Vulnerabilities

 2 via 2 paths

Dependencies

 29

Source

 GitHub

Commit

 a2e2097c

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Issue type
  • 2
  • 2
Severity
  • 1
  • 2
  • 1
Status
  • 4
  • 0
  • 0

high severity

Improper Resource Shutdown or Release

  • Vulnerable module: co.fs2:fs2-io_2.11
  • Introduced through: co.fs2:fs2-io_2.11@3.12.2

Detailed paths

  • Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#a2e2097c20b23ab8e9a124a99472dacd122be160 co.fs2:fs2-io_2.11@3.12.2

Overview

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release after establishing a TLS session. An attacker can cause excessive CPU utilization by initiating a half-shutdown of the connection during the handshake, leading the peer to enter a spin loop on socket read until the connection is closed.

Remediation

There is no fixed version for co.fs2:fs2-io_2.11.

References

Improper Resource Shutdown or Release vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: ch.qos.logback:logback-classic@1.5.19

Detailed paths

  • Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#a2e2097c20b23ab8e9a124a99472dacd122be160 ch.qos.logback:logback-classic@1.5.19

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.5.19

Detailed paths

  • Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#a2e2097c20b23ab8e9a124a99472dacd122be160 ch.qos.logback:logback-classic@1.5.19 ch.qos.logback:logback-core@1.5.19

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

low severity
new

External Initialization of Trusted Variables or Data Stores

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.5.19

Detailed paths

  • Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#a2e2097c20b23ab8e9a124a99472dacd122be160 ch.qos.logback:logback-classic@1.5.19 ch.qos.logback:logback-core@1.5.19
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.25.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores during the configuration file processing. An attacker can instantiate arbitrary classes already present on the class path by compromising an existing configuration file.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.5.25 or higher.

References

External Initialization of Trusted Variables or Data Stores vulnerability report