Vulnerabilities

37 via 52 paths

Dependencies

21

Source

GitHub

Commit

96b54cb4

Find, fix and prevent vulnerabilities in your code.

Issue type
  • 37
  • 4
Severity
  • 1
  • 17
  • 17
  • 6
Status
  • 41
  • 0
  • 0

critical severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.199

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 com.h2database:h2@1.4.199
    Remediation: Upgrade to com.h2database:h2@2.1.210.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE) via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring.

Remediation

Upgrade com.h2database:h2 to version 2.1.210 or higher.

References

high severity

Stack-based Buffer Overflow

  • Vulnerable module: com.google.protobuf:protobuf-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16 com.google.protobuf:protobuf-java@3.6.1
    Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the parsing of nested groups or series of SGROUP tags as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. An attacker can cause infinite recursion by sending malicious Protocol Buffer data.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.25.5, 4.27.5, 4.28.2 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.56.v20240826.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.56.v20240826.

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the ThreadLimitHandler.getRemote() method. An attacker can exhaust the server's memory and trigger OutofMemory errors by repeatedly sending crafted requests.

Workaround

This vulnerability can be mitigated by not using ThreadLimitHandler and considering the use of QoSHandler instead to artificially limit resource utilization.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.56, 10.0.24, 11.0.24, 12.0.9 or higher.

References

high severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.199

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 com.h2database:h2@1.4.199
    Remediation: Upgrade to com.h2database:h2@2.0.206.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). H2 Console allows loading of custom classes from remote servers through JNDI. This can lead to code execution

If remote access was enabled explicitly and some protection method (such as security constraint) are not set, an intruder can load their own custom class and execute their code in a process using H2 Console (a H2 Server process or a web server with H2 Console servlet).

Note: It should be noted that H2 Console doesn't accept remote connections by default.

Workarounds

  • H2 Console should never be available to untrusted users.

  • -webAllowOthers is a dangerous setting that should be avoided.

  • H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If webAllowOthers is specified, you need to uncomment and edit and as necessary. See documentation of your web server for more details.

All these workaround are mitigatory and unlikely to prevent all attack vectors, upgrade to a fixed version for full remediation.

Remediation

Upgrade com.h2database:h2 to version 2.0.206 or higher.

References

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.199

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 com.h2database:h2@1.4.199
    Remediation: Upgrade to com.h2database:h2@2.0.202.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade com.h2database:h2 to version 2.0.202 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: com.google.protobuf:protobuf-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16 com.google.protobuf:protobuf-java@3.6.1
    Remediation: Upgrade to mysql:mysql-connector-java@8.0.29.

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Denial of Service (DoS). An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses.

Note: Protobuf javalite users are not affected.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.16.1, 3.18.2, 3.19.2 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: com.google.protobuf:protobuf-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16 com.google.protobuf:protobuf-java@3.6.1
    Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Denial of Service (DoS) in MessageReflection.java due to a text format parsing issue. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.

References

high severity

Remote Code Execution (RCE)

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.199

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 com.h2database:h2@1.4.199

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Remote Code Execution (RCE). It provides a web console for managing the database, and by default it does not have a password set. The CREATE ALIAS function calls Java code, allowing an attacker to execute arbitrary Java code on projects running the h2 database.

NOTE: To be remotely exploitable, the affected application must be configured with the non-default setting webAllowOthers=true, either in a config file or as a parameter passed in when the servlet is invoked. The vulnerability can be avoided by setting a password on the database and/or restricting access to localhost using the above setting.

PoC

CREATE ALIAS REVERSE AS $$ String reverse(String s) { return new StringBuilder(s).reverse().toString(); } $$;
CALL REVERSE('Test');

Remediation

There is no fixed version for com.h2database:h2.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.53.v20231009.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.53.v20231009.

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Denial of Service (DoS) in the MetaDataBuilder.checkSize function. An attacker provide a very large or negative length value for the HTTP/2 HPACK header values. This can lead to an integer overflow, resulting in a very large buffer allocation on the server.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.53.v20231009, 10.0.16, 11.0.16 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.eclipse.jetty:jetty-io
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-io@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.39.v20210325.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429 org.eclipse.jetty:jetty-io@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.39.v20210325.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-io@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.39.v20210325.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429 org.eclipse.jetty:jetty-io@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.39.v20210325.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS). CPU usage can reach 100% upon receiving a large invalid TLS frame.

PoC

// server 
public class MyServer {
    public static void startServer() throws Exception {
         SslContextFactory sslContextFactory = new SslContextFactory.Server();
         HttpConnectionFactory httpFactory = new HttpConnectionFactory();
         Server server = new Server();
         ServerConnector connector = new 
         ServerConnector(server,null,null,null,1,-1,AbstractConnectionFactory.getFactories(sslContextFactory ,httpFactory));
         connector.setPort(9988);
         connector.setHost("localhost");
         server.setConnectors(new Connector[]{connector});
         ServletContextHandler context = new ServletContextHandler();
         context.setContextPath("/");
         HandlerCollection handlerCollection= new HandlerCollection();
         handlerCollection.setHandlers(new Handler[]{context,new DefaultHandler()});
         server.setHandler(handlerCollection);
         server.start();
         server.join();
    }
     public static void main(String[] args) throws Exception {
        startServer();
     }
}



public class MyClient {
    // client 
    private static byte[] buildMessage() {
       byte[] bytes = new byte[20005];
       bytes[0] = 22;  // record type
       bytes[1] = 3;   // major version
       bytes[2] = 3;   // minor version
       bytes[3] = 78; // record length 2 bytes
       bytes[4] = 32;  // record length
    
       bytes[5] = 1; // message type
       bytes[6] = 0; // message length 3 bytes
       bytes[7] = 78;
       bytes[8] = 23;
      
      for( int i = 9; i < bytes.length; i++) {
          bytes[i] = 1;
      }
      return bytes;
    }
    
    public static void sendMessage() throws Exception {
        byte[] bytes = buildMessage();
        SocketFactory socketFactory = SocketFactory.getDefault();
        Socket socket = socketFactory.createSocket("localhost",9988);
        socket.getOutputStream().write(bytes);
        socket.close();
    }

    public static void main(String[] args) throws Exception {
        sendMessage();
    }
}

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-io to version 9.4.39.v20210325, 10.0.2, 11.0.2 or higher.

References

high severity

XML External Entity (XXE) Injection

  • Vulnerable module: org.jdom:jdom2
  • Introduced through: org.jdom:jdom2@2.0.6

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.jdom:jdom2@2.0.6
    Remediation: Upgrade to org.jdom:jdom2@2.0.6.1.

Overview

org.jdom:jdom2 is a Java manipulation of XML made easy.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via a crafted HTTP request.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade org.jdom:jdom2 to version 2.0.6.1 or higher.

References

high severity

Allocation of Resources Without Limits or Throttling

  • Vulnerable module: org.json:json
  • Introduced through: org.json:json@20180813

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.json:json@20180813
    Remediation: Upgrade to org.json:json@20231013.

Overview

Affected versions of this package are vulnerable to Allocation of Resources Without Limits or Throttling. An attacker can cause indefinite amounts of memory to be used by inputting a string of modest size. This can lead to a Denial of Service.

PoC

package orgjsonbug;

import org.json.JSONObject;

/**
 * Illustrates a bug in JSON-Java.
 */
public class Bug {
  private static String makeNested(int depth) {
    if (depth == 0) {
      return "{\"a\":1}";
    }
    return "{\"a\":1;\t\0" + makeNested(depth - 1) + ":1}";
  }

  public static void main(String[] args) {
    String input = makeNested(30);
    System.out.printf("Input string has length %d: %s\n", input.length(), input);
    JSONObject output = new JSONObject(input);
    System.out.printf("Output JSONObject has length %d: %s\n", output.toString().length(), output);
  }
}

Remediation

Upgrade org.json:json to version 20231013 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: org.json:json
  • Introduced through: org.json:json@20180813

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.json:json@20180813
    Remediation: Upgrade to org.json:json@20230227.

Overview

Affected versions of this package are vulnerable to Denial of Service (DoS) in the XML.toJSONObject component via crafted JSON or XML data.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.json:json to version 20230227 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

high severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

high severity

Denial of Service (DoS)

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3 ch.qos.logback:logback-core@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Denial of Service (DoS). An attacker can mount a denial-of-service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.12, 1.4.12 or higher.

References

high severity

Uncontrolled Resource Consumption ('Resource Exhaustion')

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3 ch.qos.logback:logback-core@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.13.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Uncontrolled Resource Consumption ('Resource Exhaustion') via the logback receiver component. An attacker can mount a denial-of-service attack by sending poisoned data.

Note:

Successful exploitation requires the logback-receiver component being enabled and also reachable by the attacker.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.13, 1.3.14, 1.4.14 or higher.

References

high severity

GPL-2.0 license

  • Module: mysql:mysql-connector-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16

GPL-2.0 license

medium severity

Improper Authorization

  • Vulnerable module: mysql:mysql-connector-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16
    Remediation: Upgrade to mysql:mysql-connector-java@8.0.28.

Overview

mysql:mysql-connector-java is a provides connectivity for client applications developed in the Java programming language with MySQL Connector/J, a driver that implements the Java Database Connectivity (JDBC) API.

Affected versions of this package are vulnerable to Improper Authorization via the MysqlSQLXML::getSource() function. A malicious actor with high privileges can access all of the MySQL connector's accessible data and crash the connectors.

Remediation

Upgrade mysql:mysql-connector-java to version 8.0.28 or higher.

References

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@12.0.12.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

  1. This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;

  2. The Jetty usage of the HttpURI class is not vulnerable.

Workaround

This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.

PoC

http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 12.0.12 or higher.

References

medium severity

Improper Validation of Syntactic Correctness of Input

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@12.0.12.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Improper Validation of Syntactic Correctness of Input via the HttpURI class due to insufficient validation on the authority segment of a URI. An attacker can manipulate the URI parsing to redirect requests or initiate server-side requests to unintended destinations by supplying malformed URIs that bypass validation checks.

Notes:

  1. This is only exploitable if the application uses decoded user data as encoded URIs in conjunction with the HttpURI class used directly;

  2. The Jetty usage of the HttpURI class is not vulnerable.

Workaround

This vulnerability can be mitigated by not passing decoded user data as encoded URIs to any URI class/method, including HttpURI.

PoC

http://browser.check &@vulndetector.com/
http://browser.check #@vulndetector.com/
http://browser.check?@vulndetector.com/
http://browser.check#@vulndetector.com/
http://vulndetector.com\\/

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 12.0.12 or higher.

References

medium severity
new

Improper Neutralization of Special Elements

  • Vulnerable module: ch.qos.logback:logback-classic
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.13.

Overview

ch.qos.logback:logback-classic is a reliable, generic, fast and flexible logging library for Java.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

Remediation

Upgrade ch.qos.logback:logback-classic to version 1.5.13 or higher.

References

medium severity
new

Improper Neutralization of Special Elements

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3 ch.qos.logback:logback-core@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.13.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Improper Neutralization of Special Elements via the JaninoEventEvaluator extension. An attacker can execute arbitrary code by compromising an existing logback configuration file or injecting an environment variable before program execution.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.5.13 or higher.

References

medium severity

XML External Entity (XXE) Injection

  • Vulnerable module: mysql:mysql-connector-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16
    Remediation: Upgrade to mysql:mysql-connector-java@8.0.27.

Overview

mysql:mysql-connector-java is a provides connectivity for client applications developed in the Java programming language with MySQL Connector/J, a driver that implements the Java Database Connectivity (JDBC) API.

Affected versions of this package are vulnerable to XML External Entity (XXE) Injection via the getSource() method, due to a missing check for external entities.

Details

XXE Injection is a type of attack against an application that parses XML input. XML is a markup language that defines a set of rules for encoding documents in a format that is both human-readable and machine-readable. By default, many XML processors allow specification of an external entity, a URI that is dereferenced and evaluated during XML processing. When an XML document is being parsed, the parser can make a request and include the content at the specified URI inside of the XML document.

Attacks can include disclosing local files, which may contain sensitive data such as passwords or private user data, using file: schemes or relative paths in the system identifier.

For example, below is a sample XML document, containing an XML element- username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
   <username>John</username>
</xml>

An external XML entity - xxe, is defined using a system identifier and present within a DOCTYPE header. These entities can access local or remote content. For example the below code contains an external XML entity that would fetch the content of /etc/passwd and display it to the user rendered by username.

<xml>
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE foo [
   <!ENTITY xxe SYSTEM "file:///etc/passwd" >]>
   <username>&xxe;</username>
</xml>

Other XXE Injection attacks can access local resources that may not stop returning data, possibly impacting application availability and leading to Denial of Service.

Remediation

Upgrade mysql:mysql-connector-java to version 8.0.27 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: com.google.protobuf:protobuf-java
  • Introduced through: mysql:mysql-connector-java@8.0.16

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 mysql:mysql-connector-java@8.0.16 com.google.protobuf:protobuf-java@3.6.1
    Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.

Overview

com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Affected versions of this package are vulnerable to Denial of Service (DoS) via the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.

References

medium severity

Information Exposure

  • Vulnerable module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.199

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 com.h2database:h2@1.4.199
    Remediation: Upgrade to com.h2database:h2@2.2.220.

Overview

com.h2database:h2 is a database engine

Affected versions of this package are vulnerable to Information Exposure when H2 web-based admin console was started via the CLI with the argument -webAdminPassword, which allows a local user to specify the password in plaintext for the web admin console. Consequently, a malicious local user or an attacker that has obtained local access through some means would be able to get the password for the H2 web admin console by looking at the running processes.

Vendor Statement: "This is not a vulnerability of the H2 Console, this is an example of how not to use it. I think there is nothing to do with it on the H2 side. Passwords should never be passed on the command line, and every qualified DBA or system administrator is expected to know that."

Remediation

Upgrade com.h2database:h2 to version 2.2.220 or higher.

References

medium severity

Improper Handling of Length Parameter Inconsistency

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.52.v20230823.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.52.v20230823.

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Handling of Length Parameter Inconsistency via the HttpParser.java component due to accepting the + character proceeding the content-length value in a HTTP/1 header field. An attacker can use jetty in combination with a server that does not close the connection after rejecting such request and after sending a 400 response. This could result in request smuggling.

PoC

 POST / HTTP/1.1
 Host: a.com
 Content-Length: +16
 Connection: close
 ​
 0123456789abcdef

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.52.v20230823, 10.0.16, 11.0.16, 12.0.1 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.37.v20210219.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.37.v20210219.

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS). When Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.37.v20210219, 10.0.1, 11.0.1 or higher.

References

medium severity

Denial of Service (DoS)

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.51.v20230217.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.51.v20230217.

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Denial of Service (DoS) such that servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content.

Note: This happens even with the default settings of fileSizeThreshold=0, which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time.

Workaround

Users unable to upgrade can set the multipart parameter maxRequestSize, which must be set to a non-negative value.

Details

Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.

Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.

One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.

When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.

Two common types of DoS vulnerabilities:

  • High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.

  • Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm ws package

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

References

medium severity

Improper Locking

  • Vulnerable module: org.jetbrains.kotlin:kotlin-stdlib
  • Introduced through: org.jetbrains.kotlin:kotlin-stdlib@1.3.40

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.jetbrains.kotlin:kotlin-stdlib@1.3.40
    Remediation: Upgrade to org.jetbrains.kotlin:kotlin-stdlib@1.6.0.

Overview

org.jetbrains.kotlin:kotlin-stdlib is a Kotlin Standard Library for JVM.

Affected versions of this package are vulnerable to Improper Locking due to inability to lock dependencies for Multiplatform Gradle Projects.

Remediation

Upgrade org.jetbrains.kotlin:kotlin-stdlib to version 1.6.0 or higher.

References

medium severity

Insufficient Hostname Verification

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3 ch.qos.logback:logback-core@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.2.7.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Insufficient Hostname Verification. X.509 are not properly validated. By spoofing the TLS/SSL server via a certificate that appears valid, an attacker with the ability to intercept network traffic (e.g. MitM, DNS cache poisoning) can disclose and optionally manipulate transmitted data.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.2.7 or higher.

References

medium severity

HTTP Request Smuggling

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.35.v20201120.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.35.v20201120.

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to HTTP Request Smuggling. If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3 or higher.

References

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-classic
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3

Dual license: EPL-1.0, LGPL-2.1

medium severity

Dual license: EPL-1.0, LGPL-2.1

  • Module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3 ch.qos.logback:logback-core@1.2.3

Dual license: EPL-1.0, LGPL-2.1

medium severity

Dual license: MPL-2.0, EPL-1.0

  • Module: com.h2database:h2
  • Introduced through: com.h2database:h2@1.4.199

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 com.h2database:h2@1.4.199

Dual license: MPL-2.0, EPL-1.0

low severity

Information Exposure

  • Vulnerable module: org.jetbrains.kotlin:kotlin-stdlib
  • Introduced through: org.jetbrains.kotlin:kotlin-stdlib@1.3.40

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.jetbrains.kotlin:kotlin-stdlib@1.3.40
    Remediation: Upgrade to org.jetbrains.kotlin:kotlin-stdlib@2.1.0.

Overview

org.jetbrains.kotlin:kotlin-stdlib is a Kotlin Standard Library for JVM.

Affected versions of this package are vulnerable to Information Exposure. A Kotlin application using createTempDir or createTempFile and placing sensitive information within either of these locations would be leaking this information in a read-only way to other users also on this system.

Note: As of version 1.4.21, the vulnerable functions have been marked as deprecated. Due to still being usable, this advisory is kept as "unfixed".

PoC by JLLeitschuh

package org.jlleitschuh.sandbox

import org.junit.jupiter.api.Test
import java.io.BufferedReader
import java.io.File
import java.io.IOException
import java.io.InputStreamReader
import java.nio.file.Files

class KotlinTempDirectoryPermissionCheck {
    @Test
    fun `kotlin check default directory permissions`() {
        val dir = createTempDir()
        runLS(dir.parentFile, dir) // Prints drwxr-xr-x
    }

    @Test
    fun `Files check default directory permissions`() {
        val dir = Files.createTempDirectory("random-directory")
        runLS(dir.toFile().parentFile, dir.toFile()) // Prints drwx------
    }

    @Test
    fun `kotlin check default file permissions`() {
        val file = createTempFile()
        runLS(file.parentFile, file) // Prints -rw-r--r--
    }

    @Test
    fun `Files check default file permissions`() {
        val file = Files.createTempFile("random-file", ".txt")
        runLS(file.toFile().parentFile, file.toFile()) // Prints -rw-------
    }

    private fun runLS(file: File, lookingFor: File) {
        val processBuilder = ProcessBuilder()
        processBuilder.command("ls", "-l", file.absolutePath)
        try {
            val process = processBuilder.start()
            val output = StringBuilder()
            val reader = BufferedReader(
                InputStreamReader(process.inputStream)
            )
            reader.lines().forEach { line ->
                if (line.contains("total")) {
                    output.append(line).append('\n')
                }
                if (line.contains(lookingFor.name)) {
                    output.append(line).append('\n')
                }
            }
            val exitVal = process.waitFor()
            if (exitVal == 0) {
                println("Success!")
                println(output)
            } else {
                //abnormal...
            }
        } catch (e: IOException) {
            e.printStackTrace()
        } catch (e: InterruptedException) {
            e.printStackTrace()
        }
    }
}

Remediation

Upgrade org.jetbrains.kotlin:kotlin-stdlib to version 2.1.0 or higher.

References

low severity

Information Exposure

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.41.v20210516.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.41.v20210516.

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure. If an exception is thrown by the SessionListener#sessionDestroyed() method, the session ID will not be validated in the manager, which may allow the application to be left logged in on a shared computer.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 11.0.3, 10.0.3, 9.4.41 or higher.

References

low severity

Improper Input Validation

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.47.v20220610.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.47.v20220610.

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Improper Input Validation due to improper URI paring in the HttpURI class.

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.47, 10.0.10, 11.0.10 or higher.

References

low severity
new

Server-side Request Forgery (SSRF)

  • Vulnerable module: ch.qos.logback:logback-core
  • Introduced through: ch.qos.logback:logback-classic@1.2.3

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 ch.qos.logback:logback-classic@1.2.3 ch.qos.logback:logback-core@1.2.3
    Remediation: Upgrade to ch.qos.logback:logback-classic@1.5.13.

Overview

ch.qos.logback:logback-core is a logback-core module.

Affected versions of this package are vulnerable to Server-side Request Forgery (SSRF) through the SaxEventRecorder process. An attacker can forge requests by compromising logback configuration files in XML.

Remediation

Upgrade ch.qos.logback:logback-core to version 1.5.13 or higher.

References

low severity

Information Exposure

  • Vulnerable module: org.eclipse.jetty:jetty-http
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.51.v20230217.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429 org.eclipse.jetty:jetty-http@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.51.v20230217.

Overview

org.eclipse.jetty:jetty-http is an is a http module for jetty server.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

Remediation

Upgrade org.eclipse.jetty:jetty-http to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

References

low severity

Information Exposure

  • Vulnerable module: org.eclipse.jetty:jetty-server
  • Introduced through: org.eclipse.jetty:jetty-server@9.4.18.v20190429 and org.eclipse.jetty:jetty-servlet@9.4.18.v20190429

Detailed paths

  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-server@9.4.51.v20230217.
  • Introduced through: ray-eldath/avalon@ray-eldath/avalon#96b54cb435fa73a842beaa1a954b216e2ac42384 org.eclipse.jetty:jetty-servlet@9.4.18.v20190429 org.eclipse.jetty:jetty-security@9.4.18.v20190429 org.eclipse.jetty:jetty-server@9.4.18.v20190429
    Remediation: Upgrade to org.eclipse.jetty:jetty-servlet@9.4.51.v20230217.

Overview

org.eclipse.jetty:jetty-server is a lightweight highly scalable java based web server and servlet engine.

Affected versions of this package are vulnerable to Information Exposure such that nonstandard cookie parsing may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with " (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. Exploiting this vulnerability results in cookies exfiltration and policy based on cookies bypass.

Note: A cookie header such as: DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies.

Remediation

Upgrade org.eclipse.jetty:jetty-server to version 9.4.51, 10.0.14, 11.0.14, 12.0.0.beta0 or higher.

References