dropwizard-guicier-1.3.5.1.jar: 11 vulnerabilities (highest severity is: 8.0) #290

Open
mend-for-github-com bot opened this issue Jan 28, 2025 · 0 comments
mend-for-github-com bot commented Jan 28, 2025

Vulnerable Library - dropwizard-guicier-1.3.5.1.jar

Path to dependency file: /SingularityService/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.4.3.Final/hibernate-validator-5.4.3.Final.jar

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (dropwizard-guicier version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2020-11002 | High | 8.0 | Not Defined | 7.4% | dropwizard-validation-1.3.12.jar | Transitive | N/A* | | |
| CVE-2020-5245 | High | 7.9 | Not Defined | 0.6% | dropwizard-validation-1.3.12.jar | Transitive | N/A* | | |
| CVE-2021-28165 | High | 7.5 | Not Defined | 55.5% | jetty-io-9.4.18.v20190429.jar | Transitive | N/A* | | |
| CVE-2020-27216 | High | 7.0 | Not Defined | 0.1% | jetty-webapp-9.4.18.v20190429.jar | Transitive | N/A* | | |
| CVE-2023-1932 | Medium | 6.1 | Not Defined | 0.0% | hibernate-validator-5.4.3.Final.jar | Transitive | N/A* | | |
| CVE-2024-9823 | Medium | 5.3 | Not Defined | 0.0% | jetty-servlets-9.4.18.v20190429.jar | Transitive | N/A* | | |
| CVE-2021-28170 | Medium | 5.3 | Not Defined | 0.1% | javax.el-3.0.0.jar | Transitive | N/A* | | |
| CVE-2021-28169 | Medium | 5.3 | Not Defined | 1.0% | jetty-servlets-9.4.18.v20190429.jar | Transitive | N/A* | | |
| CVE-2020-10693 | Medium | 5.3 | Not Defined | 0.1% | hibernate-validator-5.4.3.Final.jar | Transitive | N/A* | | |
| WS-2023-0236 | Low | 3.9 | Not Defined | | jetty-xml-9.4.18.v20190429.jar | Transitive | N/A* | | |
| CVE-2023-36479 | Low | 3.5 | Not Defined | 0.2% | jetty-servlets-9.4.18.v20190429.jar | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2020-11002

Vulnerable Library - dropwizard-validation-1.3.12.jar

Dropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.

Library home page: http://www.dropwizard.io/1.3.12

Path to dependency file: /SingularityRunnerBase/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

dropwizard-validation before versions 2.0.3 and 1.3.21 has a remote code execution vulnerability. A server-side template injection was identified in the self-validating feature enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you are using a self-validating bean an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 for CVE-2020-5245 unfortunately did not fix the underlying issue completely. The issue has been fixed in dropwizard-validation 1.3.21 and 2.0.3 or later. We strongly recommend upgrading to one of these versions.

Publish Date: 2020-04-10

URL: CVE-2020-11002

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 7.4%

CVSS 3 Score Details (8.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8jpx-m2wh-2v34

Release Date: 2020-04-10

Fix Resolution: io.dropwizard:dropwizard-validation:2.0.3,1.3.21

CVE-2020-5245

Vulnerable Library - dropwizard-validation-1.3.12.jar

Dropwizard is a Java framework for developing ops-friendly, high-performance, RESTful web applications.

Library home page: http://www.dropwizard.io/1.3.12

Path to dependency file: /SingularityRunnerBase/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/dropwizard/dropwizard-validation/1.3.12/dropwizard-validation-1.3.12.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Dropwizard-Validation before 1.3.19 and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature.

The issue has been fixed in dropwizard-validation 1.3.19 and 2.0.2.

Publish Date: 2020-02-24

URL: CVE-2020-5245

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.6%

CVSS 3 Score Details (7.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5245

Release Date: 2020-02-24

Fix Resolution: 1.3.19,2.0.2

CVE-2021-28165

Vulnerable Library - jetty-io-9.4.18.v20190429.jar

The Eclipse Jetty Project

Library home page: https://webtide.com

Path to dependency file: /EmbedSingularityExample/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.18.v20190429/jetty-io-9.4.18.v20190429.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-metrics-1.3.12.jar
        • dropwizard-lifecycle-1.3.12.jar
          • jetty-server-9.4.18.v20190429.jar
            • jetty-http-9.4.18.v20190429.jar
              • jetty-io-9.4.18.v20190429.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 55.5%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

CVE-2020-27216

Vulnerable Library - jetty-webapp-9.4.18.v20190429.jar

Jetty web application support

Library home page: https://webtide.com

Path to dependency file: /EmbedSingularityExample/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-webapp/9.4.18.v20190429/jetty-webapp-9.4.18.v20190429.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jersey-1.3.12.jar
        • jetty-webapp-9.4.18.v20190429.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Eclipse Jetty versions 1.0 through 9.4.32.v20200930, 10.0.0.alpha1 through 10.0.0.beta2, and 11.0.0.alpha1 through 11.0.0.beta2, on Unix-like systems, the system's temporary directory is shared between all users on that system. A co-located user can observe the process of creating a temporary subdirectory in the shared temporary directory and race to complete the creation of that subdirectory. If the attacker wins the race, they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Publish Date: 2020-10-23

URL: CVE-2020-27216

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921

Release Date: 2020-10-23

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.33,10.0.0.beta3,11.0.0.beta3;org.eclipse.jetty:jetty-webapp:9.4.33,10.0.0.beta3,11.0.0.beta3

CVE-2023-1932

Vulnerable Library - hibernate-validator-5.4.3.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /SingularityRunnerBase/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.4.3.Final/hibernate-validator-5.4.3.Final.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar
        • hibernate-validator-5.4.3.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in hibernate-validator version 6.1.2.Final, where the method 'isValid' in the class org.hibernate.validator.internal.constraintvalidators.hv.SafeHtmlValidator can be bypassed by omitting the tag end (less-than sign). Browsers typically still render the invalid HTML, which leads to attacks like HTML injection and Cross-Site Scripting.

Publish Date: 2024-11-07

URL: CVE-2023-1932

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1809444

Release Date: 2024-11-07

Fix Resolution: org.hibernate.validator:hibernate-validator:6.2.0.Final

CVE-2024-9823

Vulnerable Library - jetty-servlets-9.4.18.v20190429.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /SingularityService/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.18.v20190429/jetty-servlets-9.4.18.v20190429.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jetty-1.3.12.jar
        • jetty-servlets-9.4.18.v20190429.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There is a security vulnerability in Jetty's DosFilter which can be exploited by unauthorized users to cause a remote denial-of-service (DoS) attack on a server using DosFilter. By repeatedly sending crafted requests, attackers can trigger OutOfMemory errors and eventually exhaust the server's memory.

Publish Date: 2024-10-14

URL: CVE-2024-9823

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-7hcf-ppf8-5w5h

Release Date: 2024-10-14

Fix Resolution: org.eclipse.jetty:jetty-servlets:10.0.18,11.0.18,9.4.54.v20240208, org.eclipse.jetty.ee8:jetty-ee8-servlets:12.0.3, org.eclipse.jetty.ee9:jetty-ee9-servlets:12.0.3, org.eclipse.jetty.ee10:jetty-ee10-servlets:12.0.3

CVE-2021-28170

Vulnerable Library - javax.el-3.0.0.jar

Java.net - The Source for Java Technology Collaboration

Library home page: http://glassfish.org

Path to dependency file: /SingularityRunnerBase/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/glassfish/javax.el/3.0.0/javax.el-3.0.0.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar
        • javax.el-3.0.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.

Publish Date: 2021-05-26

URL: CVE-2021-28170

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2021-28170

Release Date: 2021-05-26

Fix Resolution: org.glassfish:jakarta.el:3.0.4, com.sun.el:el-ri:3.0.4

CVE-2021-28169

Vulnerable Library - jetty-servlets-9.4.18.v20190429.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /SingularityService/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.18.v20190429/jetty-servlets-9.4.18.v20190429.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jetty-1.3.12.jar
        • jetty-servlets-9.4.18.v20190429.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.0%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3

CVE-2020-10693

Vulnerable Library - hibernate-validator-5.4.3.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /SingularityRunnerBase/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/hibernate/hibernate-validator/5.4.3.Final/hibernate-validator-5.4.3.Final.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-validation-1.3.12.jar
        • hibernate-validator-5.4.3.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitization (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: 2020-05-06

URL: CVE-2020-10693

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.1%

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/05/07/hibernate-validator-615-6020-released/

Release Date: 2020-05-06

Fix Resolution: org.hibernate:hibernate-validator:6.0.20.Final,6.1.5.Final

WS-2023-0236

Vulnerable Library - jetty-xml-9.4.18.v20190429.jar

The jetty xml utilities.

Library home page: https://webtide.com

Path to dependency file: /EmbedSingularityExample/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-xml/9.4.18.v20190429/jetty-xml-9.4.18.v20190429.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jersey-1.3.12.jar
        • jetty-webapp-9.4.18.v20190429.jar
          • jetty-xml-9.4.18.v20190429.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XmlParser contains an XML external entity (XXE) vulnerability. XmlParser is used when parsing Jetty's XML configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty server, where the WAR includes a malicious web.xml. The vulnerability is patched in versions 10.0.16, 11.0.16, and 12.0.0.

Publish Date: 2024-12-02

URL: WS-2023-0236

Threat Assessment

Exploit Maturity: Not Defined

EPSS:

CVSS 3 Score Details (3.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-58qw-p7qm-5rvh

Release Date: 2024-12-02

Fix Resolution: org.eclipse.jetty:jetty-xml:10.0.16,11.0.16,12.0.0

CVE-2023-36479

Vulnerable Library - jetty-servlets-9.4.18.v20190429.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /SingularityService/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-servlets/9.4.18.v20190429/jetty-servlets-9.4.18.v20190429.jar

Dependency Hierarchy:

  • dropwizard-guicier-1.3.5.1.jar (Root Library)
    • dropwizard-core-1.3.12.jar
      • dropwizard-jetty-1.3.12.jar
        • jetty-servlets-9.4.18.v20190429.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Eclipse Jetty Canonical Repository is the canonical repository for the Jetty project. Users of the CgiServlet with a very specific command structure may have the wrong command executed. If a user sends a request to an org.eclipse.jetty.servlets.CGI servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. This issue was patched in versions 9.4.52, 10.0.16, 11.0.16 and 12.0.0-beta2.

Publish Date: 2023-09-15

URL: CVE-2023-36479

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-3gh6-v5v9-6v9j

Release Date: 2023-09-15

Fix Resolution: org.eclipse.jetty:jetty-servlets:9.4.52.v20230823,10.0.16,11.0.16

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 28, 2025