  • Vulnerabilities: 2 via 2 paths
  • Dependencies: 38
  • Source: GitHub
  • Commit: 8e0ad4a9


critical severity

SQL Injection

  • Vulnerable module: org.postgresql:postgresql
  • Introduced through: org.postgresql:postgresql@42.5.4

Detailed paths

  • Introduced through: RedisGears/rghibernate@RedisGears/rghibernate#8e0ad4a93bd31d8ec32445c1b22dc273c7fbdaed org.postgresql:postgresql@42.5.4
    Remediation: Upgrade to org.postgresql:postgresql@42.5.5.

Overview

org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for the PostgreSQL database.

Affected versions of this package are vulnerable to SQL Injection when using PreferQueryMode=SIMPLE, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer.

Remediation

Upgrade org.postgresql:postgresql to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.


high severity

Improper Validation of Certificate with Host Mismatch

  • Vulnerable module: com.microsoft.sqlserver:mssql-jdbc
  • Introduced through: com.microsoft.sqlserver:mssql-jdbc@11.1.2.jre8-preview

Detailed paths

  • Introduced through: RedisGears/rghibernate@RedisGears/rghibernate#8e0ad4a93bd31d8ec32445c1b22dc273c7fbdaed com.microsoft.sqlserver:mssql-jdbc@11.1.2.jre8-preview
    Remediation: Upgrade to com.microsoft.sqlserver:mssql-jdbc@11.2.4.jre8.

Overview

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch via the parseCommonName() method. An attacker can gain unauthorized access or impersonate users by crafting malicious X.509 certificates that bypass hostname validation by embedding fake hostnames within other certificate attributes.

Remediation

Upgrade com.microsoft.sqlserver:mssql-jdbc to version 10.2.4.jre8, 11.2.4.jre8, 12.2.1.jre8, 12.4.3.jre8, 12.6.5.jre8, 12.8.2.jre8, 12.10.2.jre8, 13.2.1.jre8 or higher.


medium severity

LGPL-2.1 license

  • Module: org.hibernate:hibernate-core
  • Introduced through: org.hibernate:hibernate-core@5.6.7.Final

Detailed paths

  • Introduced through: RedisGears/rghibernate@RedisGears/rghibernate#8e0ad4a93bd31d8ec32445c1b22dc273c7fbdaed org.hibernate:hibernate-core@5.6.7.Final

LGPL-2.1 license

medium severity

LGPL-2.1 license

  • Module: org.hibernate.common:hibernate-commons-annotations
  • Introduced through: org.hibernate:hibernate-core@5.6.7.Final

Detailed paths

  • Introduced through: RedisGears/rghibernate@RedisGears/rghibernate#8e0ad4a93bd31d8ec32445c1b22dc273c7fbdaed org.hibernate:hibernate-core@5.6.7.Final org.hibernate.common:hibernate-commons-annotations@5.1.2.Final

LGPL-2.1 license

medium severity

LGPL-2.1 license

  • Module: org.mariadb.jdbc:mariadb-java-client
  • Introduced through: org.mariadb.jdbc:mariadb-java-client@2.7.5

Detailed paths

  • Introduced through: RedisGears/rghibernate@RedisGears/rghibernate#8e0ad4a93bd31d8ec32445c1b22dc273c7fbdaed org.mariadb.jdbc:mariadb-java-client@2.7.5

LGPL-2.1 license