrite this by the pom.xml for the servlets.
I can bump versions of jruby-mains as well and satisfy Sonar :) but Sonar should IMO look for the versions used by the war, not what is declared on each artifact without resolving the dependency graph altogether.
@mkristian I am not sure how the OWASP scanner determines threat dependencies. I am guessing it does not consider what actually gets resolved and just looks directly at all the POMs.
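The check a maintainer would want here is to compare what an embedded Maven POM declares against what the WAR actually ships under WEB-INF/lib, and to test the shipped version against the "before 1.6.5.1" range from the finding. The script below is an added example written for this thread, not code from the rubygems-servlets project or from the scanner; it builds a constructed in-memory WAR with a hypothetical jruby-mains POM declaring jruby-complete 1.6.0 while the bundled jar carries the placeholder version 1.7.99-EXAMPLE, and reports the mismatch.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# Matches "WEB-INF/lib/<artifactId>-<version>.jar"; the lazy group stops at the
# first "-<digit>" so "jruby-complete-1.7.99-EXAMPLE.jar" splits correctly.
JAR_RE = re.compile(r"^WEB-INF/lib/(.+?)-(\d[^/]*)\.jar$")


def _local(tag):
    """Strip the XML namespace so POMs with and without xmlns parse the same way."""
    return tag.rsplit("}", 1)[-1]


def build_sample_war():
    """Constructed sample WAR (not the real rubygems-servlets artifact).

    The embedded POM declares an old jruby-complete, but the jar actually
    bundled in WEB-INF/lib is a different (hypothetical) version.
    """
    pom = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <modelVersion>4.0.0</modelVersion>
  <groupId>org.jruby.mains</groupId>
  <artifactId>jruby-mains</artifactId>
  <version>0.0.0-EXAMPLE</version>
  <dependencies>
    <dependency>
      <groupId>org.jruby</groupId>
      <artifactId>jruby-complete</artifactId>
      <version>1.6.0</version>
    </dependency>
  </dependencies>
</project>"""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/maven/org.jruby.mains/jruby-mains/pom.xml", pom)
        # Empty placeholder jars: only the file names matter for this check.
        zf.writestr("WEB-INF/lib/jruby-complete-1.7.99-EXAMPLE.jar", b"")
        zf.writestr("WEB-INF/lib/example-servlet-0.0.0.jar", b"")
    return buf.getvalue()


def declared_dependencies(war_bytes):
    """(groupId, artifactId) -> version for every <dependency> in embedded POMs."""
    deps = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            if not (name.startswith("META-INF/maven/") and name.endswith("/pom.xml")):
                continue
            root = ET.fromstring(zf.read(name))
            for dep in root.iter():
                if _local(dep.tag) != "dependency":
                    continue
                fields = {_local(c.tag): (c.text or "").strip() for c in dep}
                if "version" in fields:
                    deps[(fields.get("groupId"), fields.get("artifactId"))] = fields["version"]
    return deps


def shipped_jars(war_bytes):
    """artifactId -> version taken from the jar file names under WEB-INF/lib."""
    jars = {}
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for name in zf.namelist():
            m = JAR_RE.match(name)
            if m:
                jars[m.group(1)] = m.group(2)
    return jars


def compare_declared_vs_shipped(war_bytes):
    """Rows where an embedded POM declares a version other than the bundled one."""
    jars = shipped_jars(war_bytes)
    rows = []
    for (group, artifact), declared in declared_dependencies(war_bytes).items():
        shipped = jars.get(artifact)
        if shipped != declared:
            rows.append({"group": group, "artifact": artifact,
                         "declared": declared, "shipped": shipped})
    return rows


def version_key(version):
    """Leading dotted numeric components as a tuple; qualifiers are ignored."""
    m = re.match(r"\d+(\.\d+)*", version)
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()


def is_before(version, threshold):
    """True if `version` sorts before `threshold` (e.g. affected range 'before 1.6.5.1')."""
    return version_key(version) < version_key(threshold)


if __name__ == "__main__":
    war = build_sample_war()
    for row in compare_declared_vs_shipped(war):
        print(f"{row['group']}:{row['artifact']} declared={row['declared']} "
              f"shipped={row['shipped']} "
              f"shipped_before_1.6.5.1={is_before(row['shipped'] or '0', '1.6.5.1')}")
```

Running it on the constructed WAR reports jruby-complete declared as 1.6.0 but shipped as 1.7.99-EXAMPLE, which is the situation the comments above describe: a scanner that reads only the embedded POM flags the declared version, while the version check should be applied to what is actually bundled.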