Find, fix and prevent vulnerabilities in your code.
high severity
- Vulnerable module: org.apache.commons:commons-lang3
- Introduced through: org.apache.commons:commons-lang3@3.9
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.apache.commons:commons-lang3@3.9Remediation: Upgrade to org.apache.commons:commons-lang3@3.18.0.
Overview
Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.
Remediation
Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.
References
high severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16 › com.google.protobuf:protobuf-java@3.6.1Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the parsing of nested groups or series of SGROUP tags as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. An attacker can cause infinite recursion by sending malicious Protocol Buffer data.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.25.5, 4.27.5, 4.28.2 or higher.
References
high severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16 › com.google.protobuf:protobuf-java@3.6.1Remediation: Upgrade to mysql:mysql-connector-java@8.0.29.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Denial of Service (DoS). An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses.
Note: Protobuf javalite users are not affected.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.16.1, 3.18.2, 3.19.2 or higher.
References
high severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16 › com.google.protobuf:protobuf-java@3.6.1Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Denial of Service (DoS) in MessageReflection.java due to a text format parsing issue. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.
References
high severity
- Vulnerable module: javax.servlet:jstl
- Introduced through: javax.servlet:jstl@1.2
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › javax.servlet:jstl@1.2
Overview
javax.servlet:jstl is a collection of useful JSP tags which encapsulates the core functionality common to many JSP applications.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection. Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a <x:parse> or <x:transform> JSTL XML tag.
Details
XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.
Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.
For example, below is a sample XML document, containing an XML element- username.
<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<username>John</username>
</xml>
An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.
<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<username>&xxe;</username>
</xml>
Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.
Remediation
There is no fixed version for javax.servlet:jstl.
References
high severity
- Vulnerable module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3
Overview
ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.
Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.12, 1.4.12 or higher.
References
high severity
- Vulnerable module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3
Overview
ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.
Note:
Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.
Remediation
Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.14, 1.4.14 or higher.
References
high severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.12, 1.4.12 or higher.
References
high severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.
Note:
Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.14, 1.4.14 or higher.
References
high severity
- Module: mysql:mysql-connector-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16
GPL-2.0 license
medium severity
- Vulnerable module: mysql:mysql-connector-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16Remediation: Upgrade to mysql:mysql-connector-java@8.0.28.
Overview
mysql:mysql-connector-java is a provides connectivity for client applications developed in the Java programming language with MySQL Connector/J, a driver that implements the Java Database Connectivity (JDBC) API.
Affected versions of this package are vulnerable to Improper Authorization via the MysqlSQLXML::getSource() function. A malicious actor with high privileges can access all of the MySQL connector's accessible data and crash the connectors.
Remediation
Upgrade mysql:mysql-connector-java to version 8.0.28 or higher.
References
medium severity
- Vulnerable module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.3.15.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3
Overview
ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.
Remediation
Upgrade ch.qos.logback:logback-classic to version 1.3.15, 1.5.13 or higher.
References
medium severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.3.16.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores via the conditional processing of the logback.xml configuration file when both the Janino library and Spring Framework are present on the class path. An attacker can execute arbitrary code by compromising an existing configuration file or injecting a malicious environment variable before program execution. This is only exploitable if the attacker has write access to a configuration file or can set a malicious environment variable.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.3.16, 1.5.19 or higher.
References
medium severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.3.15.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.3.15, 1.5.13 or higher.
References
medium severity
- Vulnerable module: mysql:mysql-connector-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16Remediation: Upgrade to mysql:mysql-connector-java@8.0.27.
Overview
mysql:mysql-connector-java is a provides connectivity for client applications developed in the Java programming language with MySQL Connector/J, a driver that implements the Java Database Connectivity (JDBC) API.
Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the getSource() method, due to a missing check for external entities.
Details
XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.
Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.
For example, below is a sample XML document, containing an XML element- username.
<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<username>John</username>
</xml>
An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.
<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
<!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
<username>&xxe;</username>
</xml>
Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.
Remediation
Upgrade mysql:mysql-connector-java to version 8.0.27 or higher.
References
medium severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.16
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › mysql:mysql-connector-java@8.0.16 › com.google.protobuf:protobuf-java@3.6.1Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Denial of Service (DoS) via the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.
References
medium severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.7.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Insufficient Hostname Verification. X.509 are not properly validated. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.2.7 or higher.
References
medium severity
- Module: ch.qos.logback:logback-classic
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Dual license: EPL-1.0, LGPL-2.1
medium severity
- Module: javax.servlet:jstl
- Introduced through: javax.servlet:jstl@1.2
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › javax.servlet:jstl@1.2
CDDL-1.0 license
low severity
- Vulnerable module: commons-codec:commons-codec
- Introduced through: org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › commons-codec:commons-codec@1.11
Overview
commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.
Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.
Remediation
Upgrade commons-codec:commons-codec to version 1.14 or higher.
References
low severity
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.3.15.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the SaxEventRecorder process. An attacker can forge requests by compromising logback configuration files in XML.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.3.15, 1.5.13 or higher.
References
low severity
new
- Vulnerable module: ch.qos.logback:logback-core
- Introduced through: ch.qos.logback:logback-classic@1.2.3 and org.owasp:security-logging-logback@1.1.6
Detailed paths
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.25.
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-core@1.2.3
-
Introduced through: mykelangelo/bus-depot@mykelangelo/bus-depot#443937a247471ba5306069fa3fc02f84bffd5794 › org.owasp:security-logging-logback@1.1.6 › ch.qos.logback:logback-classic@1.2.3 › ch.qos.logback:logback-core@1.2.3
Overview
ch.qos.logback:logback-core is a logback-core module.
Affected versions of this package are vulnerable to External Initialization of Trusted Variables or Data Stores during the configuration file processing. An attacker can instantiate arbitrary classes already present on the class path by compromising an existing configuration file.
Remediation
Upgrade ch.qos.logback:logback-core to version 1.5.25 or higher.