Find, fix and prevent vulnerabilities in your code.
critical severity
- Vulnerable module: org.postgresql:postgresql
- Introduced through: org.postgresql:postgresql@42.6.0
Detailed paths
-
Introduced through: ursinn/java-databaselib@ursinn/java-databaselib#45fa5f4f6c41f8913e72c36a8e33ff2fceb4214d › org.postgresql:postgresql@42.6.0Remediation: Upgrade to org.postgresql:postgresql@42.6.1.
Overview
org.postgresql:postgresql is a Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database.
Affected versions of this package are vulnerable to SQL Injection when using PreferQueryMode=SIMPLE, which is not the default setting. By passing in a numeric value placeholder immediately preceded by a minus and followed by a second placeholder for a string value, on the same line, an attacker can construct a payload that alters the parameterized query into which it is interpolated. This effectively bypasses the protections against SQL Injection that parameterized queries offer.
Remediation
Upgrade org.postgresql:postgresql to version 42.2.28.jre7, 42.3.9, 42.4.4, 42.5.5, 42.6.1, 42.7.2 or higher.
References
high severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.30
Detailed paths
-
Introduced through: ursinn/java-databaselib@ursinn/java-databaselib#45fa5f4f6c41f8913e72c36a8e33ff2fceb4214d › mysql:mysql-connector-java@8.0.30 › com.google.protobuf:protobuf-java@3.19.4Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Stack-based Buffer Overflow via the parsing of nested groups or series of SGROUP tags as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields. An attacker can cause infinite recursion by sending malicious Protocol Buffer data.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.25.5, 4.27.5, 4.28.2 or higher.
References
high severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.30
Detailed paths
-
Introduced through: ursinn/java-databaselib@ursinn/java-databaselib#45fa5f4f6c41f8913e72c36a8e33ff2fceb4214d › mysql:mysql-connector-java@8.0.30 › com.google.protobuf:protobuf-java@3.19.4Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Denial of Service (DoS) in MessageReflection.java due to a text format parsing issue. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.
References
high severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.30
Detailed paths
-
Introduced through: ursinn/java-databaselib@ursinn/java-databaselib#45fa5f4f6c41f8913e72c36a8e33ff2fceb4214d › mysql:mysql-connector-java@8.0.30 › com.google.protobuf:protobuf-java@3.19.4Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Denial of Service (DoS) when providing inputs containing multiple instances of non-repeated embedded messages, with repeated or unknown fields. The vulnerability exists due to a parsing issue in the Message-Type Extensions. Exploiting this vulnerability causes objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.
References
high severity
- Module: mysql:mysql-connector-java
- Introduced through: mysql:mysql-connector-java@8.0.30
Detailed paths
-
Introduced through: ursinn/java-databaselib@ursinn/java-databaselib#45fa5f4f6c41f8913e72c36a8e33ff2fceb4214d › mysql:mysql-connector-java@8.0.30
GPL-2.0 license
medium severity
- Vulnerable module: com.google.protobuf:protobuf-java
- Introduced through: mysql:mysql-connector-java@8.0.30
Detailed paths
-
Introduced through: ursinn/java-databaselib@ursinn/java-databaselib#45fa5f4f6c41f8913e72c36a8e33ff2fceb4214d › mysql:mysql-connector-java@8.0.30 › com.google.protobuf:protobuf-java@3.19.4Remediation: Upgrade to mysql:mysql-connector-java@8.0.31.
Overview
com.google.protobuf:protobuf-java is a Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.
Affected versions of this package are vulnerable to Denial of Service (DoS) via the parsing procedure for binary and text format data. Input streams containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses.
Details
Denial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.
Unlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.
One popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.
When it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.
Two common types of DoS vulnerabilities:
High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, commons-fileupload:commons-fileupload.
Crash - An attacker sending crafted requests that could cause the system to crash. For Example, npm
wspackage
Remediation
Upgrade com.google.protobuf:protobuf-java to version 3.16.3, 3.19.6, 3.20.3, 3.21.7 or higher.