synopsys-detect's People

Contributors

bamandel, darkgran1, ekerwin, foosbar, jakemathews, jamesrichard91, mend-bolt-for-github[bot], nmfaulkner, patrickwilliamconway, psantos1113, rickity-cricket, rmannibucau, romeara, rottebds, s0, stavvy-akamen, stevebillings, sturdy5, taikuukaits, utsavsanghani

synopsys-detect's Issues

CVE-2022-22965 (Critical) detected in spring-beans-5.1.7.RELEASE.jar

CVE-2022-22965 - Critical Severity Vulnerability

Vulnerable Library - spring-beans-5.1.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.7.RELEASE.jar (Vulnerable Library)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE


Step up your Open Source Security Game with Mend here

CVE-2021-35517 (High) detected in commons-compress-1.18.jar

CVE-2021-35517 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


WS-2021-0419 (High) detected in com-google-gson-RELEASE113.jar

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - com-google-gson-RELEASE113.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • com-google-gson-RELEASE113.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

A Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9


CVE-2022-41854 (Medium) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-41854 - Medium Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2020-7595 (High) detected in nokogiri-1.7.1.gem

CVE-2020-7595 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.

Publish Date: 2020-01-21

URL: CVE-2020-7595

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7595

Release Date: 2020-01-21

Fix Resolution: nokogiri - 1.10.8


CVE-2021-35516 (High) detected in commons-compress-1.18.jar

CVE-2021-35516 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2020-25649 (High) detected in jackson-databind-2.10.0.jar

CVE-2020-25649 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.

Publish Date: 2020-12-03

URL: CVE-2020-25649

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-03

Fix Resolution: 2.10.5.1


CVE-2022-38751 (Medium) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-38751 - Medium Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2022-29181 (High) detected in nokogiri-1.7.1.gem

CVE-2022-29181 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6


WS-2022-0089 (High) detected in nokogiri-1.7.1.gem

WS-2022-0089 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2


CVE-2022-27772 (High) detected in spring-boot-2.1.5.RELEASE.jar

CVE-2022-27772 - High Severity Vulnerability

Vulnerable Library - spring-boot-2.1.5.RELEASE.jar

Spring Boot

Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/2.1.5.RELEASE/939061a385b4e30e115978d78a7412fb984674df/spring-boot-2.1.5.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/2.1.5.RELEASE/939061a385b4e30e115978d78a7412fb984674df/spring-boot-2.1.5.RELEASE.jar

Dependency Hierarchy:

  • spring-boot-starter-test-2.1.5.RELEASE.jar (Root Library)
    • spring-boot-test-2.1.5.RELEASE.jar
      • spring-boot-2.1.5.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

Publish Date: 2022-03-30

URL: CVE-2022-27772

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm59-pr5q-cw85

Release Date: 2022-03-30

Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.2.11.RELEASE


CVE-2021-31812 (Medium) detected in pdfbox-2.0.12.jar

CVE-2021-31812 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.12.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • integration-reporting-0.3.5.jar
      • pdfbox-2.0.12.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Publish Date: 2021-06-12

URL: CVE-2021-31812

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31812

Release Date: 2021-06-12

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2022-42003 (High) detected in jackson-databind-2.10.0.jar

CVE-2022-42003 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: 2.12.7.1


CVE-2017-18258 (Medium) detected in nokogiri-1.7.1.gem

CVE-2017-18258 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.

Publish Date: 2018-04-08

URL: CVE-2017-18258

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-882p-jqgm-f45g

Release Date: 2018-04-08

Fix Resolution: nokogiri - 1.8.2


CVE-2020-36518 (High) detected in jackson-databind-2.10.0.jar

CVE-2020-36518 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.

Publish Date: 2022-03-11

URL: CVE-2020-36518

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-03-11

Fix Resolution: 2.12.6.1


WS-2022-0334 (Medium) detected in nokogiri-1.7.1.gem - autoclosed

WS-2022-0334 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

nokogiri up to and including 1.13.8 is affected by several vulnerabilities (CVE-2022-40303, CVE-2022-40304 and CVE-2022-2309) in its bundled libxml2 dependency. Version 1.13.9 of nokogiri contains a patch where the dependency is upgraded with the patches as well.

Publish Date: 2022-10-18

URL: WS-2022-0334

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qc6-mcvw-92cw

Release Date: 2022-10-18

Fix Resolution: nokogiri - 1.13.9


CVE-2022-25857 (High) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-25857 - High Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2022-31163 (High) detected in tzinfo-1.2.3.gem

CVE-2022-31163 - High Severity Vulnerability

Vulnerable Library - tzinfo-1.2.3.gem

TZInfo provides daylight savings aware transformations between times in different time zones.

Library home page: https://rubygems.org/gems/tzinfo-1.2.3.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/tzinfo-1.2.3.gem

Dependency Hierarchy:

  • cocoapods-check-1.0.1.gem (Root Library)
    • cocoapods-1.2.1.gem
      • activesupport-4.2.8.gem
        • tzinfo-1.2.3.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.

Publish Date: 2022-07-22

URL: CVE-2022-31163

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-5cm2-9h8c-rvfx

Release Date: 2022-07-22

Fix Resolution: tzinfo - 0.3.61, 1.2.10


CVE-2017-9050 (High) detected in nokogiri-1.7.1.gem

CVE-2017-9050 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.

Publish Date: 2017-05-18

URL: CVE-2017-9050

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050

Release Date: 2017-05-18

Fix Resolution: 2.9.5


CVE-2022-1471 (Critical) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-1471 - Critical Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374

Release Date: 2022-12-01

Fix Resolution (org.yaml:snakeyaml): 2.0

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2021-27807 (Medium) detected in pdfbox-2.0.12.jar

CVE-2021-27807 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.12.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • integration-reporting-0.3.5.jar
      • pdfbox-2.0.12.jar (Vulnerable Library)

Vulnerability Details

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Publish Date: 2021-03-19

URL: CVE-2021-27807

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27807

Release Date: 2021-03-19

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2022-25648 (Critical) detected in git-1.3.0.gem

CVE-2022-25648 - Critical Severity Vulnerability

Vulnerable Library - git-1.3.0.gem

Library home page: https://rubygems.org/gems/git-1.3.0.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/git-1.3.0.gem

Dependency Hierarchy:

  • danger-5.1.1.gem (Root Library)
    • git-1.3.0.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Publish Date: 2022-04-19

URL: CVE-2022-25648

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25648

Release Date: 2022-04-19

Fix Resolution: git - 1.11.0


CVE-2021-42550 (Medium) detected in logback-core-1.2.3.jar, logback-classic-1.2.3.jar

CVE-2021-42550 - Medium Severity Vulnerability

Vulnerable Libraries - logback-core-1.2.3.jar, logback-classic-1.2.3.jar

logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.3/864344400c3d4d92dfeb0a305dc87d953677c03c/logback-core-1.2.3.jar,/root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.3/864344400c3d4d92dfeb0a305dc87d953677c03c/logback-core-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.1.5.RELEASE.jar (Root Library)
    • spring-boot-starter-logging-2.1.5.RELEASE.jar
      • logback-classic-1.2.3.jar
        • logback-core-1.2.3.jar (Vulnerable Library)

logback-classic-1.2.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.3/7c4f3c474fb2c041d8028740440937705ebb473a/logback-classic-1.2.3.jar,/root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.3/7c4f3c474fb2c041d8028740440937705ebb473a/logback-classic-1.2.3.jar

Dependency Hierarchy:

  • spring-boot-starter-2.1.5.RELEASE.jar (Root Library)
    • spring-boot-starter-logging-2.1.5.RELEASE.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing arbitrary code loaded from LDAP servers to be executed.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8


CVE-2022-24440 (Critical) detected in cocoapods-downloader-1.1.3.gem

CVE-2022-24440 - Critical Severity Vulnerability

Vulnerable Library - cocoapods-downloader-1.1.3.gem

Library home page: https://rubygems.org/gems/cocoapods-downloader-1.1.3.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/cocoapods-downloader-1.1.3.gem

Dependency Hierarchy:

  • cocoapods-check-1.0.1.gem (Root Library)
    • cocoapods-1.2.1.gem
      • cocoapods-downloader-1.1.3.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The package cocoapods-downloader before 1.6.0, from 1.6.2 and before 1.6.3 is vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Publish Date: 2022-04-01

URL: CVE-2022-24440

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24440

Release Date: 2022-04-01

Fix Resolution: cocoapods-downloader - 1.6.0, 1.6.3


CVE-2020-26247 (Medium) detected in nokogiri-1.7.1.gem

CVE-2020-26247 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Publish Date: 2020-12-30

URL: CVE-2020-26247

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-12-30

Fix Resolution: 1.11.0.rc4


CVE-2022-22950 (Medium) detected in spring-expression-5.1.7.RELEASE.jar

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.1.7.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.1.7.RELEASE/7b47446553c83a5a7323d647f5c1793106b2948c/spring-expression-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.1.7.RELEASE/7b47446553c83a5a7323d647f5c1793106b2948c/spring-expression-5.1.7.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.7.RELEASE.jar (Root Library)
    • spring-expression-5.1.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE


WS-2009-0001 (Medium) detected in commons-codec-1.11.jar - autoclosed

WS-2009-0001 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /tmp/ws-scm/synopsys-detect/detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields. Updated 2018-10-07: an additional review by the WhiteSource research team could not indicate a clear security vulnerability.

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (4.8)

Base Score Metrics not available


CVE-2021-35515 (High) detected in commons-compress-1.18.jar

CVE-2021-35515 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2021-22096 (Medium) detected in spring-core-5.1.7.RELEASE.jar

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Library - spring-core-5.1.7.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar

Dependency Hierarchy:

  • spring-core-5.1.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: 5.2.18.RELEASE


CVE-2018-14404 (High) detected in nokogiri-1.7.1.gem

CVE-2018-14404 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.

Publish Date: 2018-07-19

URL: CVE-2018-14404

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-19

Fix Resolution: nokogiri - 2.9.5, libxml2 - 2.9.9


CVE-2022-25647 (High) detected in com-google-gson-RELEASE113.jar

CVE-2022-25647 - High Severity Vulnerability

Vulnerable Library - com-google-gson-RELEASE113.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • com-google-gson-RELEASE113.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9


CVE-2017-18640 (High) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2019-5477 (Critical) detected in nokogiri-1.7.1.gem

CVE-2019-5477 - Critical Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.

Publish Date: 2019-08-16

URL: CVE-2019-5477

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-16

Fix Resolution: nokogiri-v1.10.4, rexical-v1.0.7


CVE-2022-42004 (High) detected in jackson-databind-2.10.0.jar

CVE-2022-42004 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.10.0.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar

Dependency Hierarchy:

  • jackson-databind-2.10.0.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: 2.12.7.1


CVE-2022-22970 (Medium) detected in spring-beans-5.1.7.RELEASE.jar, spring-core-5.1.7.RELEASE.jar

CVE-2022-22970 - Medium Severity Vulnerability

Vulnerable Libraries - spring-beans-5.1.7.RELEASE.jar, spring-core-5.1.7.RELEASE.jar

spring-beans-5.1.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.7.RELEASE.jar (Vulnerable Library)

spring-core-5.1.7.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar

Dependency Hierarchy:

  • spring-core-5.1.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.22.RELEASE


CVE-2022-21223 (Critical) detected in cocoapods-downloader-1.1.3.gem

CVE-2022-21223 - Critical Severity Vulnerability

Vulnerable Library - cocoapods-downloader-1.1.3.gem

Library home page: https://rubygems.org/gems/cocoapods-downloader-1.1.3.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/cocoapods-downloader-1.1.3.gem

Dependency Hierarchy:

  • cocoapods-check-1.0.1.gem (Root Library)
    • cocoapods-1.2.1.gem
      • cocoapods-downloader-1.1.3.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The package cocoapods-downloader before 1.6.2 is vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the URL (and/or revision, tag, branch) is passed to the hg clone command in a way that additional flags can be set. The additional flags can be used to perform a command injection.

Publish Date: 2022-04-01

URL: CVE-2022-21223

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21223

Release Date: 2022-04-01

Fix Resolution: cocoapods-downloader - 1.6.2


CVE-2021-31811 (Medium) detected in pdfbox-2.0.12.jar

CVE-2021-31811 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.12.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • integration-reporting-0.3.5.jar
      • pdfbox-2.0.12.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Publish Date: 2021-06-12

URL: CVE-2021-31811

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31811

Release Date: 2021-06-12

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2020-13956 (Medium) detected in httpclient-4.5.8.jar

CVE-2020-13956 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.5.8.jar

Apache HttpComponents Client

Library home page: http://hc.apache.org/

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.8/c27c9d6f15435dc2b6947112027b418b0eef32b9/httpclient-4.5.8.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.8/c27c9d6f15435dc2b6947112027b418b0eef32b9/httpclient-4.5.8.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • httpmime-4.5.8.jar
            • httpclient-4.5.8.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.13

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.3.3


CVE-2022-38749 (Medium) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-38749 - Medium Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2020-14001 (Critical) detected in kramdown-1.13.2.gem

CVE-2020-14001 - Critical Severity Vulnerability

Vulnerable Library - kramdown-1.13.2.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.13.2.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.13.2.gem

Dependency Hierarchy:

  • danger-5.1.1.gem (Root Library)
    • kramdown-1.13.2.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.

Publish Date: 2020-07-17

URL: CVE-2020-14001

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001

Release Date: 2020-07-17

Fix Resolution: kramdown - 2.3.0


CVE-2022-24329 (Medium) detected in kotlin-stdlib-1.3.31.jar

CVE-2022-24329 - Medium Severity Vulnerability

Vulnerable Library - kotlin-stdlib-1.3.31.jar

Kotlin Standard Library for JVM

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.31/11289d20fd95ae219333f3456072be9f081c30cc/kotlin-stdlib-1.3.31.jar,/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.31/11289d20fd95ae219333f3456072be9f081c30cc/kotlin-stdlib-1.3.31.jar

Dependency Hierarchy:

  • kotlin-stdlib-jdk8-1.3.31.jar (Root Library)
    • kotlin-stdlib-1.3.31.jar (Vulnerable Library)

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1

Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-stdlib-jdk8): 1.6.0


CVE-2022-38750 (Medium) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-38750 - Medium Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2020-17521 (Medium) detected in groovy-all-2.4.12.jar

CVE-2020-17521 - Medium Severity Vulnerability

Vulnerable Library - groovy-all-2.4.12.jar

Groovy: A powerful, dynamic language for the JVM

Library home page: http://groovy-lang.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.12/760afc568cbd94c09d78f801ce51aed1326710af/groovy-all-2.4.12.jar,/le/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.12/760afc568cbd94c09d78f801ce51aed1326710af/groovy-all-2.4.12.jar

Dependency Hierarchy:

  • groovy-all-2.4.12.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.

Publish Date: 2020-12-07

URL: CVE-2020-17521

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/GROOVY-9824

Release Date: 2020-12-07

Fix Resolution: 2.4.21


CVE-2022-38752 (Medium) detected in snakeyaml-1.24.jar, snakeyaml-1.23.jar

CVE-2022-38752 - Medium Severity Vulnerability

Vulnerable Libraries - snakeyaml-1.24.jar, snakeyaml-1.23.jar

snakeyaml-1.24.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /build.gradle

Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar

Dependency Hierarchy:

  • snakeyaml-1.24.jar (Vulnerable Library)

snakeyaml-1.23.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /detectable/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar

Dependency Hierarchy:

  • jackson-dataformat-yaml-2.9.8.jar (Root Library)
    • snakeyaml-1.23.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2


CVE-2022-24836 (High) detected in nokogiri-1.7.1.gem

CVE-2022-24836 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4


CVE-2021-27906 (Medium) detected in pdfbox-2.0.12.jar

CVE-2021-27906 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.12.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • integration-reporting-0.3.5.jar
      • pdfbox-2.0.12.jar (Vulnerable Library)

Vulnerability Details

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Publish Date: 2021-03-19

URL: CVE-2021-27906

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906

Release Date: 2021-03-19

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2019-12402 (High) detected in commons-compress-1.18.jar

CVE-2019-12402 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Publish Date: 2019-08-30

URL: CVE-2019-12402

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

Release Date: 2019-08-30

Fix Resolution (org.apache.commons:commons-compress): 1.19

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2021-36090 (High) detected in commons-compress-1.18.jar

CVE-2021-36090 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /detect-configuration/build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar

Dependency Hierarchy:

  • blackduck-common-44.2.14.jar (Root Library)
    • blackduck-common-api-2019.6.0.2.jar
      • integration-rest-0.11.1.jar
        • integration-common-17.2.0.jar
          • commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0


CVE-2021-41098 (High) detected in nokogiri-1.7.1.gem

CVE-2021-41098 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.7.1.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem

Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem

Dependency Hierarchy:

  • second_curtain-0.6.0.gem (Root Library)
    • aws-sdk-v1-1.67.0.gem
      • nokogiri-1.7.1.gem (Vulnerable Library)

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5


Step up your Open Source Security Game with Mend here

CVE-2021-28834 (Medium) detected in kramdown-1.13.2.gem - autoclosed

CVE-2021-28834 - Medium Severity Vulnerability

Vulnerable Library - kramdown-1.13.2.gem

kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.

Library home page: https://rubygems.org/gems/kramdown-1.13.2.gem

Path to dependency file: synopsys-detect/detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock

Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.13.2.gem

Dependency Hierarchy:

  • danger-5.1.1.gem (Root Library)
    • kramdown-1.13.2.gem (Vulnerable Library)

Vulnerability Details

Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.

Publish Date: 2021-03-19

URL: CVE-2021-28834

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834

Release Date: 2021-03-19

Fix Resolution: REL_2_3_1


Step up your Open Source Security Game with WhiteSource here
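Both of the Ruby findings above (nokogiri 1.7.1 and kramdown 1.13.2) come from the same test-fixture Gemfile.lock, and the bot reports each one with a dependency hierarchy back to a root gem. The script below is an added example, not part of synopsys-detect or of the Mend bot: it parses a Gemfile.lock, flags gems whose resolved version is below the fix version quoted in the two issues, and reconstructs the path from a root dependency to the vulnerable gem. The lockfile content and the `ADVISORIES` table are constructed from the hierarchies and fix versions shown above; `parse_lockfile`, `dependency_path` and `find_vulnerable` are names chosen for this example.

```ruby
# Added example: flag vulnerable gem versions in a Gemfile.lock and show which
# root dependency pulls each one in. Not part of synopsys-detect; the advisory
# table is copied from the two issues above and the lockfile is constructed.
require 'rubygems' # Gem::Version is used for version comparison

# gem name => CVE and first fixed version, as reported in the issues above
ADVISORIES = {
  'nokogiri' => { cve: 'CVE-2021-41098', fixed: '1.12.5' },
  'kramdown' => { cve: 'CVE-2021-28834', fixed: '2.3.1' },
}.freeze

# Parse the GEM/specs: block and the DEPENDENCIES block of a Gemfile.lock.
# Returns [versions, deps, roots]:
#   versions: 'nokogiri' => '1.7.1'                    (resolved specs)
#   deps:     'aws-sdk-v1' => ['json', 'nokogiri']     (declared runtime deps)
#   roots:    names listed under DEPENDENCIES
def parse_lockfile(text)
  versions = {}
  deps = Hash.new { |h, k| h[k] = [] }
  roots = []
  section = nil
  current = nil
  text.each_line do |raw|
    line = raw.chomp
    next if line.strip.empty?
    if line !~ /\A\s/ # unindented line: GEM, PLATFORMS, DEPENDENCIES, ...
      section = line.strip
      next
    end
    case section
    when 'GEM'
      if (m = line.match(/\A {4}(\S+) \(([^)]+)\)\z/)) # 4-space indent: resolved spec
        current = m[1]
        versions[current] = m[2].split('-').first       # drop platform suffix such as "-x86_64-linux"
      elsif (m = line.match(/\A {6}(\S+)/)) && current  # 6-space indent: dependency of current spec
        deps[current] << m[1]
      end
    when 'DEPENDENCIES'
      roots << line.strip.sub(/ \(.*\z/, '').sub(/!\z/, '') # "danger (~> 5.1)!" -> "danger"
    end
  end
  [versions, deps, roots]
end

# Breadth-first search from the root gems to the target; returns the first
# path found as an array of gem names, or nil if nothing depends on the target.
def dependency_path(deps, roots, target)
  queue = roots.map { |r| [r] }
  seen = {}
  until queue.empty?
    path = queue.shift
    node = path.last
    return path if node == target
    next if seen[node]
    seen[node] = true
    deps[node].each { |d| queue << (path + [d]) }
  end
  nil
end

# One hash per vulnerable gem: { gem:, version:, cve:, fixed:, path: }.
def find_vulnerable(lock_text, advisories = ADVISORIES)
  versions, deps, roots = parse_lockfile(lock_text)
  advisories.map do |name, adv|
    ver = versions[name]
    next unless ver && Gem::Version.new(ver) < Gem::Version.new(adv[:fixed])
    { gem: name, version: ver, cve: adv[:cve], fixed: adv[:fixed],
      path: dependency_path(deps, roots, name) }
  end.compact
end

# Constructed lockfile fragment mirroring the two dependency hierarchies reported above.
SAMPLE_LOCK = <<~LOCK
  GEM
    remote: https://rubygems.org/
    specs:
      aws-sdk-v1 (1.67.0)
        json (~> 1.4)
        nokogiri (>= 1.4.4)
      danger (5.1.1)
        kramdown (~> 1.5)
      json (1.8.6)
      kramdown (1.13.2)
      mini_portile2 (2.1.0)
      nokogiri (1.7.1)
        mini_portile2 (~> 2.1.0)
      second_curtain (0.6.0)
        aws-sdk-v1 (~> 1.59)

  PLATFORMS
    ruby

  DEPENDENCIES
    danger (~> 5.1)
    second_curtain
LOCK

if __FILE__ == $PROGRAM_NAME
  find_vulnerable(SAMPLE_LOCK).each do |f|
    puts "#{f[:cve]}: #{f[:gem]} #{f[:version]} (fixed in #{f[:fixed]}) via #{f[:path].join(' > ')}"
  end
end
```

Run it against a real lockfile with `find_vulnerable(File.read('Gemfile.lock'))`. The reverse path is what makes a finding actionable: neither nokogiri nor kramdown is declared in the Gemfile here, so the fix is bumping (or pinning a minimum for) the transitive dependency, not editing a direct one.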
