Vulnerabilities	3 via 4 paths
Dependencies	31
Source	GitHub
Commit	75a17f1f

Find, fix and prevent vulnerabilities in your code.

Test and protect my applications

Issue type

Vulnerabilities
3
License issues
3

Severity

Critical
High
2
Medium
4
Low

Status

Open
6
Patched
0
Ignored
0

high severity

Uncontrolled Recursion

Vulnerable module: org.apache.commons:commons-lang3
Introduced through: dev.openfeature:sdk@1.0.0

Detailed paths

Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3 › org.apache.commons:commons-lang3@3.12.0

Remediation: Upgrade to dev.openfeature:sdk@1.18.0.
Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3 › org.apache.commons:commons-text@1.10.0 › org.apache.commons:commons-lang3@3.12.0

Remediation: Upgrade to dev.openfeature:sdk@1.18.0.

Overview

Affected versions of this package are vulnerable to Uncontrolled Recursion via the ClassUtils.getClass function. An attacker can cause the application to terminate unexpectedly by providing excessively long input values.

Remediation

Upgrade org.apache.commons:commons-lang3 to version 3.18.0 or higher.

References

Uncontrolled Recursion vulnerability report

high severity

Out-of-bounds Write

Vulnerable module: org.apache.bcel:bcel
Introduced through: dev.openfeature:sdk@1.0.0

Detailed paths

Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3 › org.apache.bcel:bcel@6.5.0

Remediation: Upgrade to dev.openfeature:sdk@1.7.0.

Overview

Affected versions of this package are vulnerable to Out-of-bounds Write where a number of APIs can be used to produce arbitrary bytecode. This can be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected.

Remediation

Upgrade org.apache.bcel:bcel to version 6.6.0 or higher.

References

Out-of-bounds Write vulnerability report

medium severity

new

Improper Validation of Certificate with Host Mismatch

Vulnerable module: org.apache.logging.log4j:log4j-core
Introduced through: dev.openfeature:sdk@1.0.0

Detailed paths

Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3 › org.apache.logging.log4j:log4j-core@2.19.0

Overview

org.apache.logging.log4j:log4j-core is a logging library for Java.

Affected versions of this package are vulnerable to Improper Validation of Certificate with Host Mismatch due to the lack of TLS hostname verification in the SocketAppender component. An attacker can intercept or redirect log traffic by performing a man-in-the-middle attack if they are able to intercept or redirect network traffic between the client and the log receiver and can present a server certificate issued by a certification authority trusted by the configured trust store or the default Java trust store.

Workaround

This vulnerability can be mitigated by configuring the SocketAppender to use a private or restricted trust root to limit the set of trusted certificates.

Remediation

Upgrade org.apache.logging.log4j:log4j-core to version 2.25.3 or higher.

References

Improper Validation of Certificate with Host Mismatch vulnerability report

medium severity

LGPL-2.1 license

Module: com.github.spotbugs:spotbugs
Introduced through: dev.openfeature:sdk@1.0.0

Detailed paths

Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3

LGPL-2.1 license

LGPL-2.1 license vulnerability report

medium severity

LGPL-2.1 license

Module: com.github.spotbugs:spotbugs-annotations
Introduced through: dev.openfeature:sdk@1.0.0

Detailed paths

Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3 › com.github.spotbugs:spotbugs-annotations@4.7.3

LGPL-2.1 license

LGPL-2.1 license vulnerability report

medium severity

MPL-2.0 license

Module: net.sf.saxon:Saxon-HE
Introduced through: dev.openfeature:sdk@1.0.0

Detailed paths

Introduced through: rollout/cloudbees-openfeature-provider-java@rollout/cloudbees-openfeature-provider-java#75a17f1f9c64b98829780c34cb032563443f3eed › dev.openfeature:sdk@1.0.0 › com.github.spotbugs:spotbugs@4.7.3 › net.sf.saxon:Saxon-HE@11.4

MPL-2.0 license

MPL-2.0 license vulnerability report

Vulnerabilities

Dependencies

Source

Commit

Find, fix and prevent vulnerabilities in your code.

high severity

Uncontrolled Recursion

Detailed paths

Overview

Remediation

References

high severity

Out-of-bounds Write

Detailed paths

Overview

Remediation

References

medium severity new

Improper Validation of Certificate with Host Mismatch

Detailed paths

Overview

Workaround

Remediation

References

medium severity

LGPL-2.1 license

Detailed paths

medium severity

LGPL-2.1 license

Detailed paths

medium severity

MPL-2.0 license

Detailed paths

medium severity

new