Vulnerable Library - temporal-sdk-1.3.1.jar
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.12.5/725e364cc71b80e60fa450bd06d75cdea7fb2d59/jackson-core-2.12.5.jar
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in |
Remediation Available |
CVE-2021-41269 |
High |
9.8 |
cron-utils-9.1.5.jar |
Transitive |
1.5.0 |
✅ |
WS-2021-0419 |
High |
7.7 |
gson-2.8.8.jar |
Transitive |
1.5.0 |
✅ |
CVE-2020-36518 |
High |
7.5 |
jackson-databind-2.12.5.jar |
Transitive |
1.4.0 |
✅ |
WS-2021-0616 |
Medium |
5.9 |
multiple |
Transitive |
1.4.0 |
✅ |
CVE-2021-22569 |
Medium |
5.5 |
protobuf-java-3.17.3.jar |
Transitive |
1.6.0 |
✅ |
Details
CVE-2021-41269
Vulnerable Library - cron-utils-9.1.5.jar
A Java library to parse, migrate and validate crons as well as describe them in human readable
language
Library home page: http://cron-parser.com/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.cronutils/cron-utils/9.1.5/f8e751f72522f3a650dc0513bf8c3defa5ad89a5/cron-utils-9.1.5.jar
Dependency Hierarchy:
- temporal-sdk-1.3.1.jar (Root Library)
- ❌ cron-utils-9.1.5.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
cron-utils is a Java library to define, parse, validate, migrate crons as well as get human readable descriptions for them. In affected versions A template Injection was identified in cron-utils enabling attackers to inject arbitrary Java EL expressions, leading to unauthenticated Remote Code Execution (RCE) vulnerability. Versions up to 9.1.2 are susceptible to this vulnerability. Please note, that only projects using the @Cron annotation to validate untrusted Cron expressions are affected. The issue was patched and a new version was released. Please upgrade to version 9.1.6. There are no known workarounds known.
Publish Date: 2021-11-15
URL: CVE-2021-41269
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-p9m8-27x8-rg87
Release Date: 2021-11-15
Fix Resolution (com.cronutils:cron-utils): 9.1.6
Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.5.0
⛑️ Automatic Remediation is available for this issue
WS-2021-0419
Vulnerable Library - gson-2.8.8.jar
Library home page: https://github.com/google/gson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.8/431fc3cbc0ff81abdbfde070062741089c3ba874/gson-2.8.8.jar
Dependency Hierarchy:
- temporal-sdk-1.3.1.jar (Root Library)
- ❌ gson-2.8.8.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9
Release Date: 2021-10-11
Fix Resolution (com.google.code.gson:gson): 2.8.9
Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.5.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-36518
Vulnerable Library - jackson-databind-2.12.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.5/b064cf057f23d3d35390328c5030847efeffedde/jackson-databind-2.12.5.jar
Dependency Hierarchy:
- temporal-sdk-1.3.1.jar (Root Library)
- ❌ jackson-databind-2.12.5.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
WhiteSource Note: After conducting further research, WhiteSource has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2816
Release Date: 2022-03-11
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1
Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.4.0
⛑️ Automatic Remediation is available for this issue
WS-2021-0616
Vulnerable Libraries - jackson-databind-2.12.5.jar, jackson-core-2.12.5.jar
jackson-databind-2.12.5.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.12.5/b064cf057f23d3d35390328c5030847efeffedde/jackson-databind-2.12.5.jar
Dependency Hierarchy:
- temporal-sdk-1.3.1.jar (Root Library)
- ❌ jackson-databind-2.12.5.jar (Vulnerable Library)
jackson-core-2.12.5.jar
Core Jackson processing abstractions (aka Streaming API), implementation for JSON
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.12.5/725e364cc71b80e60fa450bd06d75cdea7fb2d59/jackson-core-2.12.5.jar
Dependency Hierarchy:
- temporal-sdk-1.3.1.jar (Root Library)
- jackson-datatype-jsr310-2.12.5.jar
- ❌ jackson-core-2.12.5.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
FasterXML jackson-databind before 2.12.6 and 2.13.1 there is DoS when using JDK serialization to serialize JsonNode.
Publish Date: 2021-11-20
URL: WS-2021-0616
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#3328
Release Date: 2021-11-20
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6
Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.4.0
Fix Resolution (com.fasterxml.jackson.core:jackson-core): 2.12.6
Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.4.0
⛑️ Automatic Remediation is available for this issue
CVE-2021-22569
Vulnerable Library - protobuf-java-3.17.3.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.17.3/313b1861fa9312dd71e1033a77c2e64fb1a94dd3/protobuf-java-3.17.3.jar
Dependency Hierarchy:
- temporal-sdk-1.3.1.jar (Root Library)
- temporal-serviceclient-1.3.1.jar
- protobuf-java-util-3.17.3.jar
- ❌ protobuf-java-3.17.3.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-10
URL: CVE-2021-22569
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wrvw-hg22-4m67
Release Date: 2022-01-10
Fix Resolution (com.google.protobuf:protobuf-java): 3.18.2
Direct dependency fix Resolution (io.temporal:temporal-sdk): 1.6.0
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.