Skip to main content

Test Results

marklogic/ml-gradle

Vulnerabilities

 4 via 42 paths

Dependencies

 37

Source

 GitHub

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications
Severity
  • 4
Status
  • 4
  • 0
  • 0

low severity

Information Exposure

  • Vulnerable module: org.jetbrains.kotlin:kotlin-stdlib
  • Introduced through: com.marklogic:ml-app-deployer@5.0.0 and com.marklogic:marklogic-data-movement-components@2.8.0

Detailed paths

  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:marklogic-data-movement-components@2.8.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 com.squareup.okhttp3:logging-interceptor@4.12.0 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 com.marklogic:marklogic-client-api@6.6.0 io.github.rburgst:okhttp-digest@2.7 com.squareup.okhttp3:okhttp@4.12.0 com.squareup.okio:okio@3.6.0 com.squareup.okio:okio-jvm@3.6.0 org.jetbrains.kotlin:kotlin-stdlib-jdk8@1.8.21 org.jetbrains.kotlin:kotlin-stdlib-jdk7@1.8.21 org.jetbrains.kotlin:kotlin-stdlib@1.8.21

…and 29 more

Overview

org.jetbrains.kotlin:kotlin-stdlib is a Kotlin Standard Library for JVM.

Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using createTempDir or createTempFile and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system.

Note: As of version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed".

PoC by JLLeitschuh

package org.jlleitschuh.sandbox

import org.junit.jupiter.api.Test
import java.io.BufferedReader
import java.io.File
import java.io.IOException
import java.io.InputStreamReader
import java.nio.file.Files

class KotlinTempDirectoryPermissionCheck {
    @Test
    fun `kotlin check default directory permissions`() {
        val dir = createTempDir()
        runLS(dir.parentFile, dir) // Prints drwxr-xr-x
    }

    @Test
    fun `Files check default directory permissions`() {
        val dir = Files.createTempDirectory("random-directory")
        runLS(dir.toFile().parentFile, dir.toFile()) // Prints drwx------
    }

    @Test
    fun `kotlin check default file permissions`() {
        val file = createTempFile()
        runLS(file.parentFile, file) // Prints -rw-r--r--
    }

    @Test
    fun `Files check default file permissions`() {
        val file = Files.createTempFile("random-file", ".txt")
        runLS(file.toFile().parentFile, file.toFile()) // Prints -rw-------
    }

    private fun runLS(file: File, lookingFor: File) {
        val processBuilder = ProcessBuilder()
        processBuilder.command("ls", "-l", file.absolutePath)
        try {
            val process = processBuilder.start()
            val output = StringBuilder()
            val reader = BufferedReader(
                InputStreamReader(process.inputStream)
            )
            reader.lines().forEach { line ->
                if (line.contains("total")) {
                    output.append(line).append('\n')
                }
                if (line.contains(lookingFor.name)) {
                    output.append(line).append('\n')
                }
            }
            val exitVal = process.waitFor()
            if (exitVal == 0) {
                println("Success!")
                println(output)
            } else {
                //abnormal...
            }
        } catch (e: IOException) {
            e.printStackTrace()
        } catch (e: InterruptedException) {
            e.printStackTrace()
        }
    }
}

Remediation

Upgrade org.jetbrains.kotlin:kotlin-stdlib to version 2.1.0 or higher.

References

Information Exposure vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-context
  • Introduced through: com.marklogic:ml-app-deployer@5.0.0

Detailed paths

  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 org.springframework:spring-context@5.3.39

Overview

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-context to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-core
  • Introduced through: com.marklogic:mlcp-util@1.0.1 and com.marklogic:ml-app-deployer@5.0.0

Detailed paths

  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:mlcp-util@1.0.1 org.springframework:spring-beans@5.3.22 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 org.springframework:spring-web@5.3.39 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 org.springframework:spring-web@5.3.39 org.springframework:spring-beans@5.3.22 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 org.springframework:spring-context@5.3.39 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 org.springframework:spring-context@5.3.39 org.springframework:spring-beans@5.3.22 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 org.springframework:spring-context@5.3.39 org.springframework:spring-aop@5.3.39 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 org.springframework:spring-context@5.3.39 org.springframework:spring-expression@5.3.39 org.springframework:spring-core@5.3.39
  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 com.marklogic:ml-javaclient-util@5.0.0 org.springframework:spring-context@5.3.39 org.springframework:spring-aop@5.3.39 org.springframework:spring-beans@5.3.22 org.springframework:spring-core@5.3.39

…and 5 more

Overview

org.springframework:spring-core is a core package within the spring-framework that contains multiple classes and utilities.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-core to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report

low severity

Improper Handling of Case Sensitivity

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: com.marklogic:ml-app-deployer@5.0.0

Detailed paths

  • Introduced through: marklogic/ml-gradle@marklogic/ml-gradle com.marklogic:ml-app-deployer@5.0.0 org.springframework:spring-web@5.3.39

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Improper Handling of Case Sensitivity due to String.toLowerCase() having some Locale dependent exceptions that could potentially result in fields not protected as expected.

Note:

The fix for CVE-2022-22968 made disallowedFields patterns in DataBinder case insensitive.

This vulnerability was also fixed in commercial versions 5.3.41 and 6.0.25.

Remediation

Upgrade org.springframework:spring-web to version 6.1.14 or higher.

References

Improper Handling of Case Sensitivity vulnerability report