Vulnerabilities

 2 via 3 paths

Dependencies

 14

Source

 GitHub

Commit

 88539e5c

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
  • 1
Status
  • 2
  • 0
  • 0

high severity

Uncontrolled Recursion

  • Vulnerable module: org.apache.commons:commons-lang3
  • Introduced through: org.apache.commons:commons-lang3@3.13.0 and org.apache.poi:poi-ooxml@5.4.1

Detailed paths

  • Introduced through: Bismi-Solutions/Excel@Bismi-Solutions/Excel#88539e5ca74047338516191a603dc9d3be771230 org.apache.commons:commons-lang3@3.13.0
    Remediation: Upgrade to org.apache.commons:commons-lang3@3.18.0.
  • Introduced through: Bismi-Solutions/Excel@Bismi-Solutions/Excel#88539e5ca74047338516191a603dc9d3be771230 org.apache.poi:poi-ooxml@5.4.1 org.apache.commons:commons-compress@1.27.1 org.apache.commons:commons-lang3@3.13.0
    Remediation: Upgrade to org.apache.poi:poi-ooxml@5.5.0.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: org.apache.logging.log4j:log4j-core
  • Introduced through: org.apache.logging.log4j:log4j-core@2.20.0

Detailed paths

  • Introduced through: Bismi-Solutions/Excel@Bismi-Solutions/Excel#88539e5ca74047338516191a603dc9d3be771230 org.apache.logging.log4j:log4j-core@2.20.0
    Remediation: Upgrade to org.apache.logging.log4j:log4j-core@2.25.3.

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component. An attacker can intercept or redirect log traffic by performing a man-in-the-middle attack if they are able to intercept or redirect network traffic between the client and the log receiver and can present a server certificate issued by a certification authority trusted by the configured trust store or the default Java trust store.

Workaround

This vulnerability can be mitigated by configuring the SocketAppender to use a private or restricted trust root to limit the set of trusted certificates.

Remediation

Upgrade org.apache.logging.log4j:log4j-core to version 2.25.3 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report