Vulnerabilities	2 via 2 paths
Dependencies	29
Source	GitHub
Commit	b9d08e20

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Issue type

Vulnerabilities
2
License issues
2

Severity

Critical
High
1
Medium
3
Low

Status

Open
4
Patched
0
Ignored
0

high severity

new

Improper Resource Shutdown or Release

Vulnerable module: co.fs2:fs2-io_2.11
Introduced through: co.fs2:fs2-io_2.11@3.12.2

Detailed paths

Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#b9d08e2070c5f00dc962cfb7033aac6e7948ff96 › co.fs2:fs2-io_2.11@3.12.2

Overview

Affected versions of this package are vulnerable to Improper Resource Shutdown or Release after establishing a TLS session. An attacker can cause excessive CPU utilization by initiating a half-shutdown of the connection during the handshake, leading the peer to enter a spin loop on socket read until the connection is closed.

Remediation

There is no fixed version for co.fs2:fs2-io_2.11.

References

Improper Resource Shutdown or Release vulnerability report

medium severity

new

External Initialization of Trusted Variables or Data Stores

Vulnerable module: ch.qos.logback:logback-core
Introduced through: ch.qos.logback:logback-classic@1.5.15

Detailed paths

Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#b9d08e2070c5f00dc962cfb7033aac6e7948ff96 › ch.qos.logback:logback-classic@1.5.15 › ch.qos.logback:logback-core@1.5.15

Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.19.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the logback.xml configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.5.19 or higher.

References

External Initialization of Trusted Variables or Data Stores vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

Module: ch.qos.logback:logback-classic
Introduced through: ch.qos.logback:logback-classic@1.5.15

Detailed paths

Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#b9d08e2070c5f00dc962cfb7033aac6e7948ff96 › ch.qos.logback:logback-classic@1.5.15

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

medium severity

Dual license: EPL-1.0, LGPL-2.1

Module: ch.qos.logback:logback-core
Introduced through: ch.qos.logback:logback-classic@1.5.15

Detailed paths

Introduced through: laserdisc-io/laserdisc@laserdisc-io/laserdisc#b9d08e2070c5f00dc962cfb7033aac6e7948ff96 › ch.qos.logback:logback-classic@1.5.15 › ch.qos.logback:logback-core@1.5.15

Dual license: EPL-1.0, LGPL-2.1

Dual license: EPL-1.0, LGPL-2.1 vulnerability report

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

high severity new

Improper Resource Shutdown or Release

Detailed paths

Overview

Remediation

References

medium severity new

External Initialization of Trusted Variables or Data Stores

Detailed paths

Overview

Remediation

References

medium severity

Dual license: EPL-1.0, LGPL-2.1

Detailed paths

medium severity

Dual license: EPL-1.0, LGPL-2.1

Detailed paths

high severity

new

medium severity

new