Vulnerabilities |
2 via 2 paths |
|---|---|
Dependencies |
22 |
Source |
GitHub |
Find, fix and prevent vulnerabilities in your code.
high severity
new
- Vulnerable module: org.eclipse.parsson:parsson
- Introduced through: org.glassfish.jersey.media:jersey-media-moxy@5.0.0-M1
Detailed paths
-
Introduced through: mixaverros88/java-api@mixaverros88/java-api › org.glassfish.jersey.media:jersey-media-moxy@5.0.0-M1 › org.eclipse.parsson:parsson@1.1.7
Overview
Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling due to the lack of enforced limits in the parser when processing JSON input. An attacker can cause excessive CPU and memory consumption by submitting very large or deeply nested JSON documents, potentially leading to resource exhaustion and service unavailability.
Remediation
Upgrade org.eclipse.parsson:parsson to version 1.1.8 or higher.
References
medium severity
- Vulnerable module: org.eclipse.angus:angus-mail
- Introduced through: org.glassfish.jersey.media:jersey-media-moxy@5.0.0-M1
Detailed paths
-
Introduced through: mixaverros88/java-api@mixaverros88/java-api › org.glassfish.jersey.media:jersey-media-moxy@5.0.0-M1 › org.eclipse.persistence:org.eclipse.persistence.moxy@5.0.0-B09 › org.eclipse.angus:angus-mail@2.0.3
Overview
org.eclipse.angus:angus-mail is an Angus Mail Provider.
Affected versions of this package are vulnerable to Improper Neutralization via the handling of SMTP message input. An attacker can inject arbitrary SMTP commands by supplying specially crafted input containing carriage return and line feed characters.
Note:
This is only exploitable if the provided dependency org.eclipse.angus:smtp is used.
Remediation
Upgrade org.eclipse.angus:angus-mail to version 2.0.4 or higher.
References
medium severity
- Module: junit:junit
- Introduced through: org.glassfish.jersey.media:jersey-media-moxy@5.0.0-M1
Detailed paths
-
Introduced through: mixaverros88/java-api@mixaverros88/java-api › org.glassfish.jersey.media:jersey-media-moxy@5.0.0-M1 › jakarta.json.bind:jakarta.json.bind-api@3.0.1 › junit:junit@4.13.2
EPL-1.0 license