
vonage-java-code-snippets's Introduction

Vonage Quickstart Examples for Java

Nexmo is now known as Vonage

Quickstarts also available for: Python, .NET, Node.js, PHP, Ruby and curl.

The purpose of the quickstart guide is to provide simple examples focused on one goal: for example, sending an SMS, handling an incoming SMS webhook, or making a Text to Speech call. These code samples are meant to be used for https://developer.nexmo.com/, and are structured in such a way as to be used for internal testing. Developers are free to use these code snippets as a reference, but they may require changes to be worked into your specific application. We recommend checking out the Vonage Developer Website, which displays these code snippets in a more copy-and-paste-friendly form.

Setup

To use this sample you will first need a Vonage account.

For some of the examples you will need to buy a number.

Building The Library

You will need to have Gradle installed to build the code. Once you have Gradle installed, run the following to build a jar that contains the quickstart code along with all the Vonage Server SDK dependencies:

gradle assemble

This will build the following file: build/libs/vonage-java-code-snippets-with-dependencies.jar

Running The Examples

Copy .env-example to .env and edit the values. You'll need to load those values into environment variables, so you'll probably want to use a tool like Foreman to run your code like this:

foreman run java -cp build/libs/vonage-java-code-snippets-with-dependencies.jar PACKAGE.CLASS

So to run the OutboundTextToSpeech class, you would run the following:

foreman run java -cp build/libs/vonage-java-code-snippets-with-dependencies.jar com.vonage.quickstart.voice.OutboundTextToSpeech

If you set the environment variable QUICKSTART_DEBUG to any value, extra information will be output to the console from the Vonage Server SDK.

Running NCCO Webhook Examples

Sign up for a free ngrok account

Download and install from the ngrok site or use Homebrew (macOS):

brew install --cask ngrok

Connect the installed ngrok to your ngrok account

  1. Go to your ngrok dashboard.
  2. Go to Setup & Installation.
  3. Copy the token from the Connect your account step without the ./ prefix. What you copy should look like this:
ngrok authtoken 112skjl4jlwlkjdl4lkj66565lkjmn56n==e4w4l
  4. Start an HTTP tunnel forwarding to your local port. Check your snippet to locate the port ngrok should forward to. For the Voice NCCO snippets we use port 3000, so our command would be:
ngrok http 3000

You may then open http://localhost:4040/inspect/http in your web browser to see a more detailed view of your requests, or use the ngrok console to see the HTTP status and message of each request.

Setup a Vonage Application

After setting up ngrok you will need to set up a Vonage application that will be used for monitoring your webhooks. Add the Vonage feature that you would like your webhook to monitor for. In this example, we will set up a Vonage application and add voice capabilities.

Setup a Vonage Application with voice capabilities using the Vonage Developer Portal

  1. On the developer portal, go to Applications.
  2. Click on the Create new application button.
  3. Give your application a name.
  4. Under Capabilities, toggle the Voice capability. Go back to the terminal that has ngrok running and grab the forwarding URL. Add that domain as the prefix to the path for the webhook. The resulting URL should look similar to the following:
 http://17e80b46d273.ngrok.io/webhook/answer

Go back to the Voice capabilities section and add the URLs for the webhooks, for example:

Answer URL: http://17e80b46d273.ngrok.io/webhook/answer

Event URL: http://17e80b46d273.ngrok.io/webhook/event

Answer Fallback URL: http://17e80b46d273.ngrok.io/webhook/fallback (if no path is specified in the snippet use a random domain)

  5. Click the Generate public and private key button. A private key file called private.key should be downloaded to your computer.
  6. Move the private key to the nexmo-java-code-snippets project root.
  7. Go to the developer portal and click Generate application.
  8. In your .env file, add the environment variables your application needs to run the snippet. For the voice DTMF webhook snippet, these are the application ID and the private key file location.
  9. (Optional) Link the number associated with your nexmo account to your app. In the developer portal, click the Link button on the application details screen to link that number to your application. This lets you test webhooks that require you to call or text a number to exercise the NCCOs for that snippet.
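As an added illustration of what the Answer, Event and Fallback URLs configured above point at (example code written for this page, not part of this repository or the Vonage SDK): a minimal Java receiver on port 3000, the port the README forwards ngrok to, that returns a one-action NCCO from /webhook/answer and /webhook/fallback and logs the JSON events Vonage posts to /webhook/event. It uses only the JDK's built-in HTTP server, so it does not depend on the Vonage Server SDK; the class name, the talk text and the 64 KB body cap are assumptions, not values from the README.

```java
import com.sun.net.httpserver.HttpExchange;
import com.sun.net.httpserver.HttpServer;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.InetSocketAddress;
import java.nio.charset.StandardCharsets;

// Stand-in NCCO webhook receiver for local testing behind `ngrok http 3000`.
// Paths match the Answer/Event/Fallback URLs from the setup steps above.
public class NccoWebhookExample {
    private static final int PORT = 3000;

    // Event webhooks carry small JSON bodies; refusing anything larger keeps a
    // misbehaving caller from making the handler buffer unbounded input.
    // (64 KB is an assumed cap, not a Vonage-documented limit.)
    private static final int MAX_EVENT_BODY_BYTES = 64 * 1024;

    // The NCCO returned when a call reaches the Answer (or Fallback) URL:
    // a single "talk" action. Kept as a method so it can be tested without a socket.
    static String answerNcco() {
        return "[{\"action\":\"talk\",\"text\":\"Hello from the NCCO webhook example.\"}]";
    }

    // Reads at most maxBytes from the request body; returns null when the body
    // exceeds the cap so the caller can reject it instead of reading on.
    static String readBounded(InputStream in, int maxBytes) throws IOException {
        byte[] buf = new byte[maxBytes + 1];
        int total = 0;
        int n;
        while (total < buf.length && (n = in.read(buf, total, buf.length - total)) != -1) {
            total += n;
        }
        if (total > maxBytes) {
            return null;
        }
        return new String(buf, 0, total, StandardCharsets.UTF_8);
    }

    private static void sendJson(HttpExchange exchange, int status, String json) throws IOException {
        byte[] body = json.getBytes(StandardCharsets.UTF_8);
        exchange.getResponseHeaders().set("Content-Type", "application/json");
        exchange.sendResponseHeaders(status, body.length);
        try (OutputStream out = exchange.getResponseBody()) {
            out.write(body);
        }
    }

    public static void main(String[] args) throws IOException {
        HttpServer server = HttpServer.create(new InetSocketAddress(PORT), 0);

        // Answer URL: Vonage fetches the NCCO to execute for the inbound call.
        server.createContext("/webhook/answer", exchange -> sendJson(exchange, 200, answerNcco()));

        // Answer Fallback URL: used by Vonage if the Answer URL fails; same NCCO here.
        server.createContext("/webhook/fallback", exchange -> sendJson(exchange, 200, answerNcco()));

        // Event URL: Vonage POSTs call-state events (ringing, answered, completed, ...).
        server.createContext("/webhook/event", exchange -> {
            if (!"POST".equals(exchange.getRequestMethod())) {
                exchange.sendResponseHeaders(405, -1); // -1: no response body
                exchange.close();
                return;
            }
            String body = readBounded(exchange.getRequestBody(), MAX_EVENT_BODY_BYTES);
            if (body == null) {
                exchange.sendResponseHeaders(413, -1); // payload too large
                exchange.close();
                return;
            }
            System.out.println("event: " + body);
            exchange.sendResponseHeaders(204, -1);
            exchange.close();
        });

        server.start();
        System.out.println("Listening on http://localhost:" + PORT + "/webhook/{answer,event,fallback}");
    }
}
```

With ngrok forwarding to port 3000, the requests Vonage makes to the configured URLs appear in the ngrok inspector at http://localhost:4040/inspect/http alongside the server's console output.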

Request an Example

Please raise an issue to request an example that isn't present within the quickstart. Pull requests will be gratefully received.

License

This code is licensed under the MIT license.

vonage-java-code-snippets's People

Contributors

adambutler, akramkazmi71, chrisguzman, cr0wst, dragonmantank, fauna5, intrigus-lgtm, judy2k, leggetter, lornajane, mheap, pardel, patheticpat, rpraveenpai, slorello89, smadani, superchilled, tarekbazine, tommorris, yallen011


vonage-java-code-snippets's Issues

Introduce java-dotenv

Instead of suggesting the use of something like Foreman, we could introduce the cdimascio/java-dotenv which will look for a .env file internally.

Downside would be that they would have to configure the environment before assembling the artifacts.

Get javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake using nexmo-java SDK

Hello,

I'm trying to run a quickstart example (https://github.com/nexmo-community/nexmo-java-quickstart/blob/master/src/main/java/com/nexmo/quickstart/voice/TransferCall.java) but I get an exception 'javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake'.

This is returned from Nexmo host in response to POST https://api.nexmo.com/v1/calls.

I'm using jdk1.8.0_25 on MacOS 10.14.2 and run java with the -Djavax.net.debug=all flag to get an SSL debug log (see attached run.log). As I can see, my java client is using TLSv1.2, but the Nexmo remote host closes the connection during handshake with description = handshake_failure.

Can you please point me to the reason of this issue and how can I resolve it.

jackson-databind-2.13.3.jar: 2 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/les-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-42004 High 7.5 jackson-databind-2.13.3.jar Direct com.fasterxml.jackson.core:jackson-databind:2.13.4
CVE-2022-42003 High 7.5 jackson-databind-2.13.3.jar Direct N/A

Details

CVE-2022-42004

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/les-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Dependency Hierarchy:

  • jackson-databind-2.13.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.

Publish Date: 2022-10-02

URL: CVE-2022-42004

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4

⛑️ Automatic Remediation is available for this issue

CVE-2022-42003

Vulnerable Library - jackson-databind-2.13.3.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar,/les-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.13.3/56deb9ea2c93a7a556b3afbedd616d342963464e/jackson-databind-2.13.3.jar

Dependency Hierarchy:

  • jackson-databind-2.13.3.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1

Publish Date: 2022-10-02

URL: CVE-2022-42003

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.


⛑️ Automatic Remediation is available for this issue.

jwt-1.0.1.jar: 1 vulnerabilities (highest severity is: 5.3) - autoclosed

Vulnerable Library - jwt-1.0.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.31/11289d20fd95ae219333f3456072be9f081c30cc/kotlin-stdlib-1.3.31.jar

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-24329 Medium 5.3 kotlin-stdlib-1.3.31.jar Transitive N/A

Details

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.3.31.jar

Kotlin Standard Library for JVM

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.31/11289d20fd95ae219333f3456072be9f081c30cc/kotlin-stdlib-1.3.31.jar

Dependency Hierarchy:

  • jwt-1.0.1.jar (Root Library)
    • kotlin-stdlib-jdk8-1.3.31.jar
      • kotlin-stdlib-1.3.31.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

spark-core-2.9.4.jar: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - spark-core-2.9.4.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.48.v20220622/b91a0641cda31c93962503b88f783602d2bd8093/jetty-server-9.4.48.v20220622.jar

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spark-core version) Remediation Available
CVE-2023-26048 Medium 5.3 jetty-server-9.4.48.v20220622.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2023-26048

Vulnerable Library - jetty-server-9.4.48.v20220622.jar

The core jetty server artifact.

Library home page: https://eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.48.v20220622/b91a0641cda31c93962503b88f783602d2bd8093/jetty-server-9.4.48.v20220622.jar

Dependency Hierarchy:

  • spark-core-2.9.4.jar (Root Library)
    • jetty-server-9.4.48.v20220622.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with @MultipartConfig) that call HttpServletRequest.getParameter() or HttpServletRequest.getParts() may cause OutOfMemoryError when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of fileSizeThreshold=0 which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw OutOfMemoryError. However, the server may be able to recover after the OutOfMemoryError and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter maxRequestSize which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).

Publish Date: 2023-04-18

URL: CVE-2023-26048

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qw69-rqj8-6qw8

Release Date: 2023-04-18

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.51.v20230217,10.0.14,11.0.14;org.eclipse.jetty:jetty-runner:9.4.51.v20230217,10.0.14,11.0.14

SMS service by using angular-5

Hello,
I am developing sending SMS to my user on a click function in Angular 5 with Java. There must be some documentation on how to use it.

jwt-1.1.0.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - jwt-1.1.0.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.jsonwebtoken/jjwt-impl/0.12.3/e850d2b3f53bd82355cd9ee1c471054aa602b320/jjwt-impl-0.12.3.jar

Mend has checked all newer package trees, and you are on the least vulnerable package!

Please note: There might be a version that explicitly solves one or more of the vulnerabilities listed below, but we do not recommend it. For more info about the optional fixes, check the "Details" section below.

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jwt version) Fix PR available
CVE-2024-31033 High 7.5 jjwt-impl-0.12.3.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-31033

Vulnerable Library - jjwt-impl-0.12.3.jar

Library home page: https://github.com/jwtk/jjwt

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.jsonwebtoken/jjwt-impl/0.12.3/e850d2b3f53bd82355cd9ee1c471054aa602b320/jjwt-impl-0.12.3.jar

Dependency Hierarchy:

  • jwt-1.1.0.jar (Root Library)
    • jjwt-impl-0.12.3.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.

Publish Date: 2024-04-01

URL: CVE-2024-31033

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

jwt-1.1.1.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jwt-1.1.1.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.jsonwebtoken/jjwt-impl/0.12.5/b4ceb5407a360e0eb7ba6fa6c6452abadf6c120a/jjwt-impl-0.12.5.jar

Oops, something went wrong. We couldn’t find a fix. Support token-112edf4a00c543ef9e526a57e96c776c

Vulnerabilities

CVE Severity CVSS Exploit Maturity EPSS Dependency Type Fixed in (jwt version) Fix PR available Reachability
CVE-2024-31033 High 7.5 Not Defined 0.0% jjwt-impl-0.12.5.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-31033

Vulnerable Library - jjwt-impl-0.12.5.jar

Library home page: https://github.com/jwtk/jjwt

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.jsonwebtoken/jjwt-impl/0.12.5/b4ceb5407a360e0eb7ba6fa6c6452abadf6c120a/jjwt-impl-0.12.5.jar

Dependency Hierarchy:

  • jwt-1.1.1.jar (Root Library)
    • jjwt-impl-0.12.5.jar (Vulnerable Library)

Found in base branch: main

Vulnerability Details

JJWT (aka Java JWT) through 0.12.5 ignores certain characters and thus a user might falsely conclude that they have a strong key. The impacted code is the setSigningKey() method within the DefaultJwtParser class and the signWith() method within the DefaultJwtBuilder class. NOTE: the vendor disputes this because the "ignores" behavior cannot occur (in any version) unless there is a user error in how JJWT is used, and because the version that was actually tested must have been more than six years out of date.

Publish Date: 2024-04-01

URL: CVE-2024-31033

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

OTP template format

Hi team,

does the OTP template work?
From the java code, the template looks as below, with "language" and "components" in "custom", and I failed to send OTP with this format.
{
  "message_type": "custom",
  "channel": "whatsapp",
  "from": "",
  "to": "",
  "custom": {
    "type": "template",
    "template": { "name": "" },
    "language": { "code": "en", "policy": "deterministic" },
    "components": [
      { "type": "body", "parameters": [ { "type": "text", "text": "123456" } ] },
      { "type": "button", "sub_type": "url", "index": "0",
        "parameters": [ { "type": "text", "text": "123456" } ] }
    ]
  }
}

while I tried with another format as https://github.com/Vonage/vonage-curl-code-snippets/blob/main/messages/whatsapp/send-authentication-template.sh
the format is as below, with "language" and "components" inside "template", and it worked as expected.
{
  "message_type": "custom",
  "channel": "whatsapp",
  "from": "",
  "to": "",
  "custom": {
    "type": "template",
    "template": {
      "name": "",
      "language": { "code": "en", "policy": "deterministic" },
      "components": [
        { "type": "body", "parameters": [ { "type": "text", "text": "123456" } ] },
        { "type": "button", "sub_type": "url", "index": "0",
          "parameters": [ { "type": "text", "text": "123456" } ] }
      ]
    }
  }
}

Compile problem with test code

I am trying out the test code.

Created a maven project.
Added the Vonage maven dependency

<dependency>
  <groupId>com.vonage</groupId>
  <artifactId>client</artifactId>
  <version>7.1.0</version>
</dependency>

Copied the sample code from https://github.com/vonage/vonage-java-code-snippets/blob/master/src/main/java/com/vonage/quickstart/voice/OutboundTextToSpeechWithNcco.java#L39-L42

But I am getting an error on this line.
Ncco ncco = new Ncco(TalkAction.builder("This is a text to speech call from Vonage").build());
The type com.fasterxml.jackson.databind.ObjectWriter cannot be resolved. It is indirectly referenced from required .class files

I checked maven repo and 7.1.0 is indeed the latest version.
What gives?

Thanks,
Maneesh

spark-core-2.9.3.jar: 6 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - spark-core-2.9.3.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.31.v20200723/6862f0e6fc7e9f8828416a7cae1477b233d92f8/jetty-http-9.4.31.v20200723.jar

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-28165 High 7.5 jetty-io-9.4.31.v20200723.jar Transitive N/A
CVE-2020-27216 High 7.0 jetty-webapp-9.4.31.v20200723.jar Transitive N/A
CVE-2020-27223 Medium 5.3 jetty-http-9.4.31.v20200723.jar Transitive N/A
CVE-2021-28169 Medium 5.3 multiple Transitive N/A
CVE-2020-27218 Medium 4.8 jetty-server-9.4.31.v20200723.jar Transitive N/A
CVE-2021-34428 Low 3.5 jetty-server-9.4.31.v20200723.jar Transitive N/A

Details

CVE-2021-28165

Vulnerable Library - jetty-io-9.4.31.v20200723.jar

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-io/9.4.31.v20200723/328e4562e0f30e01efea63efe4fc24b2b860d852/jetty-io-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-server-9.4.31.v20200723.jar
      • jetty-io-9.4.31.v20200723.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2

CVE-2020-27216

Vulnerable Library - jetty-webapp-9.4.31.v20200723.jar

Jetty web application support

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-webapp/9.4.31.v20200723/9e6716366f586307f253d1082cbae88f33c239cd/jetty-webapp-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-webapp-9.4.31.v20200723.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

In Eclipse Jetty versions 1.0 thru 9.4.32.v20200930, 10.0.0.alpha1 thru 10.0.0.beta2, and 11.0.0.alpha1 thru 11.0.0.beta2O, on Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability.

Publish Date: 2020-10-23

URL: CVE-2020-27216

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=567921

Release Date: 2020-10-23

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.33,10.0.0.beta3,11.0.0.beta3;org.eclipse.jetty:jetty-webapp:9.4.33,10.0.0.beta3,11.0.0.beta3

CVE-2020-27223

Vulnerable Library - jetty-http-9.4.31.v20200723.jar

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.31.v20200723/6862f0e6fc7e9f8828416a7cae1477b233d92f8/jetty-http-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-server-9.4.31.v20200723.jar
      • jetty-http-9.4.31.v20200723.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Publish Date: 2021-02-26

URL: CVE-2020-27223

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: 2021-02-26

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.37.v20210219, org.eclipse.jetty:jetty-http:10.0.1, org.eclipse.jetty:jetty-http:11.0.1

CVE-2021-28169

Vulnerable Libraries - jetty-server-9.4.31.v20200723.jar, jetty-http-9.4.31.v20200723.jar

jetty-server-9.4.31.v20200723.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.31.v20200723/b9043b4a0c17ee543aba97e80ea3a34cd8cdb600/jetty-server-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-server-9.4.31.v20200723.jar (Vulnerable Library)

jetty-http-9.4.31.v20200723.jar

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/9.4.31.v20200723/6862f0e6fc7e9f8828416a7cae1477b233d92f8/jetty-http-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-server-9.4.31.v20200723.jar
      • jetty-http-9.4.31.v20200723.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3

CVE-2020-27218

Vulnerable Library - jetty-server-9.4.31.v20200723.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.31.v20200723/b9043b4a0c17ee543aba97e80ea3a34cd8cdb600/jetty-server-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-server-9.4.31.v20200723.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.

Publish Date: 2020-11-28

URL: CVE-2020-27218

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-86wm-rrjm-8wh8

Release Date: 2020-11-28

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3

CVE-2021-34428

Vulnerable Library - jetty-server-9.4.31.v20200723.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.31.v20200723/b9043b4a0c17ee543aba97e80ea3a34cd8cdb600/jetty-server-9.4.31.v20200723.jar

Dependency Hierarchy:

  • spark-core-2.9.3.jar (Root Library)
    • jetty-server-9.4.31.v20200723.jar (Vulnerable Library)

Found in HEAD commit: c3d677c25ab2d543c54025acad646909623089f9

Found in base branch: master

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: 2021-06-22

URL: CVE-2021-34428

CVSS 3 Score Details (3.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Physical
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6cp-vxjx-65j6

Release Date: 2021-06-22

Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3
