
milo's People

Contributors

apupier, asashour, asunc, cmello, comtel2000, ctron, eclipse-milo-bot, eclipsewebmaster, goetzgoerisch, hekonsek, igarciasz, jlleitschuh, joesan, kevinherron, lln-ijinus, locutusv0nb0rg, marcusschneider, mend-bolt-for-github[bot], michaelstofan, mx990, pro, renovate[bot], shoothzj

Stargazers


Forkers

tonjaheinemann

milo's Issues

netty-codec-http-4.1.105.Final.jar: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - netty-codec-http-4.1.105.Final.jar

Library home page: https://netty.io/

Path to dependency file: /milo-examples/client-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.105.Final/netty-codec-http-4.1.105.Final.jar

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Vulnerabilities

CVE             Severity  CVSS  Dependency                          Type    Fixed in (netty-codec-http version)  Remediation Possible**
CVE-2024-29025  Medium    5.3   netty-codec-http-4.1.105.Final.jar  Direct  4.1.108.Final                        Yes

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-29025

Vulnerable Library - netty-codec-http-4.1.105.Final.jar

Library home page: https://netty.io/

Path to dependency file: /milo-examples/client-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.105.Final/netty-codec-http-4.1.105.Final.jar

Dependency Hierarchy:

  • netty-codec-http-4.1.105.Final.jar (Vulnerable Library)

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Found in base branch: develop

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high-performance protocol servers and clients. The HttpPostRequestDecoder can be tricked into accumulating data. Although the decoder can store items on disk if configured to do so, there is no limit on the number of fields a form can have, so an attacker can send a chunked POST consisting of many small fields that are accumulated in the bodyListHttpData list. The decoder also accumulates bytes in the undecodedChunk buffer until it can decode a field, and this field can accumulate data without limit. This vulnerability is fixed in 4.1.108.Final.

Publish Date: 2024-03-25

URL: CVE-2024-29025

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025

Release Date: 2024-03-25

Fix Resolution: 4.1.108.Final


server-examples-0.6.12-SNAPSHOT.jar: 1 vulnerability (highest severity is: 7.5) - autoclosed

Vulnerable Library - server-examples-0.6.12-SNAPSHOT.jar

Path to dependency file: /milo-examples/client-examples/pom.xml

Path to vulnerable library: /milo-examples/server-examples/pom.xml,/milo-examples/client-examples/pom.xml

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Vulnerabilities

CVE            Severity  CVSS  Dependency               Type        Fixed in (server-examples version)  Remediation Possible**
CVE-2023-6481  High      7.5   logback-core-1.2.12.jar  Transitive  N/A*                                No

*For some transitive vulnerabilities, no version of the direct dependency contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-6481

Vulnerable Library - logback-core-1.2.12.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /milo-examples/server-examples/pom.xml

Path to vulnerable library: /milo-examples/server-examples/pom.xml,/milo-examples/client-examples/pom.xml

Dependency Hierarchy:

  • server-examples-0.6.12-SNAPSHOT.jar (Root Library)
    • logback-classic-1.2.12.jar
      • logback-core-1.2.12.jar (Vulnerable Library)

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Found in base branch: develop

Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14


bcprov-jdk18on-1.75.jar: 1 vulnerability (highest severity is: 5.3)

Vulnerable Library - bcprov-jdk18on-1.75.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /opc-ua-sdk/sdk-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.75/bcprov-jdk18on-1.75.jar

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Vulnerabilities

CVE             Severity  CVSS  Dependency               Type    Fixed in (bcprov-jdk18on version)  Remediation Possible**
CVE-2024-30171  Medium    5.3   bcprov-jdk18on-1.75.jar  Direct  1.78                               Yes

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2024-30171

Vulnerable Library - bcprov-jdk18on-1.75.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.8 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /opc-ua-sdk/sdk-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk18on/1.75/bcprov-jdk18on-1.75.jar

Dependency Hierarchy:

  • bcprov-jdk18on-1.75.jar (Vulnerable Library)

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Found in base branch: develop

Vulnerability Details

BouncyCastle before version 1.78 is vulnerable to timing side-channel attacks against RSA decryption (both PKCS#1v1.5 and OAEP).

Publish Date: 2024-03-24

URL: CVE-2024-30171

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2024-03-24

Fix Resolution: 1.78


server-examples-0.6.13-SNAPSHOT.jar: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - server-examples-0.6.13-SNAPSHOT.jar

Path to dependency file: /milo-examples/client-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.12/logback-core-1.2.12.jar

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Vulnerabilities

CVE            Severity  CVSS  Dependency               Type        Fixed in (server-examples version)  Remediation Possible**
CVE-2023-6481  High      7.5   logback-core-1.2.12.jar  Transitive  N/A*                                No

*For some transitive vulnerabilities, no version of the direct dependency contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-6481

Vulnerable Library - logback-core-1.2.12.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /milo-examples/client-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.2.12/logback-core-1.2.12.jar

Dependency Hierarchy:

  • server-examples-0.6.13-SNAPSHOT.jar (Root Library)
    • logback-classic-1.2.12.jar
      • logback-core-1.2.12.jar (Vulnerable Library)

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Found in base branch: develop

Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-12-04

URL: CVE-2023-6481

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-6481

Release Date: 2023-12-04

Fix Resolution: ch.qos.logback:logback-core:1.2.13,1.3.14,1.4.14


Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • chore(deps): update dependency org.apache.maven.plugins:maven-gpg-plugin to v3.2.4
  • fix(deps): update netty monorepo to v4.1.109.final (io.netty:netty-codec-http, io.netty:netty-handler, io.netty:netty-codec)
  • chore(deps): update dependency org.apache.maven.plugins:maven-enforcer-plugin to v3.4.1
  • chore(deps): update dependency org.apache.maven.plugins:maven-failsafe-plugin to v3.2.5
  • chore(deps): update dependency org.apache.maven.plugins:maven-install-plugin to v3.1.1
  • chore(deps): update dependency org.apache.maven.plugins:maven-jar-plugin to v3.4.1
  • chore(deps): update dependency org.apache.maven.plugins:maven-javadoc-plugin to v3.6.3
  • chore(deps): update dependency org.apache.maven.plugins:maven-resources-plugin to v3.3.1
  • chore(deps): update dependency org.apache.maven.plugins:maven-shade-plugin to v3.5.3
  • chore(deps): update dependency org.apache.maven.plugins:maven-site-plugin to v3.12.1
  • chore(deps): update dependency org.apache.maven.plugins:maven-source-plugin to v3.3.1
  • chore(deps): update dependency org.apache.maven.plugins:maven-surefire-plugin to v3.2.5
  • chore(deps): update dependency org.jvnet.jaxb2.maven2:maven-jaxb2-plugin to v0.15.3
  • chore(deps): update dependency org.mockito:mockito-core to v2.28.2
  • chore(deps): update dependency org.testng:testng to v6.14.3
  • fix(deps): update bouncycastle.version to v1.78.1 (org.bouncycastle:bcpkix-jdk18on, org.bouncycastle:bcprov-jdk18on)
  • fix(deps): update dependency ch.qos.logback:logback-classic to v1.5.6
  • fix(deps): update dependency com.digitalpetri.netty:netty-channel-fsm to v0.9
  • fix(deps): update dependency com.google.code.gson:gson to v2.10.1
  • chore(deps): update slf4j monorepo to v2 (major) (org.slf4j:slf4j-jdk14, org.slf4j:jcl-over-slf4j, org.slf4j:slf4j-simple, org.slf4j:slf4j-api)
  • fix(deps): update dependency org.jetbrains:annotations to v24

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Ignored or Blocked

These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.

Detected dependencies

github-actions
.github/workflows/maven.yml
  • actions/checkout v3
  • actions/setup-java v3
  • ubuntu 20.04
maven
build-tools/pom.xml
  • org.apache.maven.plugins:maven-deploy-plugin 3.0.0-M1
  • org.apache.maven.plugins:maven-enforcer-plugin 3.0.0-M3
  • org.apache.maven.plugins:maven-clean-plugin 3.1.0
  • org.apache.maven.plugins:maven-compiler-plugin 3.13.0
  • org.apache.maven.plugins:maven-install-plugin 3.0.0-M1
  • org.apache.maven.plugins:maven-jar-plugin 3.2.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.apache.maven.plugins:maven-site-plugin 3.8.2
  • org.apache.maven.plugins:maven-surefire-plugin 3.0.0-M4
milo-examples/client-examples/pom.xml
  • org.eclipse.milo:milo-examples 0.6.13-SNAPSHOT
  • org.eclipse.milo:sdk-client 0.6.13-SNAPSHOT
  • org.eclipse.milo:dictionary-reader 0.6.13-SNAPSHOT
  • org.eclipse.milo:server-examples 0.6.13-SNAPSHOT
  • ch.qos.logback:logback-classic 1.2.13
  • org.jetbrains:annotations 22.0.0
milo-examples/pom.xml
  • org.apache.maven.plugins:maven-deploy-plugin 3.0.0-M1
milo-examples/server-examples/pom.xml
  • org.eclipse.milo:milo-examples 0.6.13-SNAPSHOT
  • org.eclipse.milo:sdk-server 0.6.13-SNAPSHOT
  • org.eclipse.milo:dictionary-manager 0.6.13-SNAPSHOT
  • ch.qos.logback:logback-classic 1.2.13
  • org.jetbrains:annotations 22.0.0
  • org.apache.maven.plugins:maven-shade-plugin 3.2.2
opc-ua-sdk/dictionary-manager/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
opc-ua-sdk/dictionary-reader/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
  • org.junit.jupiter:junit-jupiter-engine 5.5.2
opc-ua-sdk/integration-tests/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
  • org.junit.jupiter:junit-jupiter-api 5.6.2
  • org.junit.jupiter:junit-jupiter-engine 5.6.2
  • org.apache.maven.plugins:maven-failsafe-plugin 3.0.0-M4
opc-ua-sdk/pom.xml
  • org.jetbrains:annotations 22.0.0
  • org.mockito:mockito-core 2.25.1
  • org.slf4j:slf4j-simple 1.7.32
  • org.codehaus.mojo:findbugs-maven-plugin 3.0.5
  • org.jetbrains:annotations 22.0.0
  • org.jetbrains:annotations 22.0.0
  • org.slf4j:slf4j-simple 1.7.32
  • org.jetbrains:annotations 22.0.0
  • org.testng:testng 6.11
  • org.mockito:mockito-core 2.25.1
  • org.slf4j:slf4j-simple 1.7.32
  • org.slf4j:slf4j-simple 1.7.32
  • org.testng:testng 6.11
  • org.mockito:mockito-core 2.25.1
opc-ua-sdk/sdk-client/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
opc-ua-sdk/sdk-core/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
  • org.junit.jupiter:junit-jupiter-api 5.6.2
  • org.junit.jupiter:junit-jupiter-engine 5.6.2
opc-ua-sdk/sdk-server/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
opc-ua-sdk/sdk-tests/pom.xml
  • org.eclipse.milo:opc-ua-sdk 0.6.13-SNAPSHOT
  • org.apache.maven.plugins:maven-failsafe-plugin 3.0.0-M4
opc-ua-stack/bsd-core/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
  • org.eclipse.milo:stack-core 0.6.13-SNAPSHOT
  • com.sun.activation:jakarta.activation 1.2.2
  • org.glassfish.jaxb:jaxb-runtime 2.3.6
  • org.jvnet.jaxb2.maven2:maven-jaxb2-plugin 0.14.0
opc-ua-stack/bsd-generator/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
  • org.eclipse.milo:bsd-core 0.6.13-SNAPSHOT
opc-ua-stack/bsd-parser-gson/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
  • org.eclipse.milo:bsd-parser 0.6.13-SNAPSHOT
  • com.google.code.gson:gson 2.8.9
  • org.eclipse.milo:bsd-parser 0.6.13-SNAPSHOT
opc-ua-stack/bsd-parser/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
  • org.eclipse.milo:bsd-core 0.6.13-SNAPSHOT
  • com.sun.activation:jakarta.activation 1.2.2
  • org.glassfish.jaxb:jaxb-runtime 2.3.6
opc-ua-stack/pom.xml
  • org.testng:testng 6.9.10
  • org.slf4j:slf4j-simple 1.7.32
  • org.jetbrains:annotations 22.0.0
  • org.testng:testng 6.9.10
  • org.slf4j:slf4j-simple 1.7.32
  • org.codehaus.mojo:findbugs-maven-plugin 3.0.5
  • org.apache.maven.plugins:maven-surefire-plugin 3.0.0-M4
  • org.apache.maven.plugins:maven-failsafe-plugin 3.0.0-M4
  • io.netty:netty-codec-http 4.1.108.Final
  • org.jetbrains:annotations 22.0.0
  • org.bouncycastle:bcprov-jdk18on 1.75
  • org.bouncycastle:bcpkix-jdk18on 1.75
  • com.google.guava:guava 33.1.0-jre
  • io.netty:netty-codec 4.1.108.Final
  • io.netty:netty-handler 4.1.108.Final
  • org.slf4j:slf4j-api 1.7.32
  • org.jetbrains:annotations 22.0.0
  • org.testng:testng 6.9.10
  • org.slf4j:slf4j-simple 1.7.32
  • io.netty:netty-codec-http 4.1.108.Final
  • org.jetbrains:annotations 22.0.0
  • org.testng:testng 6.9.10
  • org.slf4j:slf4j-simple 1.7.32
opc-ua-stack/stack-client/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
  • com.digitalpetri.netty:netty-channel-fsm 0.8
opc-ua-stack/stack-core/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
  • org.glassfish.jaxb:jaxb-runtime 2.3.6
  • org.projectlombok:lombok 1.18.32
  • org.apache.maven.plugins:maven-compiler-plugin 3.13.0
  • org.projectlombok:lombok 1.18.32
opc-ua-stack/stack-server/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
opc-ua-stack/stack-tests/pom.xml
  • org.eclipse.milo:opc-ua-stack 0.6.13-SNAPSHOT
pom.xml
  • org.apache.maven.plugins:maven-source-plugin 3.2.1
  • org.apache.maven.plugins:maven-javadoc-plugin 3.2.0
  • org.apache.maven.plugins:maven-jar-plugin 3.2.0
  • org.apache.maven.plugins:maven-gpg-plugin 3.2.1
  • org.sonatype.plugins:nexus-staging-maven-plugin 1.6.8
  • org.apache.maven.plugins:maven-source-plugin 3.2.1
  • org.apache.maven.plugins:maven-javadoc-plugin 3.2.0
  • org.apache.maven.plugins:maven-checkstyle-plugin 3.0.0
  • com.puppycrawl.tools:checkstyle 8.18
  • org.slf4j:jcl-over-slf4j 1.7.21
  • org.slf4j:slf4j-jdk14 1.7.21
  • org.apache.maven.plugins:maven-enforcer-plugin 3.0.0-M3
  • org.apache.maven.plugins:maven-compiler-plugin 3.13.0
  • org.apache.maven.plugins:maven-jar-plugin 3.2.0
  • org.apache.felix:maven-bundle-plugin 5.1.9
  • org.apache.maven.plugins:maven-release-plugin 3.0.0-M1
  • org.apache.maven.plugins:maven-clean-plugin 3.1.0
  • org.apache.maven.plugins:maven-deploy-plugin 3.0.0-M1
  • org.apache.maven.plugins:maven-install-plugin 3.0.0-M1
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.apache.maven.plugins:maven-site-plugin 3.8.2
  • org.apache.maven.plugins:maven-surefire-plugin 3.0.0-M4
  • org.apache.maven.plugins:maven-checkstyle-plugin 3.0.0


logback-classic-1.2.12.jar: 1 vulnerability (highest severity is: 7.5)

Vulnerable Library - logback-classic-1.2.12.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /milo-examples/server-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.12/logback-classic-1.2.12.jar

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Vulnerabilities

CVE            Severity  CVSS  Dependency                  Type    Fixed in (logback-classic version)  Remediation Possible**
CVE-2023-6378  High      7.5   logback-classic-1.2.12.jar  Direct  1.2.13                              Yes

**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-6378

Vulnerable Library - logback-classic-1.2.12.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /milo-examples/server-examples/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.12/logback-classic-1.2.12.jar

Dependency Hierarchy:

  • logback-classic-1.2.12.jar (Vulnerable Library)

Found in HEAD commit: 865206946cdd36c1f698b5aa417b55688843148d

Found in base branch: develop

Vulnerability Details

A serialization vulnerability in the logback receiver component, part of logback version 1.4.11, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data.

Publish Date: 2023-11-29

URL: CVE-2023-6378

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://logback.qos.ch/news.html#1.3.12

Release Date: 2023-11-29

Fix Resolution: 1.2.13

