Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable #5

Open
mend-for-github-com bot opened this issue Dec 18, 2024 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link

mend-for-github-com bot commented Dec 18, 2024

Vulnerable Library - camunda-message-streaming-0.6.8-SNAPSHOT.jar

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (camunda-message-streaming version) Remediation Possible** Reachability
CVE-2020-10683 Critical 9.8 dom4j-2.1.1.jar Transitive N/A*

Reachable

CVE-2022-1471 High 8.3 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2020-26945 High 8.1 mybatis-3.4.4.jar Transitive N/A*

Reachable

WS-2021-0419 High 7.7 gson-2.8.6.jar Transitive N/A*

Reachable

CVE-2022-25647 High 7.7 gson-2.8.6.jar Transitive N/A*

Reachable

CVE-2023-1370 High 7.5 json-smart-2.3.jar Transitive N/A*

Reachable

CVE-2022-25857 High 7.5 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2017-18640 High 7.5 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2020-25638 High 7.4 hibernate-core-5.4.12.Final.jar Transitive N/A*

Reachable

CVE-2023-6481 High 7.1 logback-core-1.2.3.jar Transitive N/A*

Reachable

CVE-2023-6378 High 7.1 logback-classic-1.2.3.jar Transitive N/A*

Reachable

CVE-2021-42550 Medium 6.6 detected in multiple dependencies Transitive N/A*

Reachable

CVE-2022-38752 Medium 6.5 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2022-38751 Medium 6.5 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2022-38750 Medium 6.5 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2022-38749 Medium 6.5 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2019-14900 Medium 6.5 hibernate-core-5.4.12.Final.jar Transitive N/A*

Reachable

WS-2021-0616 Medium 5.9 jackson-core-2.10.2.jar Transitive N/A*

Reachable

CVE-2021-27568 Medium 5.9 json-smart-2.3.jar Transitive N/A*

Reachable

CVE-2022-41854 Medium 5.8 snakeyaml-1.25.jar Transitive N/A*

Reachable

CVE-2022-27772 High 7.8 spring-boot-2.2.5.RELEASE.jar Transitive N/A*

Unreachable

CVE-2023-20883 High 7.5 spring-boot-autoconfigure-2.2.5.RELEASE.jar Transitive N/A*

Unreachable

WS-2022-0468 High 7.5 jackson-core-2.10.2.jar Transitive N/A*
CVE-2024-12798 Medium 6.6 detected in multiple dependencies Transitive N/A*
CVE-2024-12801 Medium 4.4 logback-core-1.2.3.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (18 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2020-10683

Vulnerable Library - dom4j-2.1.1.jar

flexible XML framework for Java

Library home page: http://dom4j.github.io/

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/dom4j/dom4j/2.1.1/dom4j-2.1.1.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-data-jpa-2.2.5.RELEASE.jar
      • hibernate-core-5.4.12.Final.jar
        • dom4j-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.CamundaMessagingAutoConfiguration (Application)
  -> org.camunda.bpm.spring.boot.starter.CamundaBpmAutoConfiguration (Extension)
   -> org.camunda.bpm.spring.boot.starter.CamundaBpmConfiguration (Extension)
    -> org.hibernate.cfg.annotations.reflection.JPAMetadataProvider (Extension)
    ...
      -> org.dom4j.XPath (Extension)
       -> org.dom4j.swing.XMLTableDefinition (Extension)
        -> ❌ org.dom4j.DocumentHelper (Vulnerable Component)

Vulnerability Details

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Publish Date: 2020-05-01

URL: CVE-2020-10683

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-05-01

Fix Resolution: org.dom4j:dom4j:2.1.3,org.dom4j:dom4j:2.0.3

CVE-2022-1471

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.context.config.ConfigFileApplicationListener (Extension)
   -> org.springframework.boot.context.config.ConfigFileApplicationListener$Loader (Extension)
    -> org.springframework.boot.env.YamlPropertySourceLoader (Extension)
     -> org.springframework.boot.env.OriginTrackedYamlLoader (Extension)
      -> org.yaml.snakeyaml.resolver.Resolver (Extension)
       -> ❌ org.yaml.snakeyaml.nodes.Tag (Vulnerable Component)

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (8.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution: org.yaml:snakeyaml:2.0

CVE-2020-26945

Vulnerable Library - mybatis-3.4.4.jar

The MyBatis SQL mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.4.4/mybatis-3.4.4.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • camunda-engine-7.12.0.jar
      • mybatis-3.4.4.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.bpmnparsing.PostBpmnDeployExtensionDataInitializerPlugin (Application)
  -> org.camunda.bpm.engine.impl.persistence.entity.DeploymentEntity (Extension)
   -> org.camunda.bpm.engine.impl.interceptor.CommandContext (Extension)
    -> org.apache.ibatis.javassist.util.proxy.RuntimeSupport$DefaultMethodHandler (Extension)
    ...
      -> org.apache.ibatis.javassist.util.proxy.ProxyFactory (Extension)
       -> org.apache.ibatis.javassist.bytecode.CodeAttribute (Extension)
        -> ❌ org.apache.ibatis.javassist.bytecode.CodeAnalyzer (Vulnerable Component)

Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.

Publish Date: 2020-10-10

URL: CVE-2020-26945

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-10

Fix Resolution: org.mybatis:mybatis:3.5.6

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • camunda-engine-7.12.0.jar
      • gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.correlation.CorrelationDataUtils (Application)
  -> com.jayway.jsonpath.JsonPath (Extension)
   -> com.jayway.jsonpath.Configuration$ConfigurationBuilder (Extension)
    -> com.jayway.jsonpath.spi.mapper.GsonMappingProvider (Extension)
    ...
      -> com.google.gson.internal.bind.JsonTreeWriter (Extension)
       -> com.google.gson.JsonPrimitive (Extension)
        -> ❌ com.google.gson.internal.LazilyParsedNumber (Vulnerable Component)

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • camunda-engine-7.12.0.jar
      • gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.correlation.CorrelationDataUtils (Application)
  -> com.jayway.jsonpath.Configuration (Extension)
   -> com.jayway.jsonpath.spi.mapper.GsonMappingProvider (Extension)
    -> com.google.gson.TypeAdapter (Extension)
     -> com.google.gson.internal.bind.JsonTreeReader (Extension)
      -> com.google.gson.JsonObject (Extension)
       -> ❌ com.google.gson.internal.LinkedTreeMap (Vulnerable Component)

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

CVE-2023-1370

Vulnerable Library - json-smart-2.3.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.minidev.net/

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/minidev/json-smart/2.3/json-smart-2.3.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • json-path-2.4.0.jar
      • json-smart-2.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

net.minidev.json.writer.DefaultMapperCollection (Application)
  -> net.minidev.json.parser.JSONParser (Extension)
   -> com.jayway.jsonpath.spi.json.JsonSmartJsonProvider (Extension)
    -> com.jayway.jsonpath.JsonPath (Extension)
     -> ❌ com.ultimatesoftware.workflow.messaging.correlation.CorrelationDataUtils (Vulnerable Component)

Vulnerability Details

Json-smart is a performance focused, JSON processor lib.

When reaching a ‘[‘ or ‘{‘ character in the JSON input, the code parses an array or an object respectively.

It was discovered that the code does not have any limit to the nesting of such arrays or objects. Since the parsing of nested arrays and objects is done recursively, nesting too many of them can cause a stack exhaustion (stack overflow) and crash the software.

Publish Date: 2023-03-13

URL: CVE-2023-1370

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://research.jfrog.com/vulnerabilities/stack-exhaustion-in-json-smart-leads-to-denial-of-service-when-parsing-malformed-json-xray-427633/

Release Date: 2023-03-13

Fix Resolution: net.minidev:json-smart:2.4.9

CVE-2022-25857

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.context.config.ConfigFileApplicationListener (Extension)
   -> org.springframework.boot.context.config.ConfigFileApplicationListener$Loader (Extension)
    -> org.springframework.boot.env.YamlPropertySourceLoader (Extension)
     -> org.springframework.boot.env.OriginTrackedYamlLoader (Extension)
      -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2017-18640

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.data.repository.init.AbstractRepositoryPopulatorFactoryBean (Extension)
   -> org.springframework.beans.factory.config.AbstractFactoryBean (Extension)
    -> org.springframework.beans.factory.support.AbstractBeanFactory (Extension)
     -> org.springframework.beans.factory.config.YamlMapFactoryBean (Extension)
      -> ❌ org.yaml.snakeyaml.Yaml (Vulnerable Component)

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: org.yaml:snakeyaml:1.26

CVE-2020-25638

Vulnerable Library - hibernate-core-5.4.12.Final.jar

Hibernate's core ORM functionality

Library home page: http://hibernate.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-core/5.4.12.Final/hibernate-core-5.4.12.Final.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-data-jpa-2.2.5.RELEASE.jar
      • hibernate-core-5.4.12.Final.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.CamundaMessagingAutoConfiguration (Application)
  -> org.camunda.bpm.spring.boot.starter.CamundaBpmAutoConfiguration (Extension)
   -> org.camunda.bpm.spring.boot.starter.property.CamundaBpmProperties (Extension)
    -> org.hibernate.internal.CriteriaImpl (Extension)
    ...
      -> org.hibernate.hql.internal.ast.tree.MapEntryNode (Extension)
       -> org.hibernate.hql.internal.ast.SqlASTFactory (Extension)
        -> ❌ org.hibernate.hql.internal.ast.tree.DotNode (Vulnerable Component)

Vulnerability Details

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Publish Date: 2020-12-02

URL: CVE-2020-25638

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/11/19/hibernate-orm-5424-final-release/

Release Date: 2020-12-02

Fix Resolution: org.hibernate:hibernate-core:5.3.20.Final,5.4.24.Final

CVE-2023-6481

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • spring-boot-starter-logging-2.2.5.RELEASE.jar
          • logback-classic-1.2.3.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.data.repository.init.UnmarshallerRepositoryPopulatorFactoryBean (Extension)
   -> org.springframework.data.repository.init.ResourceReaderRepositoryPopulator (Extension)
    -> ch.qos.logback.core.util.StatusPrinter (Extension)
    ...
      -> ch.qos.logback.core.util.ContextUtil (Extension)
       -> ch.qos.logback.core.rolling.helper.FileNamePattern (Extension)
        -> ❌ ch.qos.logback.core.pattern.parser.Parser (Vulnerable Component)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.13, 1.3.13 and 1.2.12 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14

CVE-2023-6378

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • spring-boot-starter-logging-2.2.5.RELEASE.jar
          • logback-classic-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.kafka.core.DefaultKafkaProducerFactory (Extension)
   -> org.apache.kafka.clients.producer.KafkaProducer (Extension)
    -> ch.qos.logback.classic.gaffer.GafferConfigurator (Extension)
    ...
      -> ch.qos.logback.classic.net.SocketReceiver (Extension)
       -> ch.qos.logback.classic.net.server.HardenedLoggingEventInputStream (Extension)
        -> ❌ ch.qos.logback.classic.spi.LoggingEventVO (Vulnerable Component)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: ch.qos.logback:logback-classic:1.3.12,1.4.12

CVE-2021-42550

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

logback-core-1.2.3.jar

logback-core module

Library home page: http://www.qos.ch

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.3/logback-core-1.2.3.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • spring-boot-starter-logging-2.2.5.RELEASE.jar
          • logback-classic-1.2.3.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /messaging-kafka/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.3/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • spring-boot-starter-logging-2.2.5.RELEASE.jar
          • logback-classic-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.kafka.core.DefaultKafkaProducerFactory (Extension)
   -> org.apache.kafka.clients.producer.KafkaProducer (Extension)
    -> org.apache.kafka.common.utils.KafkaThread (Extension)
    ...
      -> org.slf4j.impl.StaticLoggerBinder (Extension)
       -> ch.qos.logback.classic.util.ContextSelectorStaticBinder (Extension)
        -> ❌ ch.qos.logback.core.util.OptionHelper (Vulnerable Component)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution: ch.qos.logback:logback-classic:1.2.9;ch.qos.logback:logback-core:1.2.9

CVE-2022-38752

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.context.config.ConfigFileApplicationListener (Extension)
   -> org.springframework.boot.context.config.ConfigFileApplicationListener$Loader (Extension)
    -> org.springframework.boot.env.YamlPropertySourceLoader (Extension)
    ...
      -> org.yaml.snakeyaml.Yaml (Extension)
       -> org.yaml.snakeyaml.parser.ParserImpl (Extension)
        -> ❌ org.yaml.snakeyaml.scanner.ScannerImpl (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.32

CVE-2022-38751

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.context.config.ConfigFileApplicationListener (Extension)
   -> org.springframework.boot.context.config.ConfigFileApplicationListener$Loader (Extension)
    -> org.springframework.boot.env.YamlPropertySourceLoader (Extension)
     -> org.springframework.boot.env.OriginTrackedYamlLoader (Extension)
      -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-38750

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.context.config.ConfigFileApplicationListener (Extension)
   -> org.springframework.boot.context.config.ConfigFileApplicationListener$Loader (Extension)
    -> org.springframework.boot.env.YamlPropertySourceLoader (Extension)
     -> org.springframework.boot.env.OriginTrackedYamlLoader (Extension)
      -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2022-38749

Vulnerable Library - snakeyaml-1.25.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.25/snakeyaml-1.25.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-jdbc-2.2.5.RELEASE.jar
      • spring-boot-starter-2.2.5.RELEASE.jar
        • snakeyaml-1.25.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.webapp.WebappApplication (Application)
  -> org.springframework.boot.context.config.ConfigFileApplicationListener (Extension)
   -> org.springframework.boot.context.config.ConfigFileApplicationListener$Loader (Extension)
    -> org.springframework.boot.env.YamlPropertySourceLoader (Extension)
     -> org.springframework.boot.env.OriginTrackedYamlLoader (Extension)
      -> ❌ org.yaml.snakeyaml.LoaderOptions (Vulnerable Component)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: org.yaml:snakeyaml:1.31

CVE-2019-14900

Vulnerable Library - hibernate-core-5.4.12.Final.jar

Hibernate's core ORM functionality

Library home page: http://hibernate.org

Path to dependency file: /messaging/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-core/5.4.12.Final/hibernate-core-5.4.12.Final.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • spring-boot-starter-data-jpa-2.2.5.RELEASE.jar
      • hibernate-core-5.4.12.Final.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.CamundaMessagingAutoConfiguration (Application)
  -> org.camunda.bpm.spring.boot.starter.CamundaBpmAutoConfiguration (Extension)
   -> org.camunda.bpm.spring.boot.starter.CamundaBpmConfiguration (Extension)
    -> org.hibernate.boot.model.source.internal.hbm.ResultSetMappingBinder (Extension)
    ...
      -> org.hibernate.internal.SessionFactoryImpl (Extension)
       -> org.hibernate.query.criteria.internal.CriteriaBuilderImpl (Extension)
        -> ❌ org.hibernate.query.criteria.internal.expression.LiteralExpression (Vulnerable Component)

Vulnerability Details

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Publish Date: 2020-07-06

URL: CVE-2019-14900

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900

Release Date: 2020-07-06

Fix Resolution: org.hibernate:hibernate-core:5.4.18.Final

WS-2021-0616

Vulnerable Library - jackson-core-2.10.2.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: http://fasterxml.com/

Path to dependency file: /webapp/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.10.2/jackson-core-2.10.2.jar

Dependency Hierarchy:

  • camunda-message-streaming-0.6.8-SNAPSHOT.jar (Root Library)
    • jackson-databind-2.10.2.jar
      • jackson-core-2.10.2.jar (Vulnerable Library)

Found in HEAD commit: 41e27a1fe9f0949f331a284bafd06fdaefba62e0

Found in base branch: develop

Reachability Analysis

This vulnerability is potentially reachable

com.ultimatesoftware.workflow.messaging.correlation.JsonNodeEvaluator (Application)
  -> com.fasterxml.jackson.databind.ObjectMapper (Extension)
   -> com.fasterxml.jackson.core.JsonFactory (Extension)
    -> ❌ com.fasterxml.jackson.core.FormatFeature (Vulnerable Component)

Vulnerability Details

FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.

Publish Date: 2021-11-20

URL: WS-2021-0616

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-11-20

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6, 2.13.1; com.fasterxml.jackson.core:jackson-core:2.12.6, 2.13.1

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Dec 18, 2024
@mend-for-github-com mend-for-github-com bot changed the title camunda-message-streaming-0.6.8-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 9.8) camunda-message-streaming-0.6.8-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 9.8) reachable Dec 18, 2024
@mend-for-github-com mend-for-github-com bot changed the title camunda-message-streaming-0.6.8-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 9.8) reachable camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable Dec 22, 2024
@mend-for-github-com mend-for-github-com bot changed the title camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable Dec 24, 2024
@mend-for-github-com mend-for-github-com bot changed the title camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable Jan 24, 2025
@mend-for-github-com mend-for-github-com bot changed the title camunda-message-streaming-0.6.8-SNAPSHOT.jar: 24 vulnerabilities (highest severity is: 9.8) reachable camunda-message-streaming-0.6.8-SNAPSHOT.jar: 25 vulnerabilities (highest severity is: 9.8) reachable Jan 24, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

0 participants