Vulnerabilities

 1 via 2 paths

Dependencies

 28

Source

 GitHub

Commit

 b89bc61e

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 1
Status
  • 1
  • 0
  • 0

low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: org.apache.httpcomponents:httpclient@4.5.14 and org.apache.httpcomponents:httpmime@4.5.14

Detailed paths

  • Introduced through: JavaChat/OakBot@JavaChat/OakBot#b89bc61e696d5692320a7b73370b71a1295b26c2 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11
  • Introduced through: JavaChat/OakBot@JavaChat/OakBot#b89bc61e696d5692320a7b73370b71a1295b26c2 org.apache.httpcomponents:httpmime@4.5.14 org.apache.httpcomponents:httpclient@4.5.14 commons-codec:commons-codec@1.11

Overview

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.

References

Information Exposure vulnerability report