From a9a40071fab64c8e29ca6e8ef2fced70502a2e81 Mon Sep 17 00:00:00 2001
From: Charles Hu
Date: Fri, 9 Aug 2024 13:15:18 -0400
Subject: [PATCH 1/3] Review changes
Signed-off-by: Charles Hu
---
 .../src/cyclonedx-sbom-mapper.ts | 67 ++++++-------
 1 file changed, 21 insertions(+), 46 deletions(-)
diff --git a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
index 9327baa5df..d2faced269 100644
--- a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
+++ b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
@@ -109,7 +109,7 @@ export class CycloneDXSBOMResults {
 // Pull components from raw data
 data.components = [
 ...(_.cloneDeep(data.raw.components) as ComponentRepository)
- ].map((element) => Object(element));
+ ] as unknown as IntermediaryComponent[];
 
 // Look through every component at the top level of the list
 for (const component of data.components) {
@@ -155,7 +155,7 @@ export class CycloneDXSBOMResults {
 // Pull vulnerabilities from raw data
 data.vulnerabilities = [
 ...(_.cloneDeep(data.raw.vulnerabilities) as VulnerabilityRepository)
- ].map((element) => Object(element));
+ ] as unknown as IntermediaryVulnerability[];
 
 for (const vulnerability of data.vulnerabilities) {
 vulnerability.affectedComponents = [];
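Review bot: The `as unknown as IntermediaryComponent[]` double assertion on the new line of the `@@ -109` hunk (and the matching `IntermediaryVulnerability[]` line in the `@@ -155` hunk) tells the checker that the cloned raw entries already have the intermediary shape, which nothing at this point verifies; the removed `Object(element)` map was a runtime no-op on object entries, so behaviour is unchanged, but the widening is now invisible to a reader. Since the loop that follows appears to be where the intermediary-only fields get populated (it is cut off by the hunk), a short comment would keep the next maintainer from reading the cast as proof of shape, e.g. `// Raw entries are widened to the intermediary shape here; intermediary-only fields are filled in by the loop below`. If `IntermediaryComponent` extends the raw component type, a single `as IntermediaryComponent[]` would compile and is less permissive than going through `unknown`. Both enclosing methods continue outside their hunks.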
@@ -203,18 +203,15 @@ export class CycloneDXSBOMResults {
 // Pull vulnerabilities from raw data
 data.vulnerabilities = [
 ...(_.cloneDeep(data.raw.vulnerabilities) as VulnerabilityRepository)
- ].map((element) => Object(element));
+ ] as unknown as IntermediaryVulnerability[];
 
 for (const vulnerability of data.vulnerabilities) {
- vulnerability.affectedComponents = [];
- for (const id of vulnerability.affects) {
- // Build a dummy component for each bom-ref identified as being affected by the vulnerability
- // Add that component to the corresponding vulnerability object
- vulnerability.affectedComponents.push({
- 'bom-ref': `${id.ref}`,
- name: `${id.ref}`
- });
- }
+ // Build a dummy component for each bom-ref identified as being affected by the vulnerability
+ // Add that component to the corresponding vulnerability object
+ vulnerability.affectedComponents = vulnerability.affects.map((id) => ({
+ 'bom-ref': `${id.ref}`,
+ name: `${id.ref}`
+ }));
 }
 }
@@ -331,30 +328,22 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 descriptions: [
 {
 path: 'detail',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input ? {data: input, label: 'Detail'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'recommendation',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: string) =>
 input ? {data: input, label: 'Recommendation'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'workaround',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: string) =>
 input ? {data: input, label: 'Workaround'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'proofOfConcept',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input
 ? {
 data: JSON.stringify(input, null, 2),
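Review bot: `vulnerability.affects.map(...)` on the new side of the `@@ -203` hunk throws a TypeError when a vulnerability entry carries no `affects` array, which is plausible for externally supplied SBOM/VEX input since `affects` is optional in CycloneDX documents; the removed `for...of` had the same exposure, so this is not a regression, but the rewrite is the natural moment to guard it with `vulnerability.affectedComponents = (vulnerability.affects ?? []).map((id) => ({`. Whether the intermediary type already declares `affects` as possibly undefined is not visible in the hunk. The enclosing method starts outside the hunk.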
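Review bot: In the `@@ -331` hunk the `detail` transformer keeps `input: Record` while the sibling `recommendation` and `workaround` transformers were narrowed to `input: string`; `detail` is a free-text string in the CycloneDX vulnerability schema just like the other two, and the transformer forwards it unchanged as `data`, so `transformer: (input: string) =>` would be the consistent type. `proofOfConcept` is serialised with `JSON.stringify`, so the object type is appropriate there. The `as unknown as ExecJSON.ControlDescription` cast on each entry predates this change; the enclosing mapping object continues outside the hunk.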
@@ -364,55 +353,41 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'created',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input ? {data: input, label: 'Date created'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'published',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input ? {data: input, label: 'Date published'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'updated',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input ? {data: input, label: 'Date updated'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'rejected',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input ? {data: input, label: 'Date rejected'} : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'credits',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input
 ? {data: JSON.stringify(input, null, 2), label: 'Credits'}
 : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'tools',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input
 ? {data: JSON.stringify(input, null, 2), label: 'Tools'}
 : undefined
 } as unknown as ExecJSON.ControlDescription,
 {
 path: 'analysis',
- transformer: (
- input: Record
- ): Record | undefined =>
+ transformer: (input: Record) =>
 input
 ? {data: JSON.stringify(input, null, 2), label: 'Analysis'}
 : undefined
@@ -516,7 +491,7 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 }
 }
 };
- constructor(exportJson: Record, withRaw = false) {
+ constructor(exportJson: DataStorage, withRaw = false) {
 super(exportJson, true);
 this.withRaw = withRaw;
 }
From ec9c5e6799fb9534ae283a21b779ba4f679cf883 Mon Sep 17 00:00:00 2001
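Review bot: The `created`, `published`, `updated` and `rejected` transformers in the `@@ -364` hunk are typed `input: Record` yet forward the value untouched as `data`, and those fields are date-time strings in CycloneDX, so the parameter should be `string` as was done for `recommendation` in the `@@ -331` hunk; `credits`, `tools` and `analysis` pass through `JSON.stringify` and can keep the object type. The fixture changes in PATCH 2/3 suggest these date descriptions are later moved into tags, in which case the same `string` typing applies to wherever the transformers end up. The enclosing `descriptions` array continues outside the hunk.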
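Review bot: The constructor in the `@@ -516` hunk now accepts a `DataStorage` instead of a raw record but carries no doc comment, and neither `withRaw` nor the literal `true` handed to `super` is explained at the call site. A TSDoc block above the signature stating what `exportJson` is expected to hold at this point and what `withRaw` toggles in the output would make the type change self-describing; what the `true` argument to `super` controls is not visible in the hunk, so a one-line comment naming it belongs on that line too. The class body continues outside the hunk.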
From: Charles Hu
Date: Mon, 12 Aug 2024 09:01:11 -0400
Subject: [PATCH 2/3] Tag changes
Signed-off-by: Charles Hu
---
 .../sbom-dropwizard-vex-hdf-withraw.json | 1425 ++++++-----------
 .../sbom-dropwizard-vex-hdf.json | 1425 ++++++-----------
 .../sbom-dropwizard-vulns-hdf-withraw.json | 1425 ++++++-----------
 .../sbom-dropwizard-vulns-hdf.json | 1425 ++++++-----------
 .../sbom-vex-hdf-withraw.json | 20 +-
 .../cyclonedx_sbom_mapper/sbom-vex-hdf.json | 20 +-
 .../src/cyclonedx-sbom-mapper.ts | 43 +-
 7 files changed, 2063 insertions(+), 3720 deletions(-)
diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json
index f62531dd92..3f0a48f297 100644
--- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json
+++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json
@@ -31,18 +31,13 @@
 "CWE-200",
 "CWE-378",
 "CWE-732"
- ]
+ ],
+ "created": "",
+ "published": "2021-03-25T17:04:19Z",
+ "updated": "2023-11-09T18:44:38Z",
+ "rejected": ""
 },
- "descriptions": [
- {
- "data": "2021-03-25T17:04:19Z",
- "label": "Date published"
- },
- {
- "data": "2023-11-09T18:44:38Z",
- "label": "Date updated"
- }
- ],
+ "descriptions": [],
 "refs": [
 {
 "ref": [
@@ -81,18 +76,13 @@
 "cwe": [
 "CWE-379",
 "CWE-552"
- ]
+ ],
+ "created": "",
+ "published": "2023-06-14T18:30:38Z",
+ "updated": "2024-02-13T21:49:15Z",
+ "rejected": ""
 },
- "descriptions": [
- {
- "data": "2023-06-14T18:30:38Z",
- "label": "Date published"
- },
- {
- "data": "2024-02-13T21:49:15Z",
- "label": "Date updated"
- }
- ],
+ "descriptions": [],
 "refs": [
 {
 "ref": [
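Review bot: The new fixture lines record an unset `created` and `rejected` as `""` (and in the `@@ -3355` and `@@ -3391` hunks further down all four date tags are empty strings) instead of omitting the key, so a consumer of the HDF output cannot tell "not present in the SBOM" from a real value without special-casing the empty string, and `""` is not a valid date-time for a field named like one. The mapper change that emits this is in this patch's `cyclonedx-sbom-mapper.ts` hunk, which is not part of this excerpt; emitting each tag only when the source field is present (or leaving it `undefined`, which `JSON.stringify` drops) would keep the output free of sentinel values. The same pattern repeats in every fixture hunk of this patch.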
@@ -128,18 +118,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:08:40Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:08:40Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -175,18 +160,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:44Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:44Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -222,18 +202,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-10T21:12:41Z", + "updated": "2023-02-01T05:03:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-10T21:12:41Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -269,18 +244,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:50Z", + "updated": "2023-02-01T05:03:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -316,18 +286,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T20:19:02Z", + "updated": "2024-03-15T00:41:35Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T20:19:02Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:41:35Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -363,18 +328,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:47Z", + "updated": "2024-03-15T00:48:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:47Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:48:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -410,18 +370,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:54Z", + "updated": "2024-03-15T00:50:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:50:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -457,18 +412,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:36:03Z", + "updated": "2024-06-25T13:46:45Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:36:03Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:45Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -504,18 +454,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T16:32:59Z", + "updated": "2024-07-03T21:10:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T16:32:59Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -551,18 +496,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:50Z", + "updated": "2023-02-01T05:04:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -598,18 +538,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:43Z", + "updated": "2024-03-15T00:37:17Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:43Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:37:17Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -645,18 +580,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:46Z", + "updated": "2024-03-15T00:39:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:46Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:39:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -692,18 +622,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:48Z", + "updated": "2024-06-25T13:46:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:48Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -739,18 +664,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:14Z", + "updated": "2023-06-08T19:02:12Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:14Z", - "label": "Date published" - }, - { - "data": "2023-06-08T19:02:12Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -786,18 +706,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-07-15T19:41:47Z", + "updated": "2023-08-18T15:45:27Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-15T19:41:47Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:45:27Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -833,18 +748,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:27Z", + "updated": "2023-09-14T14:55:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:27Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -880,18 +790,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:38Z", + "updated": "2023-09-14T14:55:25Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:38Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:25Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -927,18 +832,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-10-28T20:51:15Z", + "updated": "2024-03-15T00:57:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-10-28T20:51:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:57:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -974,18 +874,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:10Z", + "updated": "2023-09-14T15:09:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:09:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1021,18 +916,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:01Z", + "updated": "2024-03-15T00:20:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:01Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:20:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1069,18 +959,13 @@ "cwe": [ "CWE-94", "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:14:51Z", + "updated": "2023-09-14T15:44:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:14:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:44:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1116,18 +1001,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:36Z", + "updated": "2023-09-14T15:47:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:36Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:47:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1163,18 +1043,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:02Z", + "updated": "2023-09-14T15:52:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:02Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:52:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1210,18 +1085,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:26Z", + "updated": "2023-09-14T15:53:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:26Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:53:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1257,18 +1127,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-11-19T20:13:06Z", + "updated": "2023-09-14T15:59:33Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-11-19T20:13:06Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:59:33Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1304,18 +1169,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:51Z", + "updated": "2023-09-14T16:01:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:01:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1351,18 +1211,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:59Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:59Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1398,18 +1253,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:42Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:42Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1445,18 +1295,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:10Z", + "updated": "2023-09-14T16:07:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1492,18 +1337,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:54Z", + "updated": "2023-09-14T16:07:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:54Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1539,18 +1379,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:46Z", + "updated": "2023-09-14T16:08:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:46Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:08:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1586,18 +1421,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:18Z", + "updated": "2023-09-14T16:13:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:18Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:13:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1633,18 +1463,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:34Z", + "updated": "2023-09-14T16:15:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:34Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:15:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1680,18 +1505,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:24Z", + "updated": "2023-11-21T11:40:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:24Z", - "label": "Date published" - }, - { - "data": "2023-11-21T11:40:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1727,18 +1547,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:00Z", + "updated": "2024-03-15T00:28:08Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:00Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:28:08Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1775,18 +1590,13 @@ "cwe": [ "CWE-502", "CWE-913" - ] + ], + "created": "", + "published": "2021-12-09T19:15:11Z", + "updated": "2024-06-25T13:47:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:11Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:47:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1823,18 +1633,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-15T00:14:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:14:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1870,18 +1675,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-01-20T21:20:15Z", + "updated": "2024-03-15T00:16:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-01-20T21:20:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:16:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1917,18 +1717,13 @@ ], "cwe": [ "CWE-787" - ] + ], + "created": "", + "published": "2022-03-12T00:00:36Z", + "updated": "2024-03-15T00:24:56Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-12T00:00:36Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:24:56Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1964,18 +1759,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2021-02-18T20:51:54Z", + "updated": "2024-03-15T00:31:24Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-02-18T20:51:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:31:24Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2011,18 +1801,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:11Z", + "updated": "2024-03-15T00:52:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:11Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:52:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2059,18 +1844,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-24T05:01:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-24T05:01:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2106,18 +1886,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:04Z", + "updated": "2024-07-03T21:10:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:04Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2155,18 +1930,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-04-10T18:42:20Z", + "updated": "2023-01-09T05:02:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-10T18:42:20Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:02:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2204,18 +1974,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-02-24T17:27:27Z", + "updated": "2024-06-05T16:42:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-02-24T17:27:27Z", - "label": "Date published" - }, - { - "data": "2024-06-05T16:42:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2253,18 +2018,13 @@ ], "cwe": [ "CWE-776" - ] + ], + "created": "", + "published": "2021-06-04T21:37:45Z", + "updated": "2023-05-22T20:17:58Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-04T21:37:45Z", - "label": "Date published" - }, - { - "data": "2023-05-22T20:17:58Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2301,18 +2061,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2349,18 +2104,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-11-11T19:00:31Z", + "updated": "2024-06-21T21:33:52Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-11-11T19:00:31Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:52Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2397,18 +2147,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2445,18 +2190,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2493,18 +2233,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2541,18 +2276,13 @@ "cwe": [ "CWE-400", "CWE-776" - ] + ], + "created": "", + "published": "2022-08-31T00:00:24Z", + "updated": "2024-03-15T19:06:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-08-31T00:00:24Z", - "label": "Date published" - }, - { - "data": "2024-03-15T19:06:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2589,18 +2319,13 @@ "cwe": [ "CWE-20", "CWE-502" - ] + ], + "created": "", + "published": "2022-12-12T21:19:47Z", + "updated": "2024-06-24T21:22:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-12-12T21:19:47Z", - "label": "Date published" - }, - { - "data": "2024-06-24T21:22:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2636,18 +2361,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-17T20:00:50Z", + "updated": "2023-01-30T05:04:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-17T20:00:50Z", - "label": "Date published" - }, - { - "data": "2023-01-30T05:04:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2683,18 +2403,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2023-11-29T12:30:16Z", + "updated": "2023-12-05T21:31:13Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-11-29T12:30:16Z", - "label": "Date published" - }, - { - "data": "2023-12-05T21:31:13Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2730,18 +2445,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2021-03-10T03:46:47Z", + "updated": "2023-02-01T05:05:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-10T03:46:47Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2777,18 +2487,13 @@ ], "cwe": [ "CWE-613" - ] + ], + "created": "", + "published": "2021-06-23T20:23:04Z", + "updated": "2023-02-01T05:05:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-23T20:23:04Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2826,18 +2531,13 @@ "CWE-400", "CWE-551", "CWE-755" - ] + ], + "created": "", + "published": "2021-04-06T17:31:30Z", + "updated": "2023-09-26T11:11:47Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-04-06T17:31:30Z", - "label": "Date published" - }, - { - "data": "2023-09-26T11:11:47Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2873,18 +2573,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2023-04-18T22:19:57Z", + "updated": "2023-11-06T05:01:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-18T22:19:57Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2921,18 +2616,13 @@ "cwe": [ "CWE-400", "CWE-770" - ] + ], + "created": "", + "published": "2023-04-19T18:15:45Z", + "updated": "2023-11-06T05:02:06Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-19T18:15:45Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:02:06Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2968,18 +2658,13 @@ ], "cwe": [ "CWE-226" - ] + ], + "created": "", + "published": "2020-12-02T18:28:18Z", + "updated": "2024-02-21T17:23:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-12-02T18:28:18Z", - "label": "Date published" - }, - { - "data": "2024-02-21T17:23:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3015,18 +2700,13 @@ ], "cwe": [ "CWE-20" - ] + ], + "created": "", + "published": "2022-07-07T20:55:34Z", + "updated": "2023-01-29T05:06:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:34Z", - "label": "Date published" - }, - { - "data": "2023-01-29T05:06:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3064,18 +2744,13 @@ ], "cwe": [ "CWE-130" - ] + ], + "created": "", + "published": "2023-09-14T16:17:27Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:17:27Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3115,18 +2790,13 @@ "CWE-378", "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2020-11-04T17:50:24Z", + "updated": "2023-11-27T23:07:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-11-04T17:50:24Z", - "label": "Date published" - }, - { - "data": "2023-11-27T23:07:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3162,18 +2832,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2023-07-10T21:52:39Z", + "updated": "2023-09-05T22:39:32Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-07-10T21:52:39Z", - "label": "Date published" - }, - { - "data": "2023-09-05T22:39:32Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3209,18 +2874,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2021-06-10T15:43:22Z", + "updated": "2023-02-01T05:05:51Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-10T15:43:22Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:51Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3258,18 +2918,13 @@ ], "cwe": [ "CWE-149" - ] + ], + "created": "", + "published": "2023-09-14T16:16:00Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:16:00Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3308,18 +2963,13 @@ "cwe": [ "CWE-200", "CWE-732" - ] + ], + "created": "", + "published": "2020-10-12T17:33:00Z", + "updated": "2023-02-01T05:04:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-10-12T17:33:00Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3355,7 +3005,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3391,7 +3045,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3428,18 +3086,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-09T22:57:29Z", + "updated": "2024-06-27T16:39:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-09T22:57:29Z", - "label": "Date published" - }, - { - "data": "2024-06-27T16:39:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3475,18 +3128,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-10T23:05:04Z", + "updated": "2024-06-27T18:05:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-10T23:05:04Z", - "label": "Date published" - }, - { - "data": "2024-06-27T18:05:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3522,18 +3170,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2020-06-05T16:13:36Z", + "updated": "2023-01-27T05:02:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-05T16:13:36Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3569,18 +3212,13 @@ ], "cwe": [ "CWE-79" - ] + ], + "created": "", + "published": "2021-06-03T23:40:23Z", + "updated": "2023-02-01T05:05:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-03T23:40:23Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3616,18 +3254,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2022-03-05T00:00:45Z", + "updated": "2023-01-27T05:02:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-05T00:00:45Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3664,18 +3297,13 @@ "cwe": [ "CWE-400", "CWE-410" - ] + ], + "created": "", + "published": "2022-07-07T20:55:40Z", + "updated": "2023-07-24T19:39:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:40Z", - "label": "Date published" - }, - { - "data": "2023-07-24T19:39:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3711,18 +3339,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-10T21:28:24Z", + "updated": "2024-06-21T21:34:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:28:24Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:34:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3758,18 +3381,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2024-02-26T20:13:46Z", + "updated": "2024-05-02T18:38:19Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2024-02-26T20:13:46Z", - "label": "Date published" - }, - { - "data": "2024-05-02T18:38:19Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3805,18 +3423,13 @@ ], "cwe": [ "CWE-190" - ] + ], + "created": "", + "published": "2023-10-10T21:16:23Z", + "updated": "2024-06-21T21:33:57Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:16:23Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:57Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3854,18 +3467,13 @@ ], "cwe": [ "CWE-295" - ] + ], + "created": "", + "published": "2018-10-18T18:06:08Z", + "updated": "2023-01-09T05:03:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2018-10-18T18:06:08Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:03:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3901,18 +3509,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-24T01:49:09Z", + "updated": "2023-11-05T05:04:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-24T01:49:09Z", - "label": "Date published" - }, - { - "data": "2023-11-05T05:04:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3948,18 +3551,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-01-06T23:55:09Z", + "updated": "2023-02-25T00:31:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-06T23:55:09Z", - "label": "Date published" - }, - { - "data": "2023-02-25T00:31:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3997,18 +3595,13 @@ ], "cwe": [ "CWE-88" - ] + ], + "created": "", + "published": "2022-01-21T23:07:39Z", + "updated": "2023-08-18T15:47:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-21T23:07:39Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:47:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -4035,7 +3628,7 @@ ] } ], - "sha256": "9902bf99c7a943ca3bf57d11dec58a10fb723eb05d3e3094fdb723af75718cee" + "sha256": "03b83542495c79a3357c8fbaf3866ed19ef80d11dc9e784b483cfa177cdcbf00" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json index cd69ef8849..f495576830 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json @@ -31,18 +31,13 @@ "CWE-200", "CWE-378", "CWE-732" - ] + ], + "created": "", + "published": "2021-03-25T17:04:19Z", + "updated": "2023-11-09T18:44:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-25T17:04:19Z", - "label": "Date published" - }, - { - "data": "2023-11-09T18:44:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -81,18 +76,13 @@ "cwe": [ "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2023-06-14T18:30:38Z", + "updated": "2024-02-13T21:49:15Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-06-14T18:30:38Z", - "label": "Date published" - }, - { - "data": "2024-02-13T21:49:15Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -128,18 +118,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:08:40Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:08:40Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -175,18 +160,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:44Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:44Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -222,18 +202,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-10T21:12:41Z", + "updated": "2023-02-01T05:03:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-10T21:12:41Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -269,18 +244,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:50Z", + "updated": "2023-02-01T05:03:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -316,18 +286,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T20:19:02Z", + "updated": "2024-03-15T00:41:35Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T20:19:02Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:41:35Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -363,18 +328,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:47Z", + "updated": "2024-03-15T00:48:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:47Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:48:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -410,18 +370,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:54Z", + "updated": "2024-03-15T00:50:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:50:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -457,18 +412,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:36:03Z", + "updated": "2024-06-25T13:46:45Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:36:03Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:45Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -504,18 +454,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T16:32:59Z", + "updated": "2024-07-03T21:10:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T16:32:59Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -551,18 +496,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:50Z", + "updated": "2023-02-01T05:04:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -598,18 +538,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:43Z", + "updated": "2024-03-15T00:37:17Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:43Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:37:17Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -645,18 +580,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:46Z", + "updated": "2024-03-15T00:39:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:46Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:39:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -692,18 +622,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:48Z", + "updated": "2024-06-25T13:46:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:48Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -739,18 +664,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:14Z", + "updated": "2023-06-08T19:02:12Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:14Z", - "label": "Date published" - }, - { - "data": "2023-06-08T19:02:12Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -786,18 +706,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-07-15T19:41:47Z", + "updated": "2023-08-18T15:45:27Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-15T19:41:47Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:45:27Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -833,18 +748,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:27Z", + "updated": "2023-09-14T14:55:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:27Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -880,18 +790,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:38Z", + "updated": "2023-09-14T14:55:25Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:38Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:25Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -927,18 +832,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-10-28T20:51:15Z", + "updated": "2024-03-15T00:57:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-10-28T20:51:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:57:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -974,18 +874,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:10Z", + "updated": "2023-09-14T15:09:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:09:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1021,18 +916,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:01Z", + "updated": "2024-03-15T00:20:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:01Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:20:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1069,18 +959,13 @@ "cwe": [ "CWE-94", "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:14:51Z", + "updated": "2023-09-14T15:44:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:14:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:44:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1116,18 +1001,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:36Z", + "updated": "2023-09-14T15:47:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:36Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:47:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1163,18 +1043,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:02Z", + "updated": "2023-09-14T15:52:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:02Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:52:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1210,18 +1085,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:26Z", + "updated": "2023-09-14T15:53:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:26Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:53:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1257,18 +1127,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-11-19T20:13:06Z", + "updated": "2023-09-14T15:59:33Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-11-19T20:13:06Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:59:33Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1304,18 +1169,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:51Z", + "updated": "2023-09-14T16:01:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:01:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1351,18 +1211,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:59Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:59Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1398,18 +1253,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:42Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:42Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1445,18 +1295,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:10Z", + "updated": "2023-09-14T16:07:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1492,18 +1337,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:54Z", + "updated": "2023-09-14T16:07:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:54Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1539,18 +1379,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:46Z", + "updated": "2023-09-14T16:08:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:46Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:08:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1586,18 +1421,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:18Z", + "updated": "2023-09-14T16:13:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:18Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:13:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1633,18 +1463,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:34Z", + "updated": "2023-09-14T16:15:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:34Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:15:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1680,18 +1505,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:24Z", + "updated": "2023-11-21T11:40:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:24Z", - "label": "Date published" - }, - { - "data": "2023-11-21T11:40:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1727,18 +1547,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:00Z", + "updated": "2024-03-15T00:28:08Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:00Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:28:08Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1775,18 +1590,13 @@ "cwe": [ "CWE-502", "CWE-913" - ] + ], + "created": "", + "published": "2021-12-09T19:15:11Z", + "updated": "2024-06-25T13:47:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:11Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:47:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1823,18 +1633,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-15T00:14:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:14:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1870,18 +1675,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-01-20T21:20:15Z", + "updated": "2024-03-15T00:16:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-01-20T21:20:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:16:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1917,18 +1717,13 @@ ], "cwe": [ "CWE-787" - ] + ], + "created": "", + "published": "2022-03-12T00:00:36Z", + "updated": "2024-03-15T00:24:56Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-12T00:00:36Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:24:56Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1964,18 +1759,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2021-02-18T20:51:54Z", + "updated": "2024-03-15T00:31:24Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-02-18T20:51:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:31:24Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2011,18 +1801,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:11Z", + "updated": "2024-03-15T00:52:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:11Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:52:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2059,18 +1844,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-24T05:01:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-24T05:01:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2106,18 +1886,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:04Z", + "updated": "2024-07-03T21:10:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:04Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2155,18 +1930,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-04-10T18:42:20Z", + "updated": "2023-01-09T05:02:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-10T18:42:20Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:02:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2204,18 +1974,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-02-24T17:27:27Z", + "updated": "2024-06-05T16:42:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-02-24T17:27:27Z", - "label": "Date published" - }, - { - "data": "2024-06-05T16:42:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2253,18 +2018,13 @@ ], "cwe": [ "CWE-776" - ] + ], + "created": "", + "published": "2021-06-04T21:37:45Z", + "updated": "2023-05-22T20:17:58Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-04T21:37:45Z", - "label": "Date published" - }, - { - "data": "2023-05-22T20:17:58Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2301,18 +2061,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2349,18 +2104,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-11-11T19:00:31Z", + "updated": "2024-06-21T21:33:52Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-11-11T19:00:31Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:52Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2397,18 +2147,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2445,18 +2190,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2493,18 +2233,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2541,18 +2276,13 @@ "cwe": [ "CWE-400", "CWE-776" - ] + ], + "created": "", + "published": "2022-08-31T00:00:24Z", + "updated": "2024-03-15T19:06:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-08-31T00:00:24Z", - "label": "Date published" - }, - { - "data": "2024-03-15T19:06:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2589,18 +2319,13 @@ "cwe": [ "CWE-20", "CWE-502" - ] + ], + "created": "", + "published": "2022-12-12T21:19:47Z", + "updated": "2024-06-24T21:22:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-12-12T21:19:47Z", - "label": "Date published" - }, - { - "data": "2024-06-24T21:22:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2636,18 +2361,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-17T20:00:50Z", + "updated": "2023-01-30T05:04:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-17T20:00:50Z", - "label": "Date published" - }, - { - "data": "2023-01-30T05:04:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2683,18 +2403,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2023-11-29T12:30:16Z", + "updated": "2023-12-05T21:31:13Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-11-29T12:30:16Z", - "label": "Date published" - }, - { - "data": "2023-12-05T21:31:13Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2730,18 +2445,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2021-03-10T03:46:47Z", + "updated": "2023-02-01T05:05:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-10T03:46:47Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2777,18 +2487,13 @@ ], "cwe": [ "CWE-613" - ] + ], + "created": "", + "published": "2021-06-23T20:23:04Z", + "updated": "2023-02-01T05:05:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-23T20:23:04Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2826,18 +2531,13 @@ "CWE-400", "CWE-551", "CWE-755" - ] + ], + "created": "", + "published": "2021-04-06T17:31:30Z", + "updated": "2023-09-26T11:11:47Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-04-06T17:31:30Z", - "label": "Date published" - }, - { - "data": "2023-09-26T11:11:47Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2873,18 +2573,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2023-04-18T22:19:57Z", + "updated": "2023-11-06T05:01:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-18T22:19:57Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2921,18 +2616,13 @@ "cwe": [ "CWE-400", "CWE-770" - ] + ], + "created": "", + "published": "2023-04-19T18:15:45Z", + "updated": "2023-11-06T05:02:06Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-19T18:15:45Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:02:06Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2968,18 +2658,13 @@ ], "cwe": [ "CWE-226" - ] + ], + "created": "", + "published": "2020-12-02T18:28:18Z", + "updated": "2024-02-21T17:23:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-12-02T18:28:18Z", - "label": "Date published" - }, - { - "data": "2024-02-21T17:23:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3015,18 +2700,13 @@ ], "cwe": [ "CWE-20" - ] + ], + "created": "", + "published": "2022-07-07T20:55:34Z", + "updated": "2023-01-29T05:06:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:34Z", - "label": "Date published" - }, - { - "data": "2023-01-29T05:06:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3064,18 +2744,13 @@ ], "cwe": [ "CWE-130" - ] + ], + "created": "", + "published": "2023-09-14T16:17:27Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:17:27Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3115,18 +2790,13 @@ "CWE-378", "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2020-11-04T17:50:24Z", + "updated": "2023-11-27T23:07:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-11-04T17:50:24Z", - "label": "Date published" - }, - { - "data": "2023-11-27T23:07:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3162,18 +2832,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2023-07-10T21:52:39Z", + "updated": "2023-09-05T22:39:32Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-07-10T21:52:39Z", - "label": "Date published" - }, - { - "data": "2023-09-05T22:39:32Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3209,18 +2874,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2021-06-10T15:43:22Z", + "updated": "2023-02-01T05:05:51Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-10T15:43:22Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:51Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3258,18 +2918,13 @@ ], "cwe": [ "CWE-149" - ] + ], + "created": "", + "published": "2023-09-14T16:16:00Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:16:00Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3308,18 +2963,13 @@ "cwe": [ "CWE-200", "CWE-732" - ] + ], + "created": "", + "published": "2020-10-12T17:33:00Z", + "updated": "2023-02-01T05:04:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-10-12T17:33:00Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3355,7 +3005,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3391,7 +3045,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ 
@@ -3428,18 +3086,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-09T22:57:29Z", + "updated": "2024-06-27T16:39:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-09T22:57:29Z", - "label": "Date published" - }, - { - "data": "2024-06-27T16:39:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3475,18 +3128,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-10T23:05:04Z", + "updated": "2024-06-27T18:05:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-10T23:05:04Z", - "label": "Date published" - }, - { - "data": "2024-06-27T18:05:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3522,18 +3170,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2020-06-05T16:13:36Z", + "updated": "2023-01-27T05:02:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-05T16:13:36Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3569,18 +3212,13 @@ ], "cwe": [ "CWE-79" - ] + ], + "created": "", + "published": "2021-06-03T23:40:23Z", + "updated": "2023-02-01T05:05:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-03T23:40:23Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3616,18 +3254,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2022-03-05T00:00:45Z", + "updated": "2023-01-27T05:02:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-05T00:00:45Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3664,18 +3297,13 @@ "cwe": [ "CWE-400", "CWE-410" - ] + ], + "created": "", + "published": "2022-07-07T20:55:40Z", + "updated": "2023-07-24T19:39:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:40Z", - "label": "Date published" - }, - { - "data": "2023-07-24T19:39:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3711,18 +3339,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-10T21:28:24Z", + "updated": "2024-06-21T21:34:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:28:24Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:34:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3758,18 +3381,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2024-02-26T20:13:46Z", + "updated": "2024-05-02T18:38:19Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2024-02-26T20:13:46Z", - "label": "Date published" - }, - { - "data": "2024-05-02T18:38:19Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3805,18 +3423,13 @@ ], "cwe": [ "CWE-190" - ] + ], + "created": "", + "published": "2023-10-10T21:16:23Z", + "updated": "2024-06-21T21:33:57Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:16:23Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:57Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3854,18 +3467,13 @@ ], "cwe": [ "CWE-295" - ] + ], + "created": "", + "published": "2018-10-18T18:06:08Z", + "updated": "2023-01-09T05:03:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2018-10-18T18:06:08Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:03:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3901,18 +3509,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-24T01:49:09Z", + "updated": "2023-11-05T05:04:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-24T01:49:09Z", - "label": "Date published" - }, - { - "data": "2023-11-05T05:04:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3948,18 +3551,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-01-06T23:55:09Z", + "updated": "2023-02-25T00:31:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-06T23:55:09Z", - "label": "Date published" - }, - { - "data": "2023-02-25T00:31:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3997,18 +3595,13 @@ ], "cwe": [ "CWE-88" - ] + ], + "created": "", + "published": "2022-01-21T23:07:39Z", + "updated": "2023-08-18T15:47:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-21T23:07:39Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:47:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -4035,7 +3628,7 @@ ] } ], - "sha256": "9902bf99c7a943ca3bf57d11dec58a10fb723eb05d3e3094fdb723af75718cee" + "sha256": "03b83542495c79a3357c8fbaf3866ed19ef80d11dc9e784b483cfa177cdcbf00" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json index e87eea6038..dff9084bf6 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json 
@@ -31,18 +31,13 @@ "CWE-200", "CWE-378", "CWE-732" - ] + ], + "created": "", + "published": "2021-03-25T17:04:19Z", + "updated": "2023-11-09T18:44:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-25T17:04:19Z", - "label": "Date published" - }, - { - "data": "2023-11-09T18:44:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -81,18 +76,13 @@ "cwe": [ "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2023-06-14T18:30:38Z", + "updated": "2024-02-13T21:49:15Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-06-14T18:30:38Z", - "label": "Date published" - }, - { - "data": "2024-02-13T21:49:15Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -128,18 +118,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:08:40Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:08:40Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -175,18 +160,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:44Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:44Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -222,18 +202,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-10T21:12:41Z", + "updated": "2023-02-01T05:03:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-10T21:12:41Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -269,18 +244,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:50Z", + "updated": "2023-02-01T05:03:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -316,18 +286,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T20:19:02Z", + "updated": "2024-03-15T00:41:35Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T20:19:02Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:41:35Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -363,18 +328,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:47Z", + "updated": "2024-03-15T00:48:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:47Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:48:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -410,18 +370,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:54Z", + "updated": "2024-03-15T00:50:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:50:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -457,18 +412,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:36:03Z", + "updated": "2024-06-25T13:46:45Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:36:03Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:45Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -504,18 +454,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T16:32:59Z", + "updated": "2024-07-03T21:10:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T16:32:59Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -551,18 +496,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:50Z", + "updated": "2023-02-01T05:04:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -598,18 +538,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:43Z", + "updated": "2024-03-15T00:37:17Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:43Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:37:17Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -645,18 +580,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:46Z", + "updated": "2024-03-15T00:39:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:46Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:39:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -692,18 +622,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:48Z", + "updated": "2024-06-25T13:46:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:48Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -739,18 +664,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:14Z", + "updated": "2023-06-08T19:02:12Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:14Z", - "label": "Date published" - }, - { - "data": "2023-06-08T19:02:12Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -786,18 +706,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-07-15T19:41:47Z", + "updated": "2023-08-18T15:45:27Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-15T19:41:47Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:45:27Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -833,18 +748,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:27Z", + "updated": "2023-09-14T14:55:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:27Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -880,18 +790,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:38Z", + "updated": "2023-09-14T14:55:25Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:38Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:25Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -927,18 +832,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-10-28T20:51:15Z", + "updated": "2024-03-15T00:57:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-10-28T20:51:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:57:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -974,18 +874,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:10Z", + "updated": "2023-09-14T15:09:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:09:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1021,18 +916,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:01Z", + "updated": "2024-03-15T00:20:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:01Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:20:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1069,18 +959,13 @@ "cwe": [ "CWE-94", "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:14:51Z", + "updated": "2023-09-14T15:44:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:14:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:44:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1116,18 +1001,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:36Z", + "updated": "2023-09-14T15:47:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:36Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:47:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1163,18 +1043,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:02Z", + "updated": "2023-09-14T15:52:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:02Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:52:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1210,18 +1085,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:26Z", + "updated": "2023-09-14T15:53:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:26Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:53:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1257,18 +1127,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-11-19T20:13:06Z", + "updated": "2023-09-14T15:59:33Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-11-19T20:13:06Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:59:33Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1304,18 +1169,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:51Z", + "updated": "2023-09-14T16:01:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:01:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1351,18 +1211,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:59Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:59Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1398,18 +1253,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:42Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:42Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1445,18 +1295,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:10Z", + "updated": "2023-09-14T16:07:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1492,18 +1337,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:54Z", + "updated": "2023-09-14T16:07:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:54Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1539,18 +1379,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:46Z", + "updated": "2023-09-14T16:08:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:46Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:08:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1586,18 +1421,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:18Z", + "updated": "2023-09-14T16:13:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:18Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:13:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1633,18 +1463,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:34Z", + "updated": "2023-09-14T16:15:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:34Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:15:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1680,18 +1505,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:24Z", + "updated": "2023-11-21T11:40:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:24Z", - "label": "Date published" - }, - { - "data": "2023-11-21T11:40:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1727,18 +1547,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:00Z", + "updated": "2024-03-15T00:28:08Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:00Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:28:08Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1775,18 +1590,13 @@ "cwe": [ "CWE-502", "CWE-913" - ] + ], + "created": "", + "published": "2021-12-09T19:15:11Z", + "updated": "2024-06-25T13:47:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:11Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:47:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1823,18 +1633,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-15T00:14:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:14:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1870,18 +1675,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-01-20T21:20:15Z", + "updated": "2024-03-15T00:16:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-01-20T21:20:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:16:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1917,18 +1717,13 @@ ], "cwe": [ "CWE-787" - ] + ], + "created": "", + "published": "2022-03-12T00:00:36Z", + "updated": "2024-03-15T00:24:56Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-12T00:00:36Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:24:56Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1964,18 +1759,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2021-02-18T20:51:54Z", + "updated": "2024-03-15T00:31:24Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-02-18T20:51:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:31:24Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2011,18 +1801,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:11Z", + "updated": "2024-03-15T00:52:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:11Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:52:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2059,18 +1844,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-24T05:01:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-24T05:01:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2106,18 +1886,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:04Z", + "updated": "2024-07-03T21:10:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:04Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2155,18 +1930,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-04-10T18:42:20Z", + "updated": "2023-01-09T05:02:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-10T18:42:20Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:02:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2204,18 +1974,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-02-24T17:27:27Z", + "updated": "2024-06-05T16:42:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-02-24T17:27:27Z", - "label": "Date published" - }, - { - "data": "2024-06-05T16:42:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2253,18 +2018,13 @@ ], "cwe": [ "CWE-776" - ] + ], + "created": "", + "published": "2021-06-04T21:37:45Z", + "updated": "2023-05-22T20:17:58Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-04T21:37:45Z", - "label": "Date published" - }, - { - "data": "2023-05-22T20:17:58Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2301,18 +2061,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2349,18 +2104,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-11-11T19:00:31Z", + "updated": "2024-06-21T21:33:52Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-11-11T19:00:31Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:52Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2397,18 +2147,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2445,18 +2190,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2493,18 +2233,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2541,18 +2276,13 @@ "cwe": [ "CWE-400", "CWE-776" - ] + ], + "created": "", + "published": "2022-08-31T00:00:24Z", + "updated": "2024-03-15T19:06:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-08-31T00:00:24Z", - "label": "Date published" - }, - { - "data": "2024-03-15T19:06:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2589,18 +2319,13 @@ "cwe": [ "CWE-20", "CWE-502" - ] + ], + "created": "", + "published": "2022-12-12T21:19:47Z", + "updated": "2024-06-24T21:22:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-12-12T21:19:47Z", - "label": "Date published" - }, - { - "data": "2024-06-24T21:22:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2636,18 +2361,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-17T20:00:50Z", + "updated": "2023-01-30T05:04:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-17T20:00:50Z", - "label": "Date published" - }, - { - "data": "2023-01-30T05:04:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2683,18 +2403,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2023-11-29T12:30:16Z", + "updated": "2023-12-05T21:31:13Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-11-29T12:30:16Z", - "label": "Date published" - }, - { - "data": "2023-12-05T21:31:13Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2736,18 +2451,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2021-03-10T03:46:47Z", + "updated": "2023-02-01T05:05:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-10T03:46:47Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2783,18 +2493,13 @@ ], "cwe": [ "CWE-613" - ] + ], + "created": "", + "published": "2021-06-23T20:23:04Z", + "updated": "2023-02-01T05:05:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-23T20:23:04Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2832,18 +2537,13 @@ "CWE-400", "CWE-551", "CWE-755" - ] + ], + "created": "", + "published": "2021-04-06T17:31:30Z", + "updated": "2023-09-26T11:11:47Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-04-06T17:31:30Z", - "label": "Date published" - }, - { - "data": "2023-09-26T11:11:47Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2879,18 +2579,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2023-04-18T22:19:57Z", + "updated": "2023-11-06T05:01:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-18T22:19:57Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2927,18 +2622,13 @@ "cwe": [ "CWE-400", "CWE-770" - ] + ], + "created": "", + "published": "2023-04-19T18:15:45Z", + "updated": "2023-11-06T05:02:06Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-19T18:15:45Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:02:06Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2974,18 +2664,13 @@ ], "cwe": [ "CWE-226" - ] + ], + "created": "", + "published": "2020-12-02T18:28:18Z", + "updated": "2024-02-21T17:23:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-12-02T18:28:18Z", - "label": "Date published" - }, - { - "data": "2024-02-21T17:23:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3021,18 +2706,13 @@ ], "cwe": [ "CWE-20" - ] + ], + "created": "", + "published": "2022-07-07T20:55:34Z", + "updated": "2023-01-29T05:06:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:34Z", - "label": "Date published" - }, - { - "data": "2023-01-29T05:06:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3070,18 +2750,13 @@ ], "cwe": [ "CWE-130" - ] + ], + "created": "", + "published": "2023-09-14T16:17:27Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:17:27Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3121,18 +2796,13 @@ "CWE-378", "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2020-11-04T17:50:24Z", + "updated": "2023-11-27T23:07:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-11-04T17:50:24Z", - "label": "Date published" - }, - { - "data": "2023-11-27T23:07:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3168,18 +2838,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2023-07-10T21:52:39Z", + "updated": "2023-09-05T22:39:32Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-07-10T21:52:39Z", - "label": "Date published" - }, - { - "data": "2023-09-05T22:39:32Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3215,18 +2880,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2021-06-10T15:43:22Z", + "updated": "2023-02-01T05:05:51Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-10T15:43:22Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:51Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3264,18 +2924,13 @@ ], "cwe": [ "CWE-149" - ] + ], + "created": "", + "published": "2023-09-14T16:16:00Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:16:00Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3314,18 +2969,13 @@ "cwe": [ "CWE-200", "CWE-732" - ] + ], + "created": "", + "published": "2020-10-12T17:33:00Z", + "updated": "2023-02-01T05:04:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-10-12T17:33:00Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3361,7 +3011,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3397,7 +3051,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3434,18 +3092,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-09T22:57:29Z", + "updated": "2024-06-27T16:39:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-09T22:57:29Z", - "label": "Date published" - }, - { - "data": "2024-06-27T16:39:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3481,18 +3134,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-10T23:05:04Z", + "updated": "2024-06-27T18:05:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-10T23:05:04Z", - "label": "Date published" - }, - { - "data": "2024-06-27T18:05:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3528,18 +3176,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2020-06-05T16:13:36Z", + "updated": "2023-01-27T05:02:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-05T16:13:36Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3575,18 +3218,13 @@ ], "cwe": [ "CWE-79" - ] + ], + "created": "", + "published": "2021-06-03T23:40:23Z", + "updated": "2023-02-01T05:05:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-03T23:40:23Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3622,18 +3260,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2022-03-05T00:00:45Z", + "updated": "2023-01-27T05:02:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-05T00:00:45Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3670,18 +3303,13 @@ "cwe": [ "CWE-400", "CWE-410" - ] + ], + "created": "", + "published": "2022-07-07T20:55:40Z", + "updated": "2023-07-24T19:39:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:40Z", - "label": "Date published" - }, - { - "data": "2023-07-24T19:39:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3717,18 +3345,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-10T21:28:24Z", + "updated": "2024-06-21T21:34:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:28:24Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:34:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3770,18 +3393,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2024-02-26T20:13:46Z", + "updated": "2024-05-02T18:38:19Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2024-02-26T20:13:46Z", - "label": "Date published" - }, - { - "data": "2024-05-02T18:38:19Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3817,18 +3435,13 @@ ], "cwe": [ "CWE-190" - ] + ], + "created": "", + "published": "2023-10-10T21:16:23Z", + "updated": "2024-06-21T21:33:57Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:16:23Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:57Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3866,18 +3479,13 @@ ], "cwe": [ "CWE-295" - ] + ], + "created": "", + "published": "2018-10-18T18:06:08Z", + "updated": "2023-01-09T05:03:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2018-10-18T18:06:08Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:03:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3913,18 +3521,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-24T01:49:09Z", + "updated": "2023-11-05T05:04:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-24T01:49:09Z", - "label": "Date published" - }, - { - "data": "2023-11-05T05:04:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3960,18 +3563,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-01-06T23:55:09Z", + "updated": "2023-02-25T00:31:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-06T23:55:09Z", - "label": "Date published" - }, - { - "data": "2023-02-25T00:31:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -4009,18 +3607,13 @@ ], "cwe": [ "CWE-88" - ] + ], + "created": "", + "published": "2022-01-21T23:07:39Z", + "updated": "2023-08-18T15:47:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-21T23:07:39Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:47:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -4047,7 +3640,7 @@ ] } ], - "sha256": "423500d681549aa5606b24248ba94a5e2801d4a5394a672d8b1292d679fe0cfc" + "sha256": "bf70242005c6b5e676974f138b98d38be83bb0d941a8a31a8985a17567976521" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json index cbb436af50..380c7645cf 100644 
--- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json @@ -31,18 +31,13 @@ "CWE-200", "CWE-378", "CWE-732" - ] + ], + "created": "", + "published": "2021-03-25T17:04:19Z", + "updated": "2023-11-09T18:44:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-25T17:04:19Z", - "label": "Date published" - }, - { - "data": "2023-11-09T18:44:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -81,18 +76,13 @@ "cwe": [ "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2023-06-14T18:30:38Z", + "updated": "2024-02-13T21:49:15Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-06-14T18:30:38Z", - "label": "Date published" - }, - { - "data": "2024-02-13T21:49:15Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -128,18 +118,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:08:40Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:08:40Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -175,18 +160,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:44Z", + "updated": "2023-02-01T05:02:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:44Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:02:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -222,18 +202,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-10T21:12:41Z", + "updated": "2023-02-01T05:03:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-10T21:12:41Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -269,18 +244,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:50Z", + "updated": "2023-02-01T05:03:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:03:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -316,18 +286,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T20:19:02Z", + "updated": "2024-03-15T00:41:35Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T20:19:02Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:41:35Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -363,18 +328,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:47Z", + "updated": "2024-03-15T00:48:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:47Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:48:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -410,18 +370,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:58:54Z", + "updated": "2024-03-15T00:50:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:58:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:50:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -457,18 +412,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T21:36:03Z", + "updated": "2024-06-25T13:46:45Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T21:36:03Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:45Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -504,18 +454,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-04-23T16:32:59Z", + "updated": "2024-07-03T21:10:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-23T16:32:59Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -551,18 +496,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:50Z", + "updated": "2023-02-01T05:04:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:50Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -598,18 +538,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:43Z", + "updated": "2024-03-15T00:37:17Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:43Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:37:17Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -645,18 +580,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:46Z", + "updated": "2024-03-15T00:39:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:46Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:39:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -692,18 +622,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-06-18T14:44:48Z", + "updated": "2024-06-25T13:46:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-18T14:44:48Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:46:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -739,18 +664,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:14Z", + "updated": "2023-06-08T19:02:12Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:14Z", - "label": "Date published" - }, - { - "data": "2023-06-08T19:02:12Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -786,18 +706,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-07-15T19:41:47Z", + "updated": "2023-08-18T15:45:27Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-15T19:41:47Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:45:27Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -833,18 +748,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:27Z", + "updated": "2023-09-14T14:55:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:27Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -880,18 +790,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-11-13T00:32:38Z", + "updated": "2023-09-14T14:55:25Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-11-13T00:32:38Z", - "label": "Date published" - }, - { - "data": "2023-09-14T14:55:25Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -927,18 +832,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2019-10-28T20:51:15Z", + "updated": "2024-03-15T00:57:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2019-10-28T20:51:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:57:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -974,18 +874,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:10Z", + "updated": "2023-09-14T15:09:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:09:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1021,18 +916,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:01Z", + "updated": "2024-03-15T00:20:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:01Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:20:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1069,18 +959,13 @@ "cwe": [ "CWE-94", "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:14:51Z", + "updated": "2023-09-14T15:44:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:14:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:44:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1116,18 +1001,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:36Z", + "updated": "2023-09-14T15:47:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:36Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:47:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1163,18 +1043,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:02Z", + "updated": "2023-09-14T15:52:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:02Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:52:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1210,18 +1085,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:26Z", + "updated": "2023-09-14T15:53:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:26Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:53:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1257,18 +1127,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-11-19T20:13:06Z", + "updated": "2023-09-14T15:59:33Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-11-19T20:13:06Z", - "label": "Date published" - }, - { - "data": "2023-09-14T15:59:33Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1304,18 +1169,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:51Z", + "updated": "2023-09-14T16:01:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:51Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:01:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1351,18 +1211,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:59Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:59Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1398,18 +1253,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:42Z", + "updated": "2023-09-14T16:04:22Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:42Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:04:22Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1445,18 +1295,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:10Z", + "updated": "2023-09-14T16:07:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:10Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1492,18 +1337,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:54Z", + "updated": "2023-09-14T16:07:40Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:54Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:07:40Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1539,18 +1379,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:46Z", + "updated": "2023-09-14T16:08:37Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:46Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:08:37Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1586,18 +1421,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:18Z", + "updated": "2023-09-14T16:13:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:18Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:13:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1633,18 +1463,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:16:34Z", + "updated": "2023-09-14T16:15:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:16:34Z", - "label": "Date published" - }, - { - "data": "2023-09-14T16:15:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1680,18 +1505,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:24Z", + "updated": "2023-11-21T11:40:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:24Z", - "label": "Date published" - }, - { - "data": "2023-11-21T11:40:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1727,18 +1547,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-09T19:15:00Z", + "updated": "2024-03-15T00:28:08Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:00Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:28:08Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1775,18 +1590,13 @@ "cwe": [ "CWE-502", "CWE-913" - ] + ], + "created": "", + "published": "2021-12-09T19:15:11Z", + "updated": "2024-06-25T13:47:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-09T19:15:11Z", - "label": "Date published" - }, - { - "data": "2024-06-25T13:47:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1823,18 +1633,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-15T00:14:44Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:14:44Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -1870,18 +1675,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-01-20T21:20:15Z", + "updated": "2024-03-15T00:16:04Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-01-20T21:20:15Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:16:04Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1917,18 +1717,13 @@ ], "cwe": [ "CWE-787" - ] + ], + "created": "", + "published": "2022-03-12T00:00:36Z", + "updated": "2024-03-15T00:24:56Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-12T00:00:36Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:24:56Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -1964,18 +1759,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2021-02-18T20:51:54Z", + "updated": "2024-03-15T00:31:24Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-02-18T20:51:54Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:31:24Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2011,18 +1801,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-03-04T20:52:11Z", + "updated": "2024-03-15T00:52:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-03-04T20:52:11Z", - "label": "Date published" - }, - { - "data": "2024-03-15T00:52:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2059,18 +1844,13 @@ "cwe": [ "CWE-400", "CWE-502" - ] + ], + "created": "", + "published": "2022-10-03T00:00:31Z", + "updated": "2024-03-24T05:01:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-10-03T00:00:31Z", - "label": "Date published" - }, - { - "data": "2024-03-24T05:01:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2106,18 +1886,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2020-05-15T18:59:04Z", + "updated": "2024-07-03T21:10:31Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-05-15T18:59:04Z", - "label": "Date published" - }, - { - "data": "2024-07-03T21:10:31Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2155,18 +1930,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-04-10T18:42:20Z", + "updated": "2023-01-09T05:02:18Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-04-10T18:42:20Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:02:18Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2204,18 +1974,13 @@ ], "cwe": [ "CWE-74" - ] + ], + "created": "", + "published": "2020-02-24T17:27:27Z", + "updated": "2024-06-05T16:42:03Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-02-24T17:27:27Z", - "label": "Date published" - }, - { - "data": "2024-06-05T16:42:03Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2253,18 +2018,13 @@ ], "cwe": [ "CWE-776" - ] + ], + "created": "", + "published": "2021-06-04T21:37:45Z", + "updated": "2023-05-22T20:17:58Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-04T21:37:45Z", - "label": "Date published" - }, - { - "data": "2023-05-22T20:17:58Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2301,18 +2061,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2349,18 +2104,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-11-11T19:00:31Z", + "updated": "2024-06-21T21:33:52Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-11-11T19:00:31Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:52Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2397,18 +2147,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2445,18 +2190,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2493,18 +2233,13 @@ "cwe": [ "CWE-121", "CWE-787" - ] + ], + "created": "", + "published": "2022-09-06T00:00:27Z", + "updated": "2024-03-15T12:30:36Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-09-06T00:00:27Z", - "label": "Date published" - }, - { - "data": "2024-03-15T12:30:36Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2541,18 +2276,13 @@ "cwe": [ "CWE-400", "CWE-776" - ] + ], + "created": "", + "published": "2022-08-31T00:00:24Z", + "updated": "2024-03-15T19:06:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-08-31T00:00:24Z", - "label": "Date published" - }, - { - "data": "2024-03-15T19:06:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2589,18 +2319,13 @@ "cwe": [ "CWE-20", "CWE-502" - ] + ], + "created": "", + "published": "2022-12-12T21:19:47Z", + "updated": "2024-06-24T21:22:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-12-12T21:19:47Z", - "label": "Date published" - }, - { - "data": "2024-06-24T21:22:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2636,18 +2361,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2021-12-17T20:00:50Z", + "updated": "2023-01-30T05:04:55Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-12-17T20:00:50Z", - "label": "Date published" - }, - { - "data": "2023-01-30T05:04:55Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2683,18 +2403,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2023-11-29T12:30:16Z", + "updated": "2023-12-05T21:31:13Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-11-29T12:30:16Z", - "label": "Date published" - }, - { - "data": "2023-12-05T21:31:13Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2736,18 +2451,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2021-03-10T03:46:47Z", + "updated": "2023-02-01T05:05:09Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-03-10T03:46:47Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:09Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2783,18 +2493,13 @@ ], "cwe": [ "CWE-613" - ] + ], + "created": "", + "published": "2021-06-23T20:23:04Z", + "updated": "2023-02-01T05:05:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-23T20:23:04Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -2832,18 +2537,13 @@ "CWE-400", "CWE-551", "CWE-755" - ] + ], + "created": "", + "published": "2021-04-06T17:31:30Z", + "updated": "2023-09-26T11:11:47Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-04-06T17:31:30Z", - "label": "Date published" - }, - { - "data": "2023-09-26T11:11:47Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2879,18 +2579,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2023-04-18T22:19:57Z", + "updated": "2023-11-06T05:01:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-18T22:19:57Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2927,18 +2622,13 @@ "cwe": [ "CWE-400", "CWE-770" - ] + ], + "created": "", + "published": "2023-04-19T18:15:45Z", + "updated": "2023-11-06T05:02:06Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-04-19T18:15:45Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:02:06Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -2974,18 +2664,13 @@ ], "cwe": [ "CWE-226" - ] + ], + "created": "", + "published": "2020-12-02T18:28:18Z", + "updated": "2024-02-21T17:23:14Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-12-02T18:28:18Z", - "label": "Date published" - }, - { - "data": "2024-02-21T17:23:14Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3021,18 +2706,13 @@ ], "cwe": [ "CWE-20" - ] + ], + "created": "", + "published": "2022-07-07T20:55:34Z", + "updated": "2023-01-29T05:06:01Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:34Z", - "label": "Date published" - }, - { - "data": "2023-01-29T05:06:01Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3070,18 +2750,13 @@ ], "cwe": [ "CWE-130" - ] + ], + "created": "", + "published": "2023-09-14T16:17:27Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:17:27Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3121,18 +2796,13 @@ "CWE-378", "CWE-379", "CWE-552" - ] + ], + "created": "", + "published": "2020-11-04T17:50:24Z", + "updated": "2023-11-27T23:07:53Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-11-04T17:50:24Z", - "label": "Date published" - }, - { - "data": "2023-11-27T23:07:53Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3168,18 +2838,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2023-07-10T21:52:39Z", + "updated": "2023-09-05T22:39:32Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-07-10T21:52:39Z", - "label": "Date published" - }, - { - "data": "2023-09-05T22:39:32Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3215,18 +2880,13 @@ ], "cwe": [ "CWE-200" - ] + ], + "created": "", + "published": "2021-06-10T15:43:22Z", + "updated": "2023-02-01T05:05:51Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-10T15:43:22Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:51Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3264,18 +2924,13 @@ ], "cwe": [ "CWE-149" - ] + ], + "created": "", + "published": "2023-09-14T16:16:00Z", + "updated": "2023-11-06T05:01:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-09-14T16:16:00Z", - "label": "Date published" - }, - { - "data": "2023-11-06T05:01:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3314,18 +2969,13 @@ "cwe": [ "CWE-200", "CWE-732" - ] + ], + "created": "", + "published": "2020-10-12T17:33:00Z", + "updated": "2023-02-01T05:04:50Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-10-12T17:33:00Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:04:50Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3361,7 +3011,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3397,7 +3051,11 @@ "CCI-002605", "CCI-001643" ], - "cwe": [] + "cwe": [], + "created": "", + "published": "", + "updated": "", + "rejected": "" }, "descriptions": [], "refs": [ @@ -3434,18 +3092,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-09T22:57:29Z", + "updated": "2024-06-27T16:39:59Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-09T22:57:29Z", - "label": "Date published" - }, - { - "data": "2024-06-27T16:39:59Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3481,18 +3134,13 @@ ], "cwe": [ "CWE-89" - ] + ], + "created": "", + "published": "2022-02-10T23:05:04Z", + "updated": "2024-06-27T18:05:49Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-02-10T23:05:04Z", - "label": "Date published" - }, - { - "data": "2024-06-27T18:05:49Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3528,18 +3176,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2020-06-05T16:13:36Z", + "updated": "2023-01-27T05:02:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2020-06-05T16:13:36Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3575,18 +3218,13 @@ ], "cwe": [ "CWE-79" - ] + ], + "created": "", + "published": "2021-06-03T23:40:23Z", + "updated": "2023-02-01T05:05:30Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2021-06-03T23:40:23Z", - "label": "Date published" - }, - { - "data": "2023-02-01T05:05:30Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3622,18 +3260,13 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "", + "published": "2022-03-05T00:00:45Z", + "updated": "2023-01-27T05:02:46Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-03-05T00:00:45Z", - "label": "Date published" - }, - { - "data": "2023-01-27T05:02:46Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3670,18 +3303,13 @@ "cwe": [ "CWE-400", "CWE-410" - ] + ], + "created": "", + "published": "2022-07-07T20:55:40Z", + "updated": "2023-07-24T19:39:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-07-07T20:55:40Z", - "label": "Date published" - }, - { - "data": "2023-07-24T19:39:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3717,18 +3345,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-10T21:28:24Z", + "updated": "2024-06-21T21:34:00Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:28:24Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:34:00Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3770,18 +3393,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2024-02-26T20:13:46Z", + "updated": "2024-05-02T18:38:19Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2024-02-26T20:13:46Z", - "label": "Date published" - }, - { - "data": "2024-05-02T18:38:19Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -3817,18 +3435,13 @@ ], "cwe": [ "CWE-190" - ] + ], + "created": "", + "published": "2023-10-10T21:16:23Z", + "updated": "2024-06-21T21:33:57Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-10T21:16:23Z", - "label": "Date published" - }, - { - "data": "2024-06-21T21:33:57Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3866,18 +3479,13 @@ ], "cwe": [ "CWE-295" - ] + ], + "created": "", + "published": "2018-10-18T18:06:08Z", + "updated": "2023-01-09T05:03:38Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2018-10-18T18:06:08Z", - "label": "Date published" - }, - { - "data": "2023-01-09T05:03:38Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3913,18 +3521,13 @@ ], "cwe": [ "CWE-400" - ] + ], + "created": "", + "published": "2023-10-24T01:49:09Z", + "updated": "2023-11-05T05:04:23Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2023-10-24T01:49:09Z", - "label": "Date published" - }, - { - "data": "2023-11-05T05:04:23Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -3960,18 +3563,13 @@ ], "cwe": [ "CWE-502" - ] + ], + "created": "", + "published": "2022-01-06T23:55:09Z", + "updated": "2023-02-25T00:31:20Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-06T23:55:09Z", - "label": "Date published" - }, - { - "data": "2023-02-25T00:31:20Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ @@ -4009,18 +3607,13 @@ ], "cwe": [ "CWE-88" - ] + ], + "created": "", + "published": "2022-01-21T23:07:39Z", + "updated": "2023-08-18T15:47:05Z", + "rejected": "" }, - "descriptions": [ - { - "data": "2022-01-21T23:07:39Z", - "label": "Date published" - }, - { - "data": "2023-08-18T15:47:05Z", - "label": "Date updated" - } - ], + "descriptions": [], "refs": [ { "ref": [ 
@@ -4047,7 +3640,7 @@ ] } ], - "sha256": "423500d681549aa5606b24248ba94a5e2801d4a5394a672d8b1292d679fe0cfc" + "sha256": "bf70242005c6b5e676974f138b98d38be83bb0d941a8a31a8985a17567976521" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json index 097e0f174f..e7a30d0822 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json @@ -24,7 +24,11 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "2020-12-03T00:00:00.000Z", + "published": "2020-12-03T00:00:00.000Z", + "updated": "2021-10-26T00:00:00.000Z", + "rejected": "" }, "descriptions": [ { @@ -35,18 +39,6 @@ "data": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.", "label": "Recommendation" }, - { - "data": "2020-12-03T00:00:00.000Z", - "label": "Date created" - }, - { - "data": "2020-12-03T00:00:00.000Z", - "label": "Date published" - }, - { - "data": "2021-10-26T00:00:00.000Z", - "label": "Date updated" - }, { "data": "{\n \"individuals\": [\n {\n \"name\": \"Bartosz Baranowski\"\n }\n ]\n}", "label": "Credits" @@ -105,7 +97,7 @@ ] } ], - "sha256": "ff54a575f2b6ba5b71509d4333cf7d81e8222be0d6f020b401421db15fdb371a" + "sha256": "de340123e25d2d20c70b9ffc2f7f9f59d264b331ea37b662be6def8a5eb7705b" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json index eb977a21be..4b9730ecac 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json 
@@ -24,7 +24,11 @@ ], "cwe": [ "CWE-611" - ] + ], + "created": "2020-12-03T00:00:00.000Z", + "published": "2020-12-03T00:00:00.000Z", + "updated": "2021-10-26T00:00:00.000Z", + "rejected": "" }, "descriptions": [ { @@ -35,18 +39,6 @@ "data": "Upgrade com.fasterxml.jackson.core:jackson-databind to version 2.6.7.4, 2.9.10.7, 2.10.5.1 or higher.", "label": "Recommendation" }, - { - "data": "2020-12-03T00:00:00.000Z", - "label": "Date created" - }, - { - "data": "2020-12-03T00:00:00.000Z", - "label": "Date published" - }, - { - "data": "2021-10-26T00:00:00.000Z", - "label": "Date updated" - }, { "data": "{\n \"individuals\": [\n {\n \"name\": \"Bartosz Baranowski\"\n }\n ]\n}", "label": "Credits" @@ -105,7 +97,7 @@ ] } ], - "sha256": "ff54a575f2b6ba5b71509d4333cf7d81e8222be0d6f020b401421db15fdb371a" + "sha256": "de340123e25d2d20c70b9ffc2f7f9f59d264b331ea37b662be6def8a5eb7705b" } ], "passthrough": { diff --git a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts index d2faced269..43cceef3a2 100644 --- a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts +++ b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts @@ -293,13 +293,16 @@ export class CycloneDXSBOMMapper extends BaseConverter { license: { path: 'raw.metadata.component', transformer: (input: Component): string | undefined => { - let message = ''; - if (Array.isArray(input.licenses)) { - // Join together all applicable licenses for this component - input.licenses.map((license) => { - message = message.concat(`${license.license.id}, `); - }); - return message.slice(0, -2); + if (input.licenses) { + // Certain license reports only provide the license name in the `name` field + // Check there first and then default to `id` + return [..._.cloneDeep(input.licenses)] + .map((license) => + _.has(license, 'license.name') + ? _.get(license, 'license.name') + : _.get(license, 'license.id') + ) + .join(', '); } // If there are no found licenses, remove field return undefined; 
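Review bot: The new `if (input.licenses)` drops the `Array.isArray` guard the removed code had, so a `licenses` value that is a non-array object in an untrusted SBOM now throws a TypeError at the spread `[..._.cloneDeep(input.licenses)]` and aborts the whole conversion instead of omitting the field; the `cloneDeep` and spread also buy nothing for a read-only `map`. Restore the guard with `if (Array.isArray(input.licenses) && input.licenses.length > 0) {` and map `input.licenses` directly. Using `_.has` means an entry whose `license.name` key exists but is empty is emitted as an empty element of the joined string; `_.get(license, 'license.name') || _.get(license, 'license.id')` picks the first non-empty value instead, and if the input may carry the CycloneDX `expression` form of a license choice, a final `|| _.get(license, 'expression')` fallback keeps SPDX expressions from collapsing to empty entries. The enclosing mapping object starts before the hunk.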
@@ -323,7 +326,11 @@ export class CycloneDXSBOMMapper extends BaseConverter { transformer: (input: CweRepository): string[] => getCCIsForNISTTags(getNISTTags(input)) }, - cwe: {path: 'cwes', transformer: formatCWETags} + cwe: {path: 'cwes', transformer: formatCWETags}, + created: {path: 'created'}, + published: {path: 'published'}, + updated: {path: 'updated'}, + rejected: {path: 'rejected'} }, descriptions: [ { @@ -351,26 +358,6 @@ export class CycloneDXSBOMMapper extends BaseConverter { } : undefined } as unknown as ExecJSON.ControlDescription, - { - path: 'created', - transformer: (input: Record) => - input ? {data: input, label: 'Date created'} : undefined - } as unknown as ExecJSON.ControlDescription, - { - path: 'published', - transformer: (input: Record) => - input ? {data: input, label: 'Date published'} : undefined - } as unknown as ExecJSON.ControlDescription, - { - path: 'updated', - transformer: (input: Record) => - input ? {data: input, label: 'Date updated'} : undefined - } as unknown as ExecJSON.ControlDescription, - { - path: 'rejected', - transformer: (input: Record) => - input ? {data: input, label: 'Date rejected'} : undefined - } as unknown as ExecJSON.ControlDescription, { path: 'credits', transformer: (input: Record) => From ef3f64e13a7ccf39dca3a0e90dd7374649571c43 Mon Sep 17 00:00:00 2001 From: Charles Hu Date: Mon, 12 Aug 2024 11:39:34 -0400 Subject: [PATCH 3/3] Ref refactor Signed-off-by: Charles Hu --- .../sbom-dropwizard-vex-hdf-withraw.json | 620 +++++++++++------- .../sbom-dropwizard-vex-hdf.json | 620 +++++++++++------- .../sbom-dropwizard-vulns-hdf-withraw.json | 620 +++++++++++------- .../sbom-dropwizard-vulns-hdf.json | 620 +++++++++++------- .../sbom-vex-hdf-withraw.json | 58 +- .../cyclonedx_sbom_mapper/sbom-vex-hdf.json | 58 +- .../src/cyclonedx-sbom-mapper.ts | 27 +- 7 files changed, 1652 insertions(+), 971 deletions(-) 
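Review bot: The four new tag entries `created`/`published`/`updated`/`rejected` have no transformer, and the regenerated sample JSON earlier in this patch shows what that yields for vulnerabilities lacking those fields: `"created": ""` and `"rejected": ""` are emitted as empty strings, whereas the removed description entries used `input ? … : undefined` to omit an absent date. An empty string in a date-valued tag is easy to misparse downstream (`new Date('')` is an invalid date) and is indistinguishable from a source that deliberately published an empty value. Suggest keeping the omit-when-absent behaviour, e.g. `created: {path: 'created', transformer: (d?: string) => d || undefined},` and likewise for the other three, so the tag is dropped rather than set to `""`. Whether the base converter turns a missing path into `""` is decided outside this hunk, but the fixture output is consistent with that. The enclosing `tags` object starts before the hunk.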
diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json index 3f0a48f297..642034a596 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf-withraw.json @@ -42,14 +42,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine...", + "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "id": "GHSA-5mg8-w23w-74h3", "desc": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "impact": 0.3, 
@@ -87,14 +89,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix...", + "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "id": "GHSA-7g45-4rm6-3mm3", "desc": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "impact": 0.5, @@ -129,8 +133,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -171,8 +177,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -213,8 +221,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -255,14 +265,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "id": "GHSA-v3xw-c963-f5hc", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "impact": 0.7, @@ -297,8 +309,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -339,8 +353,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -381,8 +397,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -423,8 +441,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -465,8 +485,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -507,14 +529,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "id": "GHSA-c2q3-4qrh-fm48", "desc": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "impact": 0.7, @@ -549,8 +573,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -591,8 +617,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -633,8 +661,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -675,14 +705,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "id": "GHSA-4w82-r329-3q67", "desc": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "impact": 1, @@ -717,14 +749,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class...", + "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "id": "GHSA-rpr3-cw39-3pxh", "desc": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "impact": 0.7, 
@@ -759,14 +793,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "id": "GHSA-fmmc-742q-jg75", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "impact": 1, 
@@ -801,14 +837,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "id": "GHSA-gjmw-vf9h-g25v", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "impact": 1, 
@@ -843,14 +881,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "id": "GHSA-mx7p-6679-8g3q", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "impact": 1, 
@@ -885,14 +925,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "id": "GHSA-q93h-jc49-78gg", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "impact": 1, @@ -927,14 +969,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "id": "GHSA-p43x-xfjf-5jhr", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "impact": 1, 
@@ -970,14 +1014,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the...", + "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "id": "GHSA-h3cw-g4mq-c5x2", "desc": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "impact": 0.7, @@ -1012,14 +1058,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "id": "GHSA-qjw2-hr98-qgfh", "desc": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "impact": 0.7, 
@@ -1054,8 +1102,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1096,8 +1146,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1138,8 +1190,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1180,8 +1234,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1222,8 +1278,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1264,8 +1322,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1306,8 +1366,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1348,8 +1410,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1390,8 +1454,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1432,8 +1498,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1474,8 +1542,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1516,14 +1586,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "id": "GHSA-5r5r-6hpj-8gg9", "desc": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "impact": 0.7, @@ -1558,8 +1630,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1601,8 +1675,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1644,14 +1720,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of...", + "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "id": "GHSA-jjjh-jjxp-wpff", "desc": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. 
Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "impact": 0.7, @@ -1686,14 +1764,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The...", + "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "id": "GHSA-5949-rw7g-wx7w", "desc": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "impact": 0.7, 
@@ -1728,14 +1808,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of...", + "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "id": "GHSA-57j2-w4cx-62h2", "desc": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "impact": 0.7, @@ -1770,14 +1852,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows...", + "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "id": "GHSA-288c-cq4h-88gq", "desc": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "impact": 0.7, @@ -1812,8 +1896,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1855,14 +1941,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a...", + "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "id": "GHSA-rgv9-q543-rqg4", "desc": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "impact": 0.7, @@ -1897,8 +1985,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1941,14 +2031,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary...", + "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-8jpx-m2wh-2v34", "desc": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. 
If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "impact": 0.7, 
@@ -1985,14 +2077,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard...", + "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. ### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-3mcp-9wr4-cjqf", "desc": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. 
### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. 
### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published 
channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "impact": 0.7, @@ -2029,8 +2123,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -2072,14 +2168,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is...", + "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", "id": "GHSA-9w3m-gqgf-c4p9", "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.", "impact": 0.5, 
@@ -2115,14 +2213,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser...", + "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", "id": "GHSA-w37g-rhq8-7m4j", "desc": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.", "impact": 0.5, @@ -2158,14 +2258,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...", + "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "id": "GHSA-c4r9-r8fh-9vj2", "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "impact": 0.5, 
@@ -2201,14 +2303,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...", + "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "id": "GHSA-hhhw-99gj-p3c3", "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "impact": 0.5, @@ -2244,14 +2348,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...", + "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "id": "GHSA-98wm-3w3q-mw94", "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.", "impact": 0.5, 
@@ -2287,14 +2393,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth...", + "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "id": "GHSA-3mc7-4q67-w48m", "desc": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.", "impact": 0.7, 
@@ -2330,14 +2438,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new...", + "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022", "id": "GHSA-mjmj-j48q-9wg2", "desc": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022", "impact": 0.7, @@ -2372,14 +2482,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a...", + "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", "id": "GHSA-668q-qrv7-99fm", "desc": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.", "impact": 0.5, 
@@ -2414,14 +2526,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending...",
+ "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html",
 "id": "GHSA-vmq6-5m68-f53m",
 "desc": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html",
 "impact": 0.7,
@@ -2456,14 +2570,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such...", + "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. - `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "id": "GHSA-m394-8rww-3jr7", "desc": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. 
- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "impact": 0.5, 
@@ -2498,14 +2614,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the...", + "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "id": "GHSA-m6cp-vxjx-65j6", "desc": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. 
The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "impact": 0.3, 
@@ -2542,14 +2660,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large...", + "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. ### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == 
SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "id": "GHSA-26vr-8j45-3r4w", "desc": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. 
### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. 
For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "impact": 0.7, 
@@ -2584,14 +2704,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior...", + "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "id": "GHSA-p26g-97m4-6q7c", "desc": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. 
If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "impact": 0.3, 
@@ -2627,14 +2749,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the...", + "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "id": "GHSA-qw69-rqj8-6qw8", "desc": "### Impact Servlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "impact": 0.5, 
@@ -2669,14 +2793,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection...", + "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "id": "GHSA-86wm-rrjm-8wh8", "desc": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. 
The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "impact": 0.5, 
@@ -2711,14 +2837,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with...", + "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. ### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-cj7v-27pg-wf7q", "desc": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. 
### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.3, 
@@ -2755,14 +2883,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive...", + "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "id": "GHSA-hmr7-m48g-48f6", "desc": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. 
There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "impact": 0.5, 
@@ -2801,14 +2931,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated...", + "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "id": "GHSA-g3wg-6mcf-8jj6", "desc": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "impact": 0.7, 
@@ -2843,14 +2975,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when...", + "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. 
### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "id": "GHSA-58qw-p7qm-5rvh", "desc": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. ### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "impact": 0.3, 
@@ -2885,14 +3019,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request...", + "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "id": "GHSA-gwcr-j4wh-j3cq", "desc": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. 
For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "impact": 0.5, 
@@ -2929,14 +3065,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the...", + "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. 
If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "id": "GHSA-3gh6-v5v9-6v9j", "desc": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. 
This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "impact": 0.3, 
@@ -2974,14 +3112,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static...", + "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. 
_This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. - Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "id": "GHSA-269g-pwp5-87pp", "desc": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. 
Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. 
- Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "impact": 0.5, @@ -3016,7 +3156,9 @@ { "ref": [ { - "name": "INTERNAL" + "source": { + "name": "INTERNAL" + } } ] } @@ -3056,7 +3198,9 @@ { "ref": [ { - "name": "INTERNAL" + "source": { + "name": "INTERNAL" + } } ] } 
@@ -3097,14 +3241,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A...", + "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.", "id": "GHSA-j8jw-g6fq-mp7h", "desc": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.", "impact": 0.7, 
@@ -3139,14 +3285,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation...", + "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", "id": "GHSA-8grg-q944-cch5", "desc": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.", "impact": 0.5, 
@@ -3181,14 +3329,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular...", + "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.", "id": "GHSA-hwj3-m3p6-hj38", "desc": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.", "impact": 1, 
@@ -3223,14 +3373,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the...", + "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", "id": "GHSA-7r82-7xv7-xcpj", "desc": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", "impact": 0.5, @@ -3265,14 +3417,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of...", + "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.", "id": "GHSA-jvfv-hrrc-6q72", "desc": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.", "impact": 1, 
@@ -3308,14 +3462,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from...", + "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-wgmr-mf83-7x4j", "desc": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. 
One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.7, 
@@ -3350,14 +3506,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should...", + "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. 
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "id": "GHSA-qppj-fm5r-hxr3", "desc": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. 
The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. 
## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "impact": 0.5, 
@@ -3392,14 +3550,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as...", + "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "id": "GHSA-rggv-cv7r-mw98", "desc": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. 
When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "impact": 0.7, 
@@ -3434,14 +3594,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following...", + "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. 
Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. 
Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "id": "GHSA-wgh7-54f2-x98r", "desc": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. 
Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) 
Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "impact": 0.7, 
@@ -3478,14 +3640,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to...", + "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.", "id": "GHSA-w4g2-9hj6-5472", "desc": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.", "impact": 0.5, 
@@ -3520,14 +3684,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a...", + "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = 
context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "id": "GHSA-mm8h-8587-p46h", "desc": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { 
ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "impact": 0.5, 
@@ -3562,14 +3728,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote...", + "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. 
### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.", "id": "GHSA-h376-j262-vhq6", "desc": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. ### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.", "impact": 1, 
@@ -3606,14 +3774,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring,...", + "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", "id": "GHSA-45hx-wfhj-473x", "desc": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", "impact": 1, @@ -3628,7 +3798,7 @@ ] } ], - "sha256": "03b83542495c79a3357c8fbaf3866ed19ef80d11dc9e784b483cfa177cdcbf00" + "sha256": "ba1925e7477830950378df78dd2403f10875a6c54b1c64e7566bb2922d516ff5" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json index f495576830..d47456cb31 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vex-hdf.json 
@@ -42,14 +42,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine...", + "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "id": "GHSA-5mg8-w23w-74h3", "desc": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "impact": 0.3, 
@@ -87,14 +89,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix...", + "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "id": "GHSA-7g45-4rm6-3mm3", "desc": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "impact": 0.5, @@ -129,8 +133,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -171,8 +177,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -213,8 +221,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -255,14 +265,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "id": "GHSA-v3xw-c963-f5hc", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "impact": 0.7, @@ -297,8 +309,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -339,8 +353,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -381,8 +397,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -423,8 +441,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -465,8 +485,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -507,14 +529,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "id": "GHSA-c2q3-4qrh-fm48", "desc": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "impact": 0.7, @@ -549,8 +573,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -591,8 +617,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -633,8 +661,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -675,14 +705,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "id": "GHSA-4w82-r329-3q67", "desc": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "impact": 1, @@ -717,14 +749,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class...", + "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "id": "GHSA-rpr3-cw39-3pxh", "desc": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "impact": 0.7, 
@@ -759,14 +793,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "id": "GHSA-fmmc-742q-jg75", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "impact": 1, 
@@ -801,14 +837,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "id": "GHSA-gjmw-vf9h-g25v", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "impact": 1, 
@@ -843,14 +881,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "id": "GHSA-mx7p-6679-8g3q", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "impact": 1, 
@@ -885,14 +925,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "id": "GHSA-q93h-jc49-78gg", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "impact": 1, @@ -927,14 +969,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "id": "GHSA-p43x-xfjf-5jhr", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "impact": 1, 
@@ -970,14 +1014,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the...", + "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "id": "GHSA-h3cw-g4mq-c5x2", "desc": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "impact": 0.7, @@ -1012,14 +1058,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "id": "GHSA-qjw2-hr98-qgfh", "desc": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "impact": 0.7, 
@@ -1054,8 +1102,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1096,8 +1146,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1138,8 +1190,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1180,8 +1234,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1222,8 +1278,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1264,8 +1322,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1306,8 +1366,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1348,8 +1410,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1390,8 +1454,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1432,8 +1498,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1474,8 +1542,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1516,14 +1586,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "id": "GHSA-5r5r-6hpj-8gg9", "desc": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "impact": 0.7, @@ -1558,8 +1630,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1601,8 +1675,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1644,14 +1720,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of...", + "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "id": "GHSA-jjjh-jjxp-wpff", "desc": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. 
Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "impact": 0.7, @@ -1686,14 +1764,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The...", + "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "id": "GHSA-5949-rw7g-wx7w", "desc": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "impact": 0.7, 
@@ -1728,14 +1808,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of...", + "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "id": "GHSA-57j2-w4cx-62h2", "desc": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "impact": 0.7, @@ -1770,14 +1852,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows...", + "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "id": "GHSA-288c-cq4h-88gq", "desc": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "impact": 0.7, @@ -1812,8 +1896,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1855,14 +1941,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a...", + "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "id": "GHSA-rgv9-q543-rqg4", "desc": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "impact": 0.7, @@ -1897,8 +1985,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1941,14 +2031,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary...", + "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-8jpx-m2wh-2v34", "desc": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. 
If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "impact": 0.7, 
@@ -1985,14 +2077,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard...", + "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. ### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-3mcp-9wr4-cjqf", "desc": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. 
### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. 
### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published 
channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability",
 "impact": 0.7,
@@ -2029,8 +2123,10 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
@@ -2072,14 +2168,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
 "id": "GHSA-9w3m-gqgf-c4p9",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
 "impact": 0.5,
@@ -2115,14 +2213,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser...",
+ "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
 "id": "GHSA-w37g-rhq8-7m4j",
 "desc": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
 "impact": 0.5,
@@ -2158,14 +2258,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-c4r9-r8fh-9vj2",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2201,14 +2303,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-hhhw-99gj-p3c3",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2244,14 +2348,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-98wm-3w3q-mw94",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2287,14 +2393,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth...",
+ "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
 "id": "GHSA-3mc7-4q67-w48m",
 "desc": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
 "impact": 0.7,
@@ -2330,14 +2438,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new...", + "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022", "id": "GHSA-mjmj-j48q-9wg2", "desc": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022",
 "impact": 0.7,
@@ -2372,14 +2482,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a...",
+ "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
 "id": "GHSA-668q-qrv7-99fm",
 "desc": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
 "impact": 0.5,
@@ -2414,14 +2526,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending...", + "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html", "id": "GHSA-vmq6-5m68-f53m", "desc": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html", "impact": 0.7, 
@@ -2456,14 +2570,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such...", + "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. - `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "id": "GHSA-m394-8rww-3jr7", "desc": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. 
- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "impact": 0.5, 
@@ -2498,14 +2614,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the...", + "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "id": "GHSA-m6cp-vxjx-65j6", "desc": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. 
The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "impact": 0.3, 
@@ -2542,14 +2660,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large...", + "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. ### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == 
SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "id": "GHSA-26vr-8j45-3r4w", "desc": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. 
### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. 
For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "impact": 0.7, 
@@ -2584,14 +2704,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior...", + "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "id": "GHSA-p26g-97m4-6q7c", "desc": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. 
If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "impact": 0.3, 
@@ -2627,14 +2749,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the...", + "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "id": "GHSA-qw69-rqj8-6qw8", "desc": "### Impact Servlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "impact": 0.5, 
@@ -2669,14 +2793,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection...", + "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "id": "GHSA-86wm-rrjm-8wh8", "desc": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. 
The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "impact": 0.5, 
@@ -2711,14 +2837,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with...", + "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. ### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-cj7v-27pg-wf7q", "desc": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. 
### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.3, 
@@ -2755,14 +2883,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive...", + "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "id": "GHSA-hmr7-m48g-48f6", "desc": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. 
There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "impact": 0.5, 
@@ -2801,14 +2931,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated...", + "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "id": "GHSA-g3wg-6mcf-8jj6", "desc": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "impact": 0.7, 
@@ -2843,14 +2975,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when...", + "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. 
### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "id": "GHSA-58qw-p7qm-5rvh", "desc": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. ### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "impact": 0.3, 
@@ -2885,14 +3019,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request...", + "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "id": "GHSA-gwcr-j4wh-j3cq", "desc": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. 
For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "impact": 0.5, 
@@ -2929,14 +3065,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the...", + "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. 
If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "id": "GHSA-3gh6-v5v9-6v9j", "desc": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. 
This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "impact": 0.3, 
@@ -2974,14 +3112,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static...", + "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. 
_This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. - Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "id": "GHSA-269g-pwp5-87pp", "desc": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. 
Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. 
- Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "impact": 0.5, @@ -3016,7 +3156,9 @@ { "ref": [ { - "name": "INTERNAL" + "source": { + "name": "INTERNAL" + } } ] } @@ -3056,7 +3198,9 @@ { "ref": [ { - "name": "INTERNAL" + "source": { + "name": "INTERNAL" + } } ] } 
@@ -3097,14 +3241,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A...",
+ "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
 "id": "GHSA-j8jw-g6fq-mp7h",
 "desc": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
 "impact": 0.7,
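Review bot: The new `+ "title"` line in this hunk is byte-identical to the `"desc"` line two lines below it, so the fixture now records multi-paragraph advisory markdown as the control title; the same holds for every title hunk that follows (the Hibernate ORM, dom4j, HttpClient, Liquibase, Jetty, swift-nio-http2, Spring AMQP and H2 hunks). If dropping the previous `...` truncation is intended, it would help to say so in the commit description, since any consumer that renders `title` as a one-line heading will now receive the full text. A middle ground, applied in the mapper that emits this fixture rather than in the fixture itself, would be to keep `title` as the advisory's first sentence or first heading while `desc` carries the full text. The mapper change is outside this file.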
@@ -3139,14 +3285,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation...",
+ "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
 "id": "GHSA-8grg-q944-cch5",
 "desc": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
 "impact": 0.5,
@@ -3181,14 +3329,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular...",
+ "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
 "id": "GHSA-hwj3-m3p6-hj38",
 "desc": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
 "impact": 1,
@@ -3223,14 +3373,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the...",
+ "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
 "id": "GHSA-7r82-7xv7-xcpj",
 "desc": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
 "impact": 0.5,
@@ -3265,14 +3417,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of...",
+ "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
 "id": "GHSA-jvfv-hrrc-6q72",
 "desc": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
 "impact": 1,
@@ -3308,14 +3462,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from...", + "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-wgmr-mf83-7x4j", "desc": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. 
One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.7, 
@@ -3350,14 +3506,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should...", + "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. 
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "id": "GHSA-qppj-fm5r-hxr3", "desc": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. 
The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. 
## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "impact": 0.5, 
@@ -3392,14 +3550,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as...", + "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "id": "GHSA-rggv-cv7r-mw98", "desc": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. 
When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "impact": 0.7, 
@@ -3434,14 +3594,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following...", + "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. 
Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. 
Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "id": "GHSA-wgh7-54f2-x98r", "desc": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. 
Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) 
Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "impact": 0.7, 
@@ -3478,14 +3640,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to...",
+ "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.",
 "id": "GHSA-w4g2-9hj6-5472",
 "desc": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.",
 "impact": 0.5,
@@ -3520,14 +3684,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a...", + "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = 
context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "id": "GHSA-mm8h-8587-p46h", "desc": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { 
ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "impact": 0.5, 
@@ -3562,14 +3728,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote...", + "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. 
### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.", "id": "GHSA-h376-j262-vhq6", "desc": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. ### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.", "impact": 1, 
@@ -3606,14 +3774,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring,...", + "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", "id": "GHSA-45hx-wfhj-473x", "desc": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", "impact": 1, @@ -3628,7 +3798,7 @@ ] } ], - "sha256": "03b83542495c79a3357c8fbaf3866ed19ef80d11dc9e784b483cfa177cdcbf00" + "sha256": "ba1925e7477830950378df78dd2403f10875a6c54b1c64e7566bb2922d516ff5" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json index dff9084bf6..cce4467857 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf-withraw.json 
@@ -42,14 +42,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine...", + "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "id": "GHSA-5mg8-w23w-74h3", "desc": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "impact": 0.3, 
@@ -87,14 +89,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix...", + "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "id": "GHSA-7g45-4rm6-3mm3", "desc": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "impact": 0.5, @@ -129,8 +133,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -171,8 +177,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -213,8 +221,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -255,14 +265,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "id": "GHSA-v3xw-c963-f5hc", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "impact": 0.7, @@ -297,8 +309,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -339,8 +353,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -381,8 +397,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -423,8 +441,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -465,8 +485,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -507,14 +529,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "id": "GHSA-c2q3-4qrh-fm48", "desc": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "impact": 0.7, @@ -549,8 +573,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -591,8 +617,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -633,8 +661,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -675,14 +705,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "id": "GHSA-4w82-r329-3q67", "desc": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "impact": 1, @@ -717,14 +749,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class...", + "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "id": "GHSA-rpr3-cw39-3pxh", "desc": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "impact": 0.7, 
@@ -759,14 +793,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "id": "GHSA-fmmc-742q-jg75", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "impact": 1, 
@@ -801,14 +837,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "id": "GHSA-gjmw-vf9h-g25v", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "impact": 1, 
@@ -843,14 +881,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "id": "GHSA-mx7p-6679-8g3q", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "impact": 1, 
@@ -885,14 +925,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "id": "GHSA-q93h-jc49-78gg", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "impact": 1, @@ -927,14 +969,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "id": "GHSA-p43x-xfjf-5jhr", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "impact": 1, 
@@ -970,14 +1014,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the...", + "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "id": "GHSA-h3cw-g4mq-c5x2", "desc": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "impact": 0.7, @@ -1012,14 +1058,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "id": "GHSA-qjw2-hr98-qgfh", "desc": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "impact": 0.7, 
@@ -1054,8 +1102,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1096,8 +1146,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1138,8 +1190,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1180,8 +1234,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1222,8 +1278,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1264,8 +1322,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1306,8 +1366,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1348,8 +1410,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1390,8 +1454,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1432,8 +1498,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1474,8 +1542,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1516,14 +1586,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "id": "GHSA-5r5r-6hpj-8gg9", "desc": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "impact": 0.7, @@ -1558,8 +1630,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1601,8 +1675,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1644,14 +1720,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of...", + "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "id": "GHSA-jjjh-jjxp-wpff", "desc": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. 
Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "impact": 0.7, @@ -1686,14 +1764,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The...", + "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "id": "GHSA-5949-rw7g-wx7w", "desc": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "impact": 0.7, 
@@ -1728,14 +1808,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of...", + "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "id": "GHSA-57j2-w4cx-62h2", "desc": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "impact": 0.7, @@ -1770,14 +1852,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows...", + "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "id": "GHSA-288c-cq4h-88gq", "desc": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "impact": 0.7, @@ -1812,8 +1896,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1855,14 +1941,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a...", + "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "id": "GHSA-rgv9-q543-rqg4", "desc": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "impact": 0.7, @@ -1897,8 +1985,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1941,14 +2031,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary...", + "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-8jpx-m2wh-2v34", "desc": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. 
If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "impact": 0.7, 
@@ -1985,14 +2077,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard...", + "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. ### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-3mcp-9wr4-cjqf", "desc": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. 
### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. 
### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published 
channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability",
 "impact": 0.7,
@@ -2029,8 +2123,10 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
@@ -2072,14 +2168,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
 "id": "GHSA-9w3m-gqgf-c4p9",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
 "impact": 0.5,
@@ -2115,14 +2213,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser...",
+ "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
 "id": "GHSA-w37g-rhq8-7m4j",
 "desc": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
 "impact": 0.5,
@@ -2158,14 +2258,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-c4r9-r8fh-9vj2",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2201,14 +2303,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-hhhw-99gj-p3c3",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2244,14 +2348,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-98wm-3w3q-mw94",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2287,14 +2393,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth...",
+ "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
 "id": "GHSA-3mc7-4q67-w48m",
 "desc": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
 "impact": 0.7,
@@ -2330,14 +2438,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new...", + "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022", "id": "GHSA-mjmj-j48q-9wg2", "desc": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022",
 "impact": 0.7,
@@ -2372,14 +2482,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a...",
+ "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
 "id": "GHSA-668q-qrv7-99fm",
 "desc": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
 "impact": 0.5,
@@ -2414,14 +2526,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending...",
+ "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html",
 "id": "GHSA-vmq6-5m68-f53m",
 "desc": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html",
 "impact": 0.7,
@@ -2462,14 +2576,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such...", + "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. - `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "id": "GHSA-m394-8rww-3jr7", "desc": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. 
- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "impact": 0.5, 
@@ -2504,14 +2620,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the...", + "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "id": "GHSA-m6cp-vxjx-65j6", "desc": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. 
The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "impact": 0.3, 
@@ -2548,14 +2666,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large...", + "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. ### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == 
SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "id": "GHSA-26vr-8j45-3r4w", "desc": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. 
### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. 
For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "impact": 0.7, 
@@ -2590,14 +2710,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior...", + "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "id": "GHSA-p26g-97m4-6q7c", "desc": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. 
If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "impact": 0.3, 
@@ -2633,14 +2755,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the...", + "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "id": "GHSA-qw69-rqj8-6qw8", "desc": "### Impact Servlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "impact": 0.5, 
@@ -2675,14 +2799,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection...", + "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "id": "GHSA-86wm-rrjm-8wh8", "desc": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. 
The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "impact": 0.5, 
@@ -2717,14 +2843,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with...", + "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. ### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-cj7v-27pg-wf7q", "desc": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. 
### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.3, 
@@ -2761,14 +2889,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive...", + "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "id": "GHSA-hmr7-m48g-48f6", "desc": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. 
There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "impact": 0.5, 
@@ -2807,14 +2937,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated...", + "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "id": "GHSA-g3wg-6mcf-8jj6", "desc": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "impact": 0.7, 
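Review bot: The new `title` values are the full advisory markdown and are byte-identical to the `desc` value that follows them — in the GHSA-g3wg-6mcf-8jj6 entry this is several kilobytes including the quoted reporter e-mail and code blocks — so anything that renders `title` as a one-line heading no longer gets a usable summary. If dropping the previous `...` truncation is intentional, keeping `title` to a short summary (the first sentence, or the `### Impact` paragraph) would keep it distinct from `desc`; if not, this fixture suggests the mapper's title transformer lost its truncation. This is expected-output data, so the fix, if any, belongs in the mapper rather than in this file.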
@@ -2849,14 +2981,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when...", + "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. 
### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "id": "GHSA-58qw-p7qm-5rvh", "desc": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. ### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "impact": 0.3, 
@@ -2891,14 +3025,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request...", + "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "id": "GHSA-gwcr-j4wh-j3cq", "desc": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. 
For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "impact": 0.5, 
@@ -2935,14 +3071,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the...", + "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. 
If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "id": "GHSA-3gh6-v5v9-6v9j", "desc": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. 
This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "impact": 0.3, 
@@ -2980,14 +3118,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static...", + "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. 
_This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. - Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "id": "GHSA-269g-pwp5-87pp", "desc": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. 
Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. 
- Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).",
 "impact": 0.5,
@@ -3022,7 +3162,9 @@
 {
 "ref": [
 {
- "name": "INTERNAL"
+ "source": {
+ "name": "INTERNAL"
+ }
 }
 ]
 }
@@ -3062,7 +3204,9 @@
 {
 "ref": [
 {
- "name": "INTERNAL"
+ "source": {
+ "name": "INTERNAL"
+ }
 }
 ]
 }
@@ -3103,14 +3247,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A...",
+ "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
 "id": "GHSA-j8jw-g6fq-mp7h",
 "desc": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
 "impact": 0.7,
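Review bot: With the truncation removed, every record's `title` is now byte-identical to its `desc` — here for GHSA-j8jw-g6fq-mp7h, and likewise in the hunks for GHSA-8grg-q944-cch5, GHSA-hwj3-m3p6-hj38, GHSA-7r82-7xv7-xcpj, GHSA-jvfv-hrrc-6q72, GHSA-wgmr-mf83-7x4j, GHSA-qppj-fm5r-hxr3, GHSA-rggv-cv7r-mw98, GHSA-wgh7-54f2-x98r, GHSA-w4g2-9hj6-5472, GHSA-mm8h-8587-p46h and GHSA-h376-j262-vhq6 — so titles now carry whole advisory bodies, markdown headings and fenced code included. If the earlier "..." truncation was a deliberate one-line summary for list views, this expected-output fixture appears to have been regenerated from a mapper change elsewhere in the PR, and that change is what should be confirmed before these outputs are accepted as the new baseline. The `ref` entries nesting `name`/`url` under `source` are applied uniformly across all hunks and read as an intentional schema alignment.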
@@ -3145,14 +3291,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation...",
+ "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
 "id": "GHSA-8grg-q944-cch5",
 "desc": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
 "impact": 0.5,
@@ -3187,14 +3335,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular...",
+ "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
 "id": "GHSA-hwj3-m3p6-hj38",
 "desc": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
 "impact": 1,
@@ -3229,14 +3379,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the...",
+ "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
 "id": "GHSA-7r82-7xv7-xcpj",
 "desc": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
 "impact": 0.5,
@@ -3271,14 +3423,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of...",
+ "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
 "id": "GHSA-jvfv-hrrc-6q72",
 "desc": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
 "impact": 1,
@@ -3314,14 +3468,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from...", + "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-wgmr-mf83-7x4j", "desc": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. 
One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.7, 
@@ -3356,14 +3512,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should...", + "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. 
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "id": "GHSA-qppj-fm5r-hxr3", "desc": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. 
The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. 
## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "impact": 0.5, 
@@ -3404,14 +3562,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as...", + "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "id": "GHSA-rggv-cv7r-mw98", "desc": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. 
When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "impact": 0.7, 
@@ -3446,14 +3606,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following...", + "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. 
Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. 
Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "id": "GHSA-wgh7-54f2-x98r", "desc": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. 
Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) 
Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "impact": 0.7, 
@@ -3490,14 +3652,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to...",
+ "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.",
 "id": "GHSA-w4g2-9hj6-5472",
 "desc": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.",
 "impact": 0.5,
@@ -3532,14 +3696,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a...", + "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = 
context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "id": "GHSA-mm8h-8587-p46h", "desc": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { 
ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "impact": 0.5, 
@@ -3574,14 +3740,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote...", + "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. 
### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.", "id": "GHSA-h376-j262-vhq6", "desc": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. ### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.", "impact": 1, 
@@ -3618,14 +3786,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring,...", + "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", "id": "GHSA-45hx-wfhj-473x", "desc": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.", "impact": 1, @@ -3640,7 +3810,7 @@ ] } ], - "sha256": "bf70242005c6b5e676974f138b98d38be83bb0d941a8a31a8985a17567976521" + "sha256": "a2a9f29c527b6e627114bf5ca676805fe7920a9ad1e0d2d63f3444f0c35d1f69" } ], "passthrough": { diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json index 380c7645cf..191b0ffda4 100644 --- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json +++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-dropwizard-vulns-hdf.json 
@@ -42,14 +42,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine...", + "title": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "id": "GHSA-5mg8-w23w-74h3", "desc": "A temp directory creation vulnerability exists in Guava prior to version 32.0.0 allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava `com.google.common.io.Files.createTempDir()`. The permissions granted to the directory created default to the standard unix-like /tmp ones, leaving the files open. Maintainers recommend explicitly changing the permissions after the creation of the directory, or removing uses of the vulnerable method.", "impact": 0.3, 
@@ -87,14 +89,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix...", + "title": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "id": "GHSA-7g45-4rm6-3mm3", "desc": "Use of Java's default temporary directory for file creation in `FileBackedOutputStream` in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class. Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.", "impact": 0.5, @@ -129,8 +133,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -171,8 +177,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -213,8 +221,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -255,14 +265,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool,...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "id": "GHSA-v3xw-c963-f5hc", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).", "impact": 0.7, @@ -297,8 +309,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -339,8 +353,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -381,8 +397,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -423,8 +441,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -465,8 +485,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -507,14 +529,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "id": "GHSA-c2q3-4qrh-fm48", "desc": "FasterXML jackson-databind 2.x before 2.9.10.5 mishandles the interaction between serialization gadgets and typing, related to oracle.jms.AQjmsQueueConnectionFactory, oracle.jms.AQjmsXATopicConnectionFactory, oracle.jms.AQjmsTopicConnectionFactory, oracle.jms.AQjmsXAQueueConnectionFactory, and oracle.jms.AQjmsXAConnectionFactory (aka weblogic/oracle-aqjms).", "impact": 0.7, @@ -549,8 +573,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -591,8 +617,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -633,8 +661,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -675,14 +705,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "id": "GHSA-4w82-r329-3q67", "desc": "FasterXML jackson-databind 2.x before 2.6.7.4, 2.7.x before 2.7.9.7, 2.8.x before 2.8.11.5 and 2.9.x before 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.", "impact": 1, @@ -717,14 +749,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class...", + "title": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "id": "GHSA-rpr3-cw39-3pxh", "desc": "The com.fasterxml.jackson.core:jackson-databind library before version 2.9.10.4 is vulnerable to an Unsafe Deserialization vulnerability when handling interactions related to the class `ignite-jta`.", "impact": 0.7, 
@@ -759,14 +793,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "id": "GHSA-fmmc-742q-jg75", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.", "impact": 1, 
@@ -801,14 +837,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "id": "GHSA-gjmw-vf9h-g25v", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 prior to 2.9.10.1, 2.8.11.5, and 2.6.7.3. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.", "impact": 1, 
@@ -843,14 +881,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or...", + "title": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "id": "GHSA-mx7p-6679-8g3q", "desc": "A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.", "impact": 1, 
@@ -885,14 +925,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "id": "GHSA-q93h-jc49-78gg", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to `com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig` (aka `ibatis-sqlmap`).", "impact": 1, @@ -927,14 +969,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "id": "GHSA-p43x-xfjf-5jhr", "desc": "FasterXML jackson-databind 2.x before 2.9.10.4, 2.8.11.6, and 2.7.9.7 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).", "impact": 1, 
@@ -970,14 +1014,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the...", + "title": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "id": "GHSA-h3cw-g4mq-c5x2", "desc": "This project contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor. FasterXML jackson-databind 2.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPDataSource (aka Anteros-DBCP).", "impact": 0.7, @@ -1012,14 +1058,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to...", + "title": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "id": "GHSA-qjw2-hr98-qgfh", "desc": "FasterXML jackson-databind 2.x before 2.6.7.5 and from 2.7.x before 2.9.10.6 mishandles the interaction between serialization gadgets and typing, related to com.pastdev.httpcomponents.configuration.JndiConfiguration.", "impact": 0.7, 
@@ -1054,8 +1102,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1096,8 +1146,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1138,8 +1190,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1180,8 +1234,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1222,8 +1278,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1264,8 +1322,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1306,8 +1366,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1348,8 +1410,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1390,8 +1454,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1432,8 +1498,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1474,8 +1542,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1516,14 +1586,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in...", + "title": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "id": "GHSA-5r5r-6hpj-8gg9", "desc": "FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.oracle.wls.shaded.org.apache.xalan.lib.sql.JNDIConnectionPool (aka embedded Xalan in org.glassfish.web/javax.servlet.jsp.jstl).", "impact": 0.7, @@ -1558,8 +1630,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } @@ -1601,8 +1675,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1644,14 +1720,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of...", + "title": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "id": "GHSA-jjjh-jjxp-wpff", "desc": "In FasterXML jackson-databind 2.4.0-rc1 until 2.12.7.1 and in 2.13.x before 2.13.4.2 resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. This was patched in 2.12.7.1, 2.13.4.2, and 2.14.0. Commits that introduced vulnerable code are https://github.com/FasterXML/jackson-databind/commit/d499f2e7bbc5ebd63af11e1f5cf1989fa323aa45, https://github.com/FasterXML/jackson-databind/commit/0e37a39502439ecbaa1a5b5188387c01bf7f7fa1, and https://github.com/FasterXML/jackson-databind/commit/7ba9ac5b87a9d6ac0d2815158ecbeb315ad4dcdc. 
Fix commits are https://github.com/FasterXML/jackson-databind/commit/cd090979b7ea78c75e4de8a4aed04f7e9fa8deea and https://github.com/FasterXML/jackson-databind/commit/d78d00ee7b5245b93103fef3187f70543d67ca33.", "impact": 0.7, @@ -1686,14 +1764,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The...", + "title": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "id": "GHSA-5949-rw7g-wx7w", "desc": "A flaw was found in jackson-databind before 2.9.10.7 and 2.6.7.5. FasterXML mishandles the interaction between serialization gadgets and typing. The highest threat from this vulnerability is to data confidentiality and integrity as well as system availability.", "impact": 0.7, 
@@ -1728,14 +1808,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of...", + "title": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "id": "GHSA-57j2-w4cx-62h2", "desc": "jackson-databind is a data-binding package for the Jackson Data Processor. jackson-databind allows a Java stack overflow exception and denial of service via a large depth of nested objects.", "impact": 0.7, @@ -1770,14 +1852,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows...", + "title": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "id": "GHSA-288c-cq4h-88gq", "desc": "A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.", "impact": 0.7, @@ -1812,8 +1896,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1855,14 +1941,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a...", + "title": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "id": "GHSA-rgv9-q543-rqg4", "desc": "In FasterXML jackson-databind before 2.12.7.1 and in 2.13.x before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.", "impact": 0.7, @@ -1897,8 +1985,10 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } 
@@ -1941,14 +2031,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary...",
+ "title": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-8jpx-m2wh-2v34", "desc": "### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. 
If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.21/2.0.3 or later is strongly recommended. The changes introduced in Dropwizard 1.3.19 and 2.0.2 (see [GHSA-3mcp-9wr4-cjqf](https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf)/[CVE-2020-5245](https://github.com/advisories/GHSA-3mcp-9wr4-cjqf)) unfortunately didn't fix the underlying issue completely. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.21** and **2.0.3** or later. We strongly recommend upgrading to one of these versions. The evaluation of EL expressions has been disabled by default now. In order to use some interpolation in the violation messages added to [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html), it has to be explicitly allowed by setting [`SelfValidating#escapeExpressions()`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidating.html#escapeExpressions--) to `false`. 
It is also recommended to use the `addViolation` methods supporting message parameters instead of EL expressions introduced in Dropwizard 1.3.21 and 2.0.3: * [`ViolationCollector#addViolation(String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, Integer, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.Integer-java.lang.String-java.util.Map-) * [`ViolationCollector#addViolation(String, String, String, Map`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html#addViolation-java.lang.String-java.lang.String-java.lang.String-java.util.Map-) ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.3/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.3/dropwizard-validation/src/main/java/io/dropwizard/validation/InterpolationHelper.java ### References * https://github.com/dropwizard/dropwizard/security/advisories/GHSA-3mcp-9wr4-cjqf * https://github.com/dropwizard/dropwizard/pull/3208 * https://github.com/dropwizard/dropwizard/pull/3209 * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-hibernateconstraintvalidatorcontext ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "impact": 0.7, 
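Review bot: The new `"title"` value for GHSA-8jpx-m2wh-2v34 is the complete advisory body — several paragraphs of markdown with links, a fenced Java snippet and a references list — and it is identical to the `"desc"` value that follows it, so it is unusable as a list label and the fixture carries the text twice. That text is presumably passed through unchanged from the vulnerability entry of the input SBOM, which is produced by whatever tool or vendor generated the SBOM; nothing in this hunk bounds or sanitizes it, so any consumer that renders `title` or `desc` as markdown or HTML should treat both fields as untrusted input rather than trusted advisory prose (whether any consumer does render them I cannot tell from here). If `title` is meant to stay short, derive it from the first sentence in the mapper and keep the full text in `desc`; the mapper change behind these values is outside this hunk.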
@@ -1985,14 +2077,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard...",
+ "title": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. ### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. 
### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. ### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). 
Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability", "id": "GHSA-3mcp-9wr4-cjqf", "desc": "Dropwizard-Validation before 1.3.19, and 2.0.2 may allow arbitrary code execution on the host system, with the privileges of the Dropwizard service account, by injecting arbitrary Java Expression Language expressions when using the self-validating feature. 
### Summary A server-side template injection was identified in the self-validating ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)) feature of **dropwizard-validation** enabling attackers to inject arbitrary Java EL expressions, leading to Remote Code Execution (RCE) vulnerability. If you're using a self-validating bean (via [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html)), an upgrade to Dropwizard 1.3.19 or 2.0.2 is strongly recommended. ### Impact This issue may allow Remote Code Execution (RCE), allowing to run arbitrary code on the host system (with the privileges of the Dropwizard service account privileges) by injecting arbitrary [Java Expression Language (EL)](https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions) expressions when using the self-validating feature ([`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html), [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html)) in **dropwizard-validation**. ### Patches The issue has been fixed in **dropwizard-validation** **1.3.19** and **2.0.2**. We strongly recommend upgrading to one of these versions. 
### Workarounds If you are not able to upgrade to one of the aforementioned versions of **dropwizard-validation** but still want to use the [`@SelfValidating`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidating.html) feature, make sure to properly sanitize any message you're adding to the [`ViolationCollector`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/ViolationCollector.html) in the method annotated with [`@SelfValidation`](https://javadoc.io/static/io.dropwizard/dropwizard-project/2.0.2/io/dropwizard/validation/selfvalidating/SelfValidation.html). Example: ```java @SelfValidation public void validateFullName(ViolationCollector col) { if (fullName.contains(\"_\")) { // Sanitize fullName variable by escaping relevant characters such as \"$\" col.addViolation(\"Full name contains invalid characters: \" + sanitizeJavaEl(fullName)); } } ``` See also: https://github.com/dropwizard/dropwizard/blob/v2.0.2/dropwizard-validation/src/main/java/io/dropwizard/validation/selfvalidating/ViolationCollector.java#L84-L98 ### References * https://github.com/dropwizard/dropwizard/pull/3157 * https://github.com/dropwizard/dropwizard/pull/3160 * https://docs.oracle.com/javaee/7/tutorial/jsf-el.htm * https://docs.jboss.org/hibernate/validator/6.1/reference/en-US/html_single/#section-interpolation-with-message-expressions * https://beanvalidation.org/2.0/spec/#validationapi-message-defaultmessageinterpolation ### For more information If you have any questions or comments about this advisory: * Open an issue in [dropwizard/dropwizard](https://github.com/dropwizard/dropwizard/issues/new) * Start a discussion on the [dropwizard-dev mailing list](https://groups.google.com/forum/#!forum/dropwizard-dev) ### Security contact If you want to responsibly disclose a security issue in Dropwizard or one of its official modules, please contact us via the published 
channels in our [security policy](https://github.com/dropwizard/dropwizard/security/policy): https://github.com/dropwizard/dropwizard/security/policy#reporting-a-vulnerability",
 "impact": 0.7,
@@ -2029,8 +2123,10 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
@@ -2072,14 +2168,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
 "id": "GHSA-9w3m-gqgf-c4p9",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DoS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.",
 "impact": 0.5,
@@ -2115,14 +2213,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser...",
+ "title": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
 "id": "GHSA-w37g-rhq8-7m4j",
 "desc": "Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.",
 "impact": 0.5,
@@ -2158,14 +2258,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-c4r9-r8fh-9vj2",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2201,14 +2303,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-hhhw-99gj-p3c3",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2244,14 +2348,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is...",
+ "title": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "id": "GHSA-98wm-3w3q-mw94",
 "desc": "Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.",
 "impact": 0.5,
@@ -2287,14 +2393,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth...",
+ "title": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
 "id": "GHSA-3mc7-4q67-w48m",
 "desc": "The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.",
 "impact": 0.7,
@@ -2330,14 +2438,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new...",
+ "title": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022", "id": "GHSA-mjmj-j48q-9wg2", "desc": "### Summary SnakeYaml's `Constructor` class, which inherits from `SafeConstructor`, allows any type be deserialized given the following line: new Yaml(new Constructor(TestDataClass.class)).load(yamlContent); Types do not have to match the types of properties in the target class. A `ConstructorException` is thrown, but only after a malicious payload is deserialized. ### Severity High, lack of type checks during deserialization allows remote code execution. ### Proof of Concept Execute `bash run.sh`. The PoC uses Constructor to deserialize a payload for RCE. RCE is demonstrated by using a payload which performs a http request to http://127.0.0.1:8000. Example output of successful run of proof of concept: ``` $ bash run.sh [+] Downloading snakeyaml if needed [+] Starting mock HTTP server on 127.0.0.1:8000 to demonstrate RCE nc: no process found [+] Compiling and running Proof of Concept, which a payload that sends a HTTP request to mock web server. [+] An exception is expected. Exception: Cannot create property=payload for JavaBean=Main$TestDataClass@3cbbc1e0 in 'string', line 1, column 1: payload: !!javax.script.ScriptEn ... ^ Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager in 'string', line 1, column 10: payload: !!javax.script.ScriptEngineManag ... 
^ at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:291) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.construct(Constructor.java:172) at org.yaml.snakeyaml.constructor.Constructor$ConstructYamlObject.construct(Constructor.java:332) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObjectNoCheck(BaseConstructor.java:230) at org.yaml.snakeyaml.constructor.BaseConstructor.constructObject(BaseConstructor.java:220) at org.yaml.snakeyaml.constructor.BaseConstructor.constructDocument(BaseConstructor.java:174) at org.yaml.snakeyaml.constructor.BaseConstructor.getSingleData(BaseConstructor.java:158) at org.yaml.snakeyaml.Yaml.loadFromReader(Yaml.java:491) at org.yaml.snakeyaml.Yaml.load(Yaml.java:416) at Main.main(Main.java:37) Caused by: java.lang.IllegalArgumentException: Can not set java.lang.String field Main$TestDataClass.payload to javax.script.ScriptEngineManager at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:167) at java.base/jdk.internal.reflect.UnsafeFieldAccessorImpl.throwSetIllegalArgumentException(UnsafeFieldAccessorImpl.java:171) at java.base/jdk.internal.reflect.UnsafeObjectFieldAccessorImpl.set(UnsafeObjectFieldAccessorImpl.java:81) at java.base/java.lang.reflect.Field.set(Field.java:780) at org.yaml.snakeyaml.introspector.FieldProperty.set(FieldProperty.java:44) at org.yaml.snakeyaml.constructor.Constructor$ConstructMapping.constructJavaBean2ndStep(Constructor.java:286) ... 9 more [+] Dumping Received HTTP Request. Will not be empty if PoC worked GET /proof-of-concept HTTP/1.1 User-Agent: Java/11.0.14 Host: localhost:8000 Accept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2 Connection: keep-alive ``` ### Further Analysis Potential mitigations include, leveraging SnakeYaml's SafeConstructor while parsing untrusted content. 
See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64581479 for discussion on the subject. A fix was released in version 2.0. See https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64876314 for more information. ### Timeline **Date reported**: 4/11/2022 **Date fixed**: **Date disclosed**: 10/13/2022",
 "impact": 0.7,
@@ -2372,14 +2482,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a...",
+ "title": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
 "id": "GHSA-668q-qrv7-99fm",
 "desc": "In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.",
 "impact": 0.5,
@@ -2414,14 +2526,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending...", + "title": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html", "id": "GHSA-vmq6-5m68-f53m", "desc": "A serialization vulnerability in logback receiver component part of logback allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. This is only exploitable if logback receiver component is deployed. See https://logback.qos.ch/manual/receivers.html", "impact": 0.7, 
@@ -2462,14 +2576,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such...", + "title": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. - `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. 
Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "id": "GHSA-m394-8rww-3jr7", "desc": "### Impact When Jetty handles a request containing request headers with a large number of “quality” (i.e. q) parameters (such as what are seen on the `Accept`, `Accept-Encoding`, and `Accept-Language` request headers), the server may enter a denial of service (DoS) state due to high CPU usage while sorting the list of values based on their quality values. A single request can easily consume minutes of CPU time before it is even dispatched to the application. The only features within Jetty that can trigger this behavior are: - Default Error Handling - the `Accept` request header with the `QuotedQualityCSV` is used to determine what kind of content to send back to the client (html, text, json, xml, etc) - `StatisticsServlet` - uses the `Accept` request header with the `QuotedQualityCSV` to determine what kind of content to send back to the client (xml, json, text, html, etc) - `HttpServletRequest.getLocale()` - uses the `Accept-Language` request header with the `QuotedQualityCSV` to determine which “preferred” language is returned on this call. - `HttpservletRequest.getLocales()` - is similar to the above, but returns an ordered list of locales based on the quality values on the `Accept-Language` request header. 
- `DefaultServlet` - uses the `Accept-Encoding` request header with the `QuotedQualityCSV` to determine which kind of pre-compressed content should be sent back for static content (content that is not matched against a url-pattern in your web app) ### Versions `QuotedQualityCSV` was introduced to Jetty 9.3.9.v20160517 and the bug that introduced the vulnerability was in 9.4.6.v20170531. Currently, known vulnerable versions include: - 9.4.6.v20170531 thru to 9.4.36.v20210114 - 10.0.0 - 11.0.0 ### Workarounds Quality ordered values are used infrequently by jetty so they can be avoided by: * Do not use the default error page/handler. * Do not deploy the `StatisticsServlet` exposed to the network * Do not call `getLocale` API * Do not enable precompressed static content in the `DefaultServlet` ### Patches All patches are available for download from the Eclipse Jetty website at [https://www.eclipse.org/jetty/download.php](https://www.eclipse.org/jetty/download.php) - 9.4.37.v20210219 and greater - 10.0.1 and greater - 11.0.1 and greater", "impact": 0.5, 
@@ -2504,14 +2620,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the...", + "title": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "id": "GHSA-m6cp-vxjx-65j6", "desc": "### Impact If an exception is thrown from the `SessionListener#sessionDestroyed()` method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in. There is no known path for an attacker to induce such an exception to be thrown, thus they must rely on an application to throw such an exception. 
The OP has also identified that during the call to `sessionDestroyed`, the `getLastAccessedTime()` throws an `IllegalStateException`, which potentially contrary to the servlet spec, so applications calling this method may always throw and fail to log out. If such an application was only tested on a non clustered test environment, then it may be deployed on a clustered environment with multiple contexts and fail to log out. ### Workarounds The application should catch all Throwables within their `SessionListener#sessionDestroyed()` implementations.", "impact": 0.3, 
@@ -2548,14 +2666,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large...", + "title": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. ### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == 
SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "id": "GHSA-26vr-8j45-3r4w", "desc": "### Impact When using SSL/TLS with Jetty, either with HTTP/1.1, HTTP/2, or WebSocket, the server may receive an invalid large (greater than 17408) TLS frame that is incorrectly handled, causing CPU resources to eventually reach 100% usage. 
### Workarounds The problem can be worked around by compiling the following class: ```java package org.eclipse.jetty.server.ssl.fix6072; import java.nio.ByteBuffer; import javax.net.ssl.SSLEngine; import javax.net.ssl.SSLEngineResult; import javax.net.ssl.SSLException; import javax.net.ssl.SSLHandshakeException; import org.eclipse.jetty.io.EndPoint; import org.eclipse.jetty.io.ssl.SslConnection; import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.SslConnectionFactory; import org.eclipse.jetty.util.BufferUtil; import org.eclipse.jetty.util.annotation.Name; import org.eclipse.jetty.util.ssl.SslContextFactory; public class SpaceCheckingSslConnectionFactory extends SslConnectionFactory { public SpaceCheckingSslConnectionFactory(@Name(\"sslContextFactory\") SslContextFactory factory, @Name(\"next\") String nextProtocol) { super(factory, nextProtocol); } @Override protected SslConnection newSslConnection(Connector connector, EndPoint endPoint, SSLEngine engine) { return new SslConnection(connector.getByteBufferPool(), connector.getExecutor(), endPoint, engine, isDirectBuffersForEncryption(), isDirectBuffersForDecryption()) { @Override protected SSLEngineResult unwrap(SSLEngine sslEngine, ByteBuffer input, ByteBuffer output) throws SSLException { SSLEngineResult results = super.unwrap(sslEngine, input, output); if ((results.getStatus() == SSLEngineResult.Status.BUFFER_UNDERFLOW || results.getStatus() == SSLEngineResult.Status.OK && results.bytesConsumed() == 0 && results.bytesProduced() == 0) && BufferUtil.space(input) == 0) { BufferUtil.clear(input); throw new SSLHandshakeException(\"Encrypted buffer max length exceeded\"); } return results; } }; } } ``` This class can be deployed by: + The resulting class file should be put into a jar file (eg sslfix6072.jar) + The jar file should be made available to the server. 
For a normal distribution this can be done by putting the file into ${jetty.base}/lib + Copy the file `${jetty.home}/modules/ssl.mod` to `${jetty.base}/modules` + Edit the `${jetty.base}/modules/ssl.mod` file to have the following section: ``` [lib] lib/sslfix6072.jar ``` + Copy the file `${jetty.home}/etc/jetty-https.xml` and`${jetty.home}/etc/jetty-http2.xml` to `${jetty.base}/etc` + Edit files `${jetty.base}/etc/jetty-https.xml` and `${jetty.base}/etc/jetty-http2.xml`, changing any reference of `org.eclipse.jetty.server.SslConnectionFactory` to `org.eclipse.jetty.server.ssl.fix6072.SpaceCheckingSslConnectionFactory`. For example: ```xml http/1.1 ``` + Restart Jetty", "impact": 0.7, 
@@ -2590,14 +2710,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior...", + "title": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "id": "GHSA-p26g-97m4-6q7c", "desc": "Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. 
If Jetty sees a cookie VALUE that starts with `\"` (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: `DISPLAY_LANGUAGE=\"b; JSESSIONID=1337; c=d\"` will be parsed as one cookie, with the name `DISPLAY_LANGUAGE` and a value of `b; JSESSIONID=1337; c=d` instead of 3 separate cookies. ### Impact This has security implications because if, say, `JSESSIONID` is an `HttpOnly` cookie, and the `DISPLAY_LANGUAGE` cookie value is rendered on the page, an attacker can smuggle the `JSESSIONID` cookie into the `DISPLAY_LANGUAGE` cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server. ### Patches * 9.4.51.v20230217 - via PR #9352 * 10.0.15 - via PR #9339 * 11.0.15 - via PR #9339 ### Workarounds No workarounds ### References * https://www.rfc-editor.org/rfc/rfc2965 * https://www.rfc-editor.org/rfc/rfc6265", "impact": 0.3, 
@@ -2633,14 +2755,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the...", + "title": "### Impact Servlets with multipart support (e.g. annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "id": "GHSA-qw69-rqj8-6qw8", "desc": "### Impact Servlets with multipart support (e.g. 
annotated with `@MultipartConfig`) that call `HttpServletRequest.getParameter()` or `HttpServletRequest.getParts()` may cause `OutOfMemoryError` when the client sends a multipart request with a part that has a name but no filename and a very large content. This happens even with the default settings of `fileSizeThreshold=0` which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw `OutOfMemoryError`. However, the server may be able to recover after the `OutOfMemoryError` and continue its service -- although it may take some time. A very large number of parts may cause the same problem. ### Patches Patched in Jetty versions * 9.4.51.v20230217 - via PR #9345 * 10.0.14 - via PR #9344 * 11.0.14 - via PR #9344 ### Workarounds Multipart parameter `maxRequestSize` must be set to a non-negative value, so the whole multipart content is limited (although still read into memory). Limiting multipart parameter `maxFileSize` won't be enough because an attacker can send a large number of parts that summed up will cause memory issues. ### References * https://github.com/eclipse/jetty.project/issues/9076 * https://github.com/jakartaee/servlet/blob/6.0.0/spec/src/main/asciidoc/servlet-spec-body.adoc#32-file-upload", "impact": 0.5, 
@@ -2675,14 +2799,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection...", + "title": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "id": "GHSA-86wm-rrjm-8wh8", "desc": "### Impact If GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection and if an attacker can send a request with a body that is received entirely by not consumed by the application, then a subsequent request on the same connection will see that body prepended to it's body. 
The attacker will not see any data, but may inject data into the body of the subsequent request CVE score is [4.8 AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:L&version=3.1) ### Workarounds The problem can be worked around by either: - Disabling compressed request body inflation by GzipHandler. - By always fully consuming the request content before sending a response. - By adding a `Connection: close` to any response where the servlet does not fully consume request content.", "impact": 0.5, 
@@ -2717,14 +2843,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with...", + "title": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. ### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-cj7v-27pg-wf7q", "desc": "### Description URI use within Jetty's `HttpURI` class can parse invalid URIs such as `http://localhost;/path` as having an authority with a host of `localhost;`. A URIs of the type `http://localhost;/path` should be interpreted to be either invalid or as `localhost;` to be the userinfo and no host. However, `HttpURI.host` returns `localhost;` which is definitely wrong. ### Impact This can lead to errors with Jetty's `HttpClient`, and Jetty's `ProxyServlet` / `AsyncProxyServlet` / `AsyncMiddleManServlet` wrongly interpreting an authority with no host as one with a host. 
### Patches Patched in PR [#8146](https://github.com/eclipse/jetty.project/pull/8146) for Jetty version 9.4.47. Patched in PR [#8014](https://github.com/eclipse/jetty.project/pull/8015) for Jetty versions 10.0.10, and 11.0.10 ### Workarounds None. ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.3, 
@@ -2761,14 +2889,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive...", + "title": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "id": "GHSA-hmr7-m48g-48f6", "desc": "### Impact Jetty accepts the '+' character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. 
There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. ### Workarounds There is no workaround as there is no known exploit scenario. ### Original Report [RFC 9110 Secion 8.6](https://www.rfc-editor.org/rfc/rfc9110#section-8.6) defined the value of Content-Length header should be a string of 0-9 digits. However we found that Jetty accepts \"+\" prefixed Content-Length, which could lead to potential HTTP request smuggling. Payload: ``` POST / HTTP/1.1 Host: a.com Content-Length: +16 Connection: close ​ 0123456789abcdef ``` When sending this payload to Jetty, it can successfully parse and identify the length. When sending this payload to NGINX, Apache HTTPd or other HTTP servers/parsers, they will return 400 bad request. This behavior can lead to HTTP request smuggling and can be leveraged to bypass WAF or IDS.", "impact": 0.5, 
@@ -2807,14 +2937,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated...", + "title": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "id": "GHSA-g3wg-6mcf-8jj6", "desc": "### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. A collocated user can observe the process of creating a temporary sub directory in the shared temporary directory and race to complete the creation of the temporary subdirectory. If the attacker wins the race then they will have read and write permission to the subdirectory used to unpack web applications, including their WEB-INF/lib jar files and JSP files. If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. Additionally, any user code uses of [WebAppContext::getTempDirectory](https://www.eclipse.org/jetty/javadoc/9.4.31.v20200723/org/eclipse/jetty/webapp/WebAppContext.html#getTempDirectory()) would similarly be vulnerable. Additionally, any user application code using the `ServletContext` attribute for the tempdir will also be impacted. 
See: https://javaee.github.io/javaee-spec/javadocs/javax/servlet/ServletContext.html#TEMPDIR For example: ```java import java.io.File; import java.io.IOException; import javax.servlet.ServletContext; import javax.servlet.ServletException; import javax.servlet.http.HttpServlet; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; public class ExampleServlet extends HttpServlet { @Override protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { File tempDir = (File)getServletContext().getAttribute(ServletContext.TEMPDIR); // Potentially compromised // do something with that temp dir } } ``` Example: The JSP library itself will use the container temp directory for compiling the JSP source into Java classes before executing them. ### CVSSv3.1 Evaluation This vulnerability has been calculated to have a [CVSSv3.1 score of 7.8/10 (AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H&version=3.1) ### Patches Fixes were applied to the 9.4.x branch with: - https://github.com/eclipse/jetty.project/commit/53e0e0e9b25a6309bf24ee3b10984f4145701edb - https://github.com/eclipse/jetty.project/commit/9ad6beb80543b392c91653f6bfce233fc75b9d5f These will be included in releases: 9.4.33, 10.0.0.beta3, 11.0.0.beta3 ### Workarounds A work around is to set a temporary directory, either for the server or the context, to a directory outside of the shared temporary file system. For recent releases, a temporary directory can be created simple by creating a directory called `work` in the ${jetty.base} directory (the parent directory of the `webapps` directory). Alternately the java temporary directory can be set with the System Property `java.io.tmpdir`. A more detailed description of how jetty selects a temporary directory is below. The Jetty search order for finding a temporary directory is as follows: 1. 
If the [`WebAppContext` has a temp directory specified](https://www.eclipse.org/jetty/javadoc/current/org/eclipse/jetty/webapp/WebAppContext.html#setTempDirectory(java.io.File)), use it. 2. If the `ServletContext` has the `javax.servlet.context.tempdir` attribute set, and if directory exists, use it. 3. If a `${jetty.base}/work` directory exists, use it (since Jetty 9.1) 4. If a `ServletContext` has the `org.eclipse.jetty.webapp.basetempdir` attribute set, and if the directory exists, use it. 5. Use `System.getProperty(\"java.io.tmpdir\")` and use it. Jetty will end traversal at the first successful step. To mitigate this vulnerability the directory must be set to one that is not writable by an attacker. To avoid information leakage, the directory should also not be readable by an attacker. #### Setting a Jetty server temporary directory. Choices 3 and 5 apply to the server level, and will impact all deployed webapps on the server. For choice 3 just create that work directory underneath your `${jetty.base}` and restart Jetty. For choice 5, just specify your own `java.io.tmpdir` when you start the JVM for Jetty. ``` shell [jetty-distribution]$ java -Djava.io.tmpdir=/var/web/work -jar start.jar ``` #### Setting a Context specific temporary directory. The rest of the choices require you to configure the context for that deployed webapp (seen as `${jetty.base}/webapps/.xml`) Example (excluding the DTD which is version specific): ``` xml /var/web/webapps/foo.war /var/web/work/foo ``` ### References - https://github.com/eclipse/jetty.project/issues/5451 - [CWE-378: Creation of Temporary File With Insecure Permissions](https://cwe.mitre.org/data/definitions/378.html) - [CWE-379: Creation of Temporary File in Directory with Insecure Permissions](https://cwe.mitre.org/data/definitions/379.html) - [CodeQL Query PR To Detect Similar Vulnerabilities](https://github.com/github/codeql/pull/4473) ### Similar Vulnerabilities Similar, but not the same. 
- JUnit 4 - https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information The original report of this vulnerability is below: > On Thu, 15 Oct 2020 at 21:14, Jonathan Leitschuh wrote: > Hi WebTide Security Team, > > I'm a security researcher writing some custom CodeQL queries to find Local Temporary Directory Hijacking Vulnerabilities. One of my queries flagged an issue in Jetty. > > https://lgtm.com/query/5615014766184643449/ > > I've recently been looking into security vulnerabilities involving the temporary directory because on unix-like systems, the system temporary directory is shared between all users. > There exists a race condition between the deletion of the temporary file and the creation of the directory. > > ```java > // ensure file will always be unique by appending random digits > tmpDir = File.createTempFile(temp, \".dir\", parent); // Attacker knows the full path of the file that will be generated > // delete the file that was created > tmpDir.delete(); // Attacker sees file is deleted and begins a race to create their own directory before Jetty. > // and make a directory of the same name > // SECURITY VULNERABILITY: Race Condition! - Attacker beats Jetty and now owns this directory > tmpDir.mkdirs(); > ``` > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L511-L518 > > In several cases the `parent` parameter will not be the system temporary directory. However, there is one case where it will be, as the last fallback. 
> > > https://github.com/eclipse/jetty.project/blob/1b59672b7f668b8a421690154b98b4b2b03f254b/jetty-webapp/src/main/java/org/eclipse/jetty/webapp/WebInfConfiguration.java#L467-L468 > > If any code is ever executed out of this temporary directory, this can lead to a local privilege escalation vulnerability. > > Would your team be willing to open a GitHub security advisory to continue the discussion and disclosure there? https://github.com/eclipse/jetty.project/security/advisories > > **This vulnerability disclosure follows Google's [90-day vulnerability disclosure policy](https://www.google.com/about/appsecurity/) (I'm not an employee of Google, I just like their policy). Full disclosure will occur either at the end of the 90-day deadline or whenever a patch is made widely available, whichever occurs first.** > > Cheers, > Jonathan Leitschuh", "impact": 0.7, 
@@ -2849,14 +2981,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when...", + "title": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. 
### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "id": "GHSA-58qw-p7qm-5rvh", "desc": "### From the reporter > `XmlParser` is vulnerable to XML external entity (XXE) vulnerability. > XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit > this vulnerability in order to achieve SSRF or cause a denial of service. > One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the > WAR includes a malicious web.xml. ### Impact There are no circumstances in a normally deployed Jetty server where potentially hostile XML is given to the XmlParser class without the attacker already having arbitrary access to the server. I.e. in order to exploit `XmlParser` the attacker would already have the ability to deploy and execute hostile code. Specifically, Jetty has no protection against malicious web application and potentially hostile web applications should only be run on an isolated virtualisation. Thus this is not considered a vulnerability of the Jetty server itself, as any such usage of the jetty XmlParser is equally vulnerable as a direct usage of the JVM supplied SAX parser. No CVE will be allocated to this advisory. However, any direct usage of the `XmlParser` class by an application may be vulnerable. The impact would greatly depend on how the application uses `XmlParser`, but it could be a denial of service due to large entity expansion, or possibly the revealing local files if the XML results are accessible remotely. ### Patches Ability to configure the SAXParserFactory to fit the needs of your particular XML parser implementation have been merged as part of PR #10067 ### Workarounds Don't use `XmlParser` to parse data from users.", "impact": 0.3, 
@@ -2891,14 +3025,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request...", + "title": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "id": "GHSA-gwcr-j4wh-j3cq", "desc": "Requests to the `ConcatServlet` and `WelcomeFilter` are able to access protected resources within the `WEB-INF` directory. 
For example a request to the `ConcatServlet` with a URI of `/concat?/%2557EB-INF/web.xml` can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application. This occurs because both `ConcatServlet` and `WelcomeFilter` decode the supplied path to verify it is not within the `WEB-INF` or `META-INF` directories. It then uses this decoded path to call `RequestDispatcher` which will also do decoding of the path. This double decoding allows paths with a doubly encoded `WEB-INF` to bypass this security check. ### Impact This affects all versions of `ConcatServlet` and `WelcomeFilter` in versions before 9.4.41, 10.0.3 and 11.0.3. ### Workarounds If you cannot update to the latest version of Jetty, you can instead deploy your own version of the [`ConcatServlet`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/ConcatServlet.java) and/or the [`WelcomeFilter`](https://github.com/eclipse/jetty.project/blob/4204526d2fdad355e233f6bf18a44bfe028ee00b/jetty-servlets/src/main/java/org/eclipse/jetty/servlets/WelcomeFilter.java) by using the code from the latest version of Jetty.", "impact": 0.5, 
@@ -2935,14 +3071,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the...", + "title": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. 
If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "id": "GHSA-3gh6-v5v9-6v9j", "desc": "If a user sends a request to a `org.eclipse.jetty.servlets.CGI` Servlet for a binary with a space in its name, the servlet will escape the command by wrapping it in quotation marks. This wrapped command, plus an optional command prefix, will then be executed through a call to Runtime.exec. If the original binary name provided by the user contains a quotation mark followed by a space, the resulting command line will contain multiple tokens instead of one. For example, if a request references a binary called file” name “here, the escaping algorithm will generate the command line string “file” name “here”, which will invoke the binary named file, not the one that the user requested. ```java if (execCmd.length() > 0 && execCmd.charAt(0) != '\"' && execCmd.contains(\" \")) execCmd = \"\\\"\" + execCmd + \"\\\"\"; ``` ### Exploit Scenario The cgi-bin directory contains a binary named exec and a subdirectory named exec” commands, which contains a file called bin1. The user sends to the CGI servlet a request for the filename exec” commands/bin1. 
This request will pass the file existence check on lines 194 through 205. The servlet will add quotation marks around this filename, resulting in the command line string “exec” commands/bin1”. When this string is passed to Runtime.exec, instead of executing the bin1 binary, the server will execute the exec binary with the argument commands/file1”. In addition to being incorrect, this behavior may bypass alias checks, and it may cause other unintended behaviors if a command prefix is configured. If the useFullPath configuration setting is off, the command need not pass the existence check. The attack would not rely on a binary and subdirectory having similar names, and the attack will succeed on a much wider variety of directory structures. ### Impact Users of the `org.eclipse.jetty.servlets.CGI` Servlet with a very specific command structure may have the wrong command executed. ### Patches No patch. In Jetty 9.x, 10.x, and 11.x the `org.eclipse.jetty.servlets.CGI` has been deprecated. In Jetty 12 (all environments) the `org.eclipse.jetty.servlets.CGI` has been entirely removed. ### Workarounds The `org.eclipse.jetty.servlets.CGI` Servlet should not be used. Fast CGI support is available instead. ### References * https://github.com/eclipse/jetty.project/pull/9516 * https://github.com/eclipse/jetty.project/pull/9889 * https://github.com/eclipse/jetty.project/pull/9888", "impact": 0.3, 
@@ -2980,14 +3118,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static...", + "title": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. 
_This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. - Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "id": "GHSA-269g-pwp5-87pp", "desc": "### Vulnerability The JUnit4 test rule [TemporaryFolder](https://junit.org/junit4/javadoc/4.13/org/junit/rules/TemporaryFolder.html) contains a local information disclosure vulnerability. 
Example of vulnerable code: ```java public static class HasTempFolder { @Rule public TemporaryFolder folder = new TemporaryFolder(); @Test public void testUsingTempFolder() throws IOException { folder.getRoot(); // Previous file permissions: `drwxr-xr-x`; After fix:`drwx------` File createdFile= folder.newFile(\"myfile.txt\"); // unchanged/irrelevant file permissions File createdFolder= folder.newFolder(\"subfolder\"); // unchanged/irrelevant file permissions // ... } } ``` ### Impact On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability **does not** allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. When analyzing the impact of this vulnerability, here are the important questions to ask: 1. Do the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder? - If yes, this vulnerability impacts you, but only if you also answer 'yes' to question 2. - If no, this vulnerability does not impact you. 2. Do the JUnit tests ever execute in an environment where the OS has other untrusted users. _This may apply in CI/CD environments but normally won't be 'yes' for personal developer machines._ - If yes, and you answered 'yes' to question 1, this vulnerability impacts you. - If no, this vulnerability does not impact you. ### Patches Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. - Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. 
- Java 1.6 and lower users: **no patch is available, you must use the workaround below.** ### Workarounds If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. ### References - [CWE-200: Exposure of Sensitive Information to an Unauthorized Actor](https://cwe.mitre.org/data/definitions/200.html) - Fix commit https://github.com/junit-team/junit4/commit/610155b8c22138329f0723eec22521627dbc52ae #### Similar Vulnerabilities - Google Guava - https://github.com/google/guava/issues/4011 - Apache Ant - https://nvd.nist.gov/vuln/detail/CVE-2020-1945 - JetBrains Kotlin Compiler - https://nvd.nist.gov/vuln/detail/CVE-2020-15824 ### For more information If you have any questions or comments about this advisory, please pen an issue in [junit-team/junit4](https://github.com/junit-team/junit4/issues).", "impact": 0.5, @@ -3022,7 +3162,9 @@ { "ref": [ { - "name": "INTERNAL" + "source": { + "name": "INTERNAL" + } } ] } @@ -3062,7 +3204,9 @@ { "ref": [ { - "name": "INTERNAL" + "source": { + "name": "INTERNAL" + } } ] } 
@@ -3103,14 +3247,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A...",
+ "title": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
 "id": "GHSA-j8jw-g6fq-mp7h",
 "desc": "A flaw was found in hibernate-core in versions prior to 5.3.20.Final and in 5.4.0.Final up to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.",
 "impact": 0.7,
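Review bot: On the new side of this hunk the `"title"` line now carries the complete advisory text and is byte-identical to `"desc"` (GHSA-j8jw-g6fq-mp7h), and the same holds for every title in the hunks that follow, including the multi-kilobyte markdown bodies with embedded code blocks for GHSA-wgh7-54f2-x98r and GHSA-mm8h-8587-p46h. If dropping the old `...` truncation was meant only to stop cutting titles mid-sentence, a bounded title (for example the first sentence, or the first line when the text starts with a markdown heading) would keep consumers that render title as a one-line summary readable, while desc already holds the full text. The mapper change that produces this output lives in a different file and is outside this diff, so this is raised against the fixture as the observable behaviour; if the duplication is intended, a short note in the mapper saying so would help the next reader.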
@@ -3145,14 +3291,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation...",
+ "title": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
 "id": "GHSA-8grg-q944-cch5",
 "desc": "A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.",
 "impact": 0.5,
@@ -3187,14 +3335,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular...",
+ "title": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
 "id": "GHSA-hwj3-m3p6-hj38",
 "desc": "dom4j before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j. Note: This advisory applies to `dom4j:dom4j` version 1.x legacy artifacts. To resolve this a change to the latest version of `org.dom4j:dom4j` is recommended.",
 "impact": 1,
@@ -3229,14 +3379,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the...",
+ "title": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
 "id": "GHSA-7r82-7xv7-xcpj",
 "desc": "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.",
 "impact": 0.5,
@@ -3271,14 +3423,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of...",
+ "title": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
 "id": "GHSA-jvfv-hrrc-6q72",
 "desc": "The XMLChangeLogSAXParser() function in Liquibase prior to version 4.8.0 contains an issue that may lead to to Improper Restriction of XML External Entity Reference.",
 "impact": 1,
@@ -3314,14 +3468,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from...", + "title": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "id": "GHSA-wgmr-mf83-7x4j", "desc": "### Description Invalid HTTP/2 requests (for example, invalid URIs) are incorrectly handled by writing a blocking error response directly from the selector thread. If the client manages to exhaust the HTTP/2 flow control window, or TCP congest the connection, the selector thread will be blocked trying to write the error response. If this is repeated for all the selector threads, the server becomes unresponsive, causing the denial of service. ### Impact A malicious client may render the server unresponsive. ### Patches The fix is available in Jetty versions 9.4.47. 10.0.10, 11.0.10. ### Workarounds No workaround available within Jetty itself. 
One possible workaround is to filter the requests before sending them to Jetty (for example in a proxy) ### For more information If you have any questions or comments about this advisory: * Email us at security@webtide.com.", "impact": 0.7, 
@@ -3356,14 +3512,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should...", + "title": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. 
In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. ## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "id": "GHSA-qppj-fm5r-hxr3", "desc": "## HTTP/2 Rapid reset attack The HTTP/2 protocol allows clients to indicate to the server that a previous stream should be canceled by sending a RST_STREAM frame. The protocol does not require the client and server to coordinate the cancellation in any way, the client may do it unilaterally. 
The client may also assume that the cancellation will take effect immediately when the server receives the RST_STREAM frame, before any other data from that TCP connection is processed. Abuse of this feature is called a Rapid Reset attack because it relies on the ability for an endpoint to send a RST_STREAM frame immediately after sending a request frame, which makes the other endpoint start working and then rapidly resets the request. The request is canceled, but leaves the HTTP/2 connection open. The HTTP/2 Rapid Reset attack built on this capability is simple: The client opens a large number of streams at once as in the standard HTTP/2 attack, but rather than waiting for a response to each request stream from the server or proxy, the client cancels each request immediately. The ability to reset streams immediately allows each connection to have an indefinite number of requests in flight. By explicitly canceling the requests, the attacker never exceeds the limit on the number of concurrent open streams. The number of in-flight requests is no longer dependent on the round-trip time (RTT), but only on the available network bandwidth. In a typical HTTP/2 server implementation, the server will still have to do significant amounts of work for canceled requests, such as allocating new stream data structures, parsing the query and doing header decompression, and mapping the URL to a resource. For reverse proxy implementations, the request may be proxied to the backend server before the RST_STREAM frame is processed. The client on the other hand paid almost no costs for sending the requests. This creates an exploitable cost asymmetry between the server and the client. Multiple software artifacts implementing HTTP/2 are affected. This advisory was originally ingested from the `swift-nio-http2` repo advisory and their original conent follows. 
## swift-nio-http2 specific advisory swift-nio-http2 is vulnerable to a denial-of-service vulnerability in which a malicious client can create and then reset a large number of HTTP/2 streams in a short period of time. This causes swift-nio-http2 to commit to a large amount of expensive work which it then throws away, including creating entirely new `Channel`s to serve the traffic. This can easily overwhelm an `EventLoop` and prevent it from making forward progress. swift-nio-http2 1.28 contains a remediation for this issue that applies reset counter using a sliding window. This constrains the number of stream resets that may occur in a given window of time. Clients violating this limit will have their connections torn down. This allows clients to continue to cancel streams for legitimate reasons, while constraining malicious actors.", "impact": 0.5, 
@@ -3404,14 +3562,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as...", + "title": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "id": "GHSA-rggv-cv7r-mw98", "desc": "### Impact If an HTTP/2 connection gets TCP congested, when an idle timeout occurs the HTTP/2 session is marked as closed, and then a GOAWAY frame is queued to be written. However it is not written because the connection is TCP congested. 
When another idle timeout period elapses, it is then supposed to hard close the connection, but it delegates to the HTTP/2 session which reports that it has already been closed so it does not attempt to hard close the connection. This leaves the connection in ESTABLISHED state (i.e. not closed), TCP congested, and idle. An attacker can cause many connections to end up in this state, and the server may run out of file descriptors, eventually causing the server to stop accepting new connections from valid clients. The client may also be impacted (if the server does not read causing a TCP congestion), but the issue is more severe for servers. ### Patches Patched versions: * 9.4.54 * 10.0.20 * 11.0.20 * 12.0.6 ### Workarounds Disable HTTP/2 and HTTP/3 support until you can upgrade to a patched version of Jetty. HTTP/1.x is not affected. ### References * https://github.com/jetty/jetty.project/issues/11256.", "impact": 0.7, 
@@ -3446,14 +3606,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following...", + "title": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. 
Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. 
Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "id": "GHSA-wgh7-54f2-x98r", "desc": "An integer overflow in `MetaDataBuilder.checkSize` allows for HTTP/2 HPACK header values to exceed their size limit. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java 291 public void checkSize(int length, boolean huffman) throws SessionException 292 { 293 // Apply a huffman fudge factor 294 if (huffman) 295 length = (length * 4) / 3; 296 if ((_size + length) > _maxSize) 297 throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); 298 } ``` However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. 
Furthermore, `MetaDataBuilder.checkSize` allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. In `MetaDataBuilder.java`, the following code determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded: ```java public void checkSize(int length, boolean huffman) throws SessionException { // Apply a huffman fudge factor if (huffman) length = (length * 4) / 3; if ((_size + length) > _maxSize) throw new HpackException.SessionException(\"Header too large %d > %d\", _size + length, _maxSize); } ``` However, no exception is thrown in the case of a negative size. Later, in `Huffman.decode`, the user-entered length is multiplied by 2 before allocating a buffer: ```java public static String decode(ByteBuffer buffer, int length) throws HpackException.CompressionException { Utf8StringBuilder utf8 = new Utf8StringBuilder(length * 2); // ... ``` This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. ### Exploit Scenario 1 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ffffffffff02. Each time this header is decoded: + `HpackDecode.decode` will determine that a Huffman-coded value of length 805306494 needs to be decoded. + `MetaDataBuilder.checkSize` will approve this length. + Huffman.decode will allocate a 1.6 GB string array. + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens. (Note: this can be delayed by appending valid huffman-coded characters to the end of the header.) 
Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Exploit Scenario 2 An attacker repeatedly sends HTTP messages with the HPACK header 0x00ff8080ffff0b. Each time this header is decoded: + HpackDecode.decode will determine that a Huffman-coded value of length -1073758081 needs to be decoded + MetaDataBuilder.checkSize will approve this length + The number will be multiplied by 2 to get 2147451134, and Huffman.decode will allocate a 2.1 GB string array + Huffman.decode will have a buffer overflow error, and the array will be deallocated the next time garbage collection happens (Note that this deallocation can be delayed by adding valid Huffman-coded characters to the end of the header) Depending on the timing of garbage collection, the number of threads, and the amount of memory available on the server, this may cause the server to run out of memory. ### Impact Users of HTTP/2 can be impacted by a remote denial of service attack. ### Patches Fixed in Jetty 10.0.16 and Jetty 11.0.16 Fixed in Jetty 9.4.53 Jetty 12.x is unaffected. ### Workarounds No workarounds possible, only patched versions of Jetty. ### References * https://github.com/eclipse/jetty.project/pull/9634", "impact": 0.7, 
@@ -3490,14 +3652,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to...",
+ "title": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.",
 "id": "GHSA-w4g2-9hj6-5472",
 "desc": "Pivotal Spring AMQP, 1.x versions prior to 1.7.10 and 2.x versions prior to 2.0.6, expose a man-in-the-middle vulnerability due to lack of hostname validation. A malicious user that has the ability to intercept traffic would be able to view data in transit.",
 "impact": 0.5,
@@ -3532,14 +3696,16 @@ { "ref": [ { - "name": "GITHUB", - "url": "https://github.com/advisories" + "source": { + "name": "GITHUB", + "url": "https://github.com/advisories" + } } ] } ], "source_location": {}, - "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a...", + "title": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = 
context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "id": "GHSA-mm8h-8587-p46h", "desc": "### Summary `maxBodyLebgth` was not used when receiving Message objects. Attackers could just send a very large Message causing a memory overflow and triggering an OOM Error. ### PoC #### RbbitMQ * Use RabbitMQ 3.11.16 as MQ and specify Message Body size 512M (here it only needs to be larger than the Consumer memory) * Start RabbitMQ #### Producer * Build a String of length 256M and send it to Consumer ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Producer { public static void main(String[] args) { ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); String s = \"A\"; for(int i=0;i<28;++i){ s = s + s; System.out.println(i); } amqpTemplate.convertAndSend(s); System.out.println(\"Send Finish\"); } } ``` #### Consumer * First set the heap memory size to 128M * Read the message sent by the Producer from the MQ and print the length ``` package org.springframework.amqp.helloworld; import org.springframework.amqp.core.AmqpTemplate; import org.springframework.amqp.core.Message; import org.springframework.context.ApplicationContext; import org.springframework.context.annotation.AnnotationConfigApplicationContext; public class Consumer { public static void main(String[] args) { 
ApplicationContext context = new AnnotationConfigApplicationContext(HelloWorldConfiguration.class); AmqpTemplate amqpTemplate = context.getBean(AmqpTemplate.class); Object o = amqpTemplate.receiveAndConvert(); if(o != null){ String s = o.toString(); System.out.println(\"Received Length : \" + s.length()); }else{ System.out.println(\"null\"); } } } ``` #### Results * Run the Producer first, then the Consumer * Consumer throws OOM Exception ### Impact Users of RabbitMQ may suffer from DoS attacks from RabbitMQ Java client which will ultimately exhaust the memory of the consumer.", "impact": 0.5, 
@@ -3574,14 +3740,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote...",
+ "title": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. 
### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.",
 "id": "GHSA-h376-j262-vhq6",
 "desc": "### Impact H2 Console in versions since 1.1.100 (2008-10-14) to 2.0.204 (2021-12-21) inclusive allows loading of custom classes from remote servers through JNDI. H2 Console doesn't accept remote connections by default. If remote access was enabled explicitly and some protection method (such as security constraint) wasn't set, an intruder can load own custom class and execute its code in a process with H2 Console (H2 Server process or a web server with H2 Console servlet). It is also possible to load them by creation a linked table in these versions, but it requires `ADMIN` privileges and user with `ADMIN` privileges has full access to the Java process by design. These privileges should never be granted to untrusted users. ### Patches Since version 2.0.206 H2 Console and linked tables explicitly forbid attempts to specify LDAP URLs for JNDI. Only local data sources can be used. ### Workarounds H2 Console should never be available to untrusted users. `-webAllowOthers` is a dangerous setting that should be avoided. H2 Console Servlet deployed on a web server can be protected with a security constraint: https://h2database.com/html/tutorial.html#usingH2ConsoleServlet If `webAllowOthers` is specified, you need to uncomment and edit `` and `` as necessary. See documentation of your web server for more details. ### References This issue was found and privately reported to H2 team by [JFrog Security](https://www.jfrog.com/)'s vulnerability research team with detailed information.",
 "impact": 1,
@@ -3618,14 +3786,16 @@
 {
 "ref": [
 {
- "name": "GITHUB",
- "url": "https://github.com/advisories"
+ "source": {
+ "name": "GITHUB",
+ "url": "https://github.com/advisories"
+ }
 }
 ]
 }
 ],
 "source_location": {},
- "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring,...",
+ "title": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.",
 "id": "GHSA-45hx-wfhj-473x",
 "desc": "H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.",
 "impact": 1,
@@ -3640,7 +3810,7 @@
 ]
 }
 ],
- "sha256": "bf70242005c6b5e676974f138b98d38be83bb0d941a8a31a8985a17567976521"
+ "sha256": "a2a9f29c527b6e627114bf5ca676805fe7920a9ad1e0d2d63f3444f0c35d1f69"
 }
 ],
 "passthrough": {
diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json
index e7a30d0822..4b9bd0f71f 100644
--- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json
+++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf-withraw.json
@@ -52,37 +52,43 @@
 {
 "ref": [
 {
- "name": "NVD",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
+ }
 },
- [
- {
- "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302",
- "source": {
- "name": "SNYK",
- "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ {
+ "references": [
+ {
+ "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302",
+ "source": {
+ "name": "SNYK",
+ "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ }
 }
- }
- ],
- [
- {
- "title": "GitHub Commit",
- "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59"
- },
- {
- "title": "GitHub Issue",
- "url": "https://github.com/FasterXML/jackson-databind/issues/2589"
- },
- {
- "title": "RedHat Bugzilla Bug",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
- }
- ]
+ ]
+ },
+ {
+ "advisories": [
+ {
+ "title": "GitHub Commit",
+ "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59"
+ },
+ {
+ "title": "GitHub Issue",
+ "url": "https://github.com/FasterXML/jackson-databind/issues/2589"
+ },
+ {
+ "title": "RedHat Bugzilla Bug",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
+ }
+ ]
+ }
 ]
 }
 ],
 "source_location": {},
- "title": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package...",
+ "title": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. 
The highest threat from this vulnerability is data integrity.",
 "id": "CVE-2020-25649",
 "desc": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
 "impact": 0.82,
@@ -97,7 +103,7 @@
 ]
 }
 ],
- "sha256": "de340123e25d2d20c70b9ffc2f7f9f59d264b331ea37b662be6def8a5eb7705b"
+ "sha256": "b49665f82538e2550edbdc5cb008df636fbf721891c517523017b9aab060b92e"
 }
 ],
 "passthrough": {
diff --git a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json
index 4b9730ecac..75e302f6be 100644
--- a/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json
+++ b/libs/hdf-converters/sample_jsons/cyclonedx_sbom_mapper/sbom-vex-hdf.json
@@ -52,37 +52,43 @@
 {
 "ref": [
 {
- "name": "NVD",
- "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
+ "source": {
+ "name": "NVD",
+ "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-25649"
+ }
 },
- [
- {
- "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302",
- "source": {
- "name": "SNYK",
- "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ {
+ "references": [
+ {
+ "id": "SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302",
+ "source": {
+ "name": "SNYK",
+ "url": "https://security.snyk.io/vuln/SNYK-JAVA-COMFASTERXMLJACKSONCORE-1048302"
+ }
 }
- }
- ],
- [
- {
- "title": "GitHub Commit",
- "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59"
- },
- {
- "title": "GitHub Issue",
- "url": "https://github.com/FasterXML/jackson-databind/issues/2589"
- },
- {
- "title": "RedHat Bugzilla Bug",
- "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
- }
- ]
+ ]
+ },
+ {
+ "advisories": [
+ {
+ "title": "GitHub Commit",
+ "url": "https://github.com/FasterXML/jackson-databind/commit/612f971b78c60202e9cd75a299050c8f2d724a59"
+ },
+ {
+ "title": "GitHub Issue",
+ "url": "https://github.com/FasterXML/jackson-databind/issues/2589"
+ },
+ {
+ "title": "RedHat Bugzilla Bug",
+ "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1887664"
+ }
+ ]
+ }
 ]
 }
 ],
 "source_location": {},
- "title": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package...",
+ "title": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. 
The highest threat from this vulnerability is data integrity.",
 "id": "CVE-2020-25649",
 "desc": "com.fasterxml.jackson.core:jackson-databind is a library which contains the general-purpose data-binding functionality and tree-model for Jackson Data Processor.\n\nAffected versions of this package are vulnerable to XML External Entity (XXE) Injection. A flaw was found in FasterXML Jackson Databind, where it does not have entity expansion secured properly in the DOMDeserializer class. The highest threat from this vulnerability is data integrity.",
 "impact": 0.82,
@@ -97,7 +103,7 @@
 ]
 }
 ],
- "sha256": "de340123e25d2d20c70b9ffc2f7f9f59d264b331ea37b662be6def8a5eb7705b"
+ "sha256": "b49665f82538e2550edbdc5cb008df636fbf721891c517523017b9aab060b92e"
 }
 ],
 "passthrough": {
diff --git a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
index 43cceef3a2..2659929ab1 100644
--- a/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
+++ b/libs/hdf-converters/src/cyclonedx-sbom-mapper.ts
@@ -61,7 +61,7 @@ function getNISTTags(input: CweRepository): string[] {
 // A single SBOM vulnerability can contain multiple security ratings
 // Find the max of any existing ratings and then pass to `impact`
-function aggregateImpact(ratings: RatingRepository): number {
+function maxImpact(ratings: RatingRepository): number {
 let impact = 0;
 for (const rating of ratings) {
 // Prefer to use CVSS-based `score` field when possible
@@ -296,7 +296,7 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 if (input.licenses) {
 // Certain license reports only provide the license name in the `name` field
 // Check there first and then default to `id`
- return [..._.cloneDeep(input.licenses)]
+ return [...input.licenses]
 .map((license) =>
 _.has(license, 'license.name')
 ? _.get(license, 'license.name')
@@ -386,12 +386,9 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 input: Record
 ): Record => {
 const searchFor = ['source', 'references', 'advisories'];
- const ref = [];
- for (const key of searchFor) {
- if (input[key]) {
- ref.push(input[key] as Record);
- }
- }
+ const ref = searchFor
+ .filter((key) => input.hasOwnProperty(key))
+ .map((key) => _.pick(input, key));
 return {ref: ref};
 }
 }
@@ -399,16 +396,8 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 source_location: {},
 title: {
 // Give description as title if possible
- // Cut off description after certain word count for frontend display on smaller screens
- transformer: (input: Record): string => {
- if (input.description) {
- return (input.description as string).split(' ').length > 20
- ? `${(input.description as string).split(' ').splice(0, 20).join(' ')}...`
- : `${input.description}`;
- } else {
- return `${input.id}`;
- }
- }
+ transformer: (input: Record): string =>
+ input.description ? `${input.description}` : `${input.id}`
 },
 id: {path: 'id'},
 desc: {
@@ -417,7 +406,7 @@ export class CycloneDXSBOMMapper extends BaseConverter {
 input: Record
 ): string | undefined => (input ? `${input}` : undefined)
 },
- impact: {path: 'ratings', transformer: aggregateImpact},
+ impact: {path: 'ratings', transformer: maxImpact},
 code: {
 transformer: (vulnerability: Record): string =>
 JSON.stringify(
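Review bot: `input.hasOwnProperty(key)` in the new `.filter` of the `@@ -386` hunk invokes the builtin through the object itself, and `input` looks like a vulnerability record derived from the parsed SBOM, so an own key literally named `hasOwnProperty` (legal in JSON) would shadow the method with a non-function and throw; this is exactly what ESLint's `no-prototype-builtins` rule flags. The rewrite also drops the old truthiness guard on `input[key]`, so a `"source": null` in the input now produces a `{source: null}` entry in `ref` where the loop it replaces skipped it. Lodash is already in scope and used by the neighbouring `_.pick`, so `.filter((key) => _.has(input, key) && input[key] != null)` keeps the own-property check safe and restores the null/undefined exclusion; `Object.prototype.hasOwnProperty.call(input, key)` is the plain-JS equivalent for the first half. The transformer's signature begins outside the hunk, so I could not confirm what type `input` is declared as.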