pacphi/cf-butler

Vulnerabilities: 4 via 37 paths
Dependencies: 122
Source: GitHub
Commit: 93082b93


high severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: io.r2dbc:r2dbc-h2@0.8.4.RELEASE

Detailed paths

  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a io.r2dbc:r2dbc-h2@0.8.4.RELEASE com.h2database:h2@1.4.200

Overview

com.h2database:h2 is a database engine.

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 provides a web console for managing the database, and by default it does not have a password set. The CREATE ALIAS function calls Java code, allowing an attacker to execute arbitrary Java code on projects running the H2 database.

PoC

CREATE ALIAS REVERSE AS $$ String reverse(String s) { return new StringBuilder(s).reverse().toString(); } $$;
CALL REVERSE('Test');

Remediation

There is no fixed version for com.h2database:h2.


medium severity

Improper Certificate Validation

  • Vulnerable module: io.netty:netty-handler
  • Introduced through: org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE and org.springframework.boot:spring-boot-starter-webflux@2.4.5

Detailed paths

  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http2@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http2@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler-proxy@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http2@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http2@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http2@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler-proxy@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler-proxy@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-codec-http2@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-reactor-netty@2.4.5 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-handler-proxy@4.1.63.Final io.netty:netty-codec-http@4.1.63.Final io.netty:netty-handler@4.1.63.Final
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE io.projectreactor.netty:reactor-netty@1.0.7 io.projectreactor.netty:reactor-netty-http-brave@1.0.7 io.projectreactor.netty:reactor-netty-http@1.0.6 io.projectreactor.netty:reactor-netty-core@1.0.7 io.netty:netty-resolver-dns-native-macos@4.1.63.Final io.netty:netty-resolver-dns@4.1.63.Final io.netty:netty-handler@4.1.63.Final

Overview

io.netty:netty-handler is a library that provides an asynchronous, event-driven network application framework and tools for rapid development of maintainable, high-performance and highly scalable protocol servers and clients. In other words, Netty is an NIO client-server framework that enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket servers.

Affected versions of this package are vulnerable to Improper Certificate Validation. Certificate hostname validation is disabled by default in Netty 4.1.x, which makes it potentially susceptible to Man-in-the-Middle attacks.

Remediation

There is no fixed version for io.netty:netty-handler.


medium severity
new

Privilege Escalation

  • Vulnerable module: org.springframework:spring-web
  • Introduced through: org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE and org.springframework.boot:spring-boot-starter-webflux@2.4.5

Detailed paths

  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE org.springframework:spring-web@5.3.6
    Remediation: Upgrade to org.cloudfoundry:cloudfoundry-client-reactor@5.1.0.RELEASE.
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework:spring-web@5.3.6
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-webflux@2.4.6.
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework.boot:spring-boot-starter-json@2.4.5 org.springframework:spring-web@5.3.6
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-webflux@2.4.6.
  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.springframework.boot:spring-boot-starter-webflux@2.4.5 org.springframework:spring-webflux@5.3.6 org.springframework:spring-web@5.3.6
    Remediation: Upgrade to org.springframework.boot:spring-boot-starter-webflux@2.4.6.

Overview

org.springframework:spring-web is a package that provides a comprehensive programming and configuration model for modern Java-based enterprise applications - on any kind of deployment platform.

Affected versions of this package are vulnerable to Privilege Escalation. By recreating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.

Remediation

Upgrade org.springframework:spring-web to version 5.3.7, 5.2.15.RELEASE or higher.


low severity

Information Exposure

  • Vulnerable module: commons-codec:commons-codec
  • Introduced through: org.apache.httpcomponents:httpclient@4.5.13

Detailed paths

  • Introduced through: pacphi/cf-butler@pacphi/cf-butler#93082b93da70e17c99b27f461203257c2e1d087a org.apache.httpcomponents:httpclient@4.5.13 commons-codec:commons-codec@1.11

Overview

commons-codec:commons-codec is a package that contains simple encoders and decoders for various formats such as Base64 and Hexadecimal.

Affected versions of this package are vulnerable to Information Exposure. When a string does not correspond to any byte array value that could have been encoded into it, the Base32 implementation does not reject it and instead decodes it into an arbitrary value, which can then be re-encoded using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid Base32 strings.

Remediation

Upgrade commons-codec:commons-codec to version 1.13 or higher.
