Vulnerable Library - lint-gradle-26.6.1.jar
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Vulnerabilities
CVE |
Severity |
CVSS |
Dependency |
Type |
Fixed in (lint-gradle version) |
Remediation Possible** |
WS-2021-0419 |
High |
7.7 |
gson-2.8.5.jar |
Transitive |
N/A* |
❌ |
CVE-2021-36090 |
High |
7.5 |
commons-compress-1.12.jar |
Transitive |
N/A* |
❌ |
CVE-2019-17359 |
High |
7.5 |
bcprov-jdk15on-1.56.jar |
Transitive |
N/A* |
❌ |
CVE-2022-25647 |
High |
7.5 |
gson-2.8.5.jar |
Transitive |
N/A* |
❌ |
CVE-2022-3509 |
High |
7.5 |
protobuf-java-3.4.0.jar |
Transitive |
N/A* |
❌ |
CVE-2018-1000180 |
High |
7.5 |
bcprov-jdk15on-1.56.jar |
Transitive |
N/A* |
❌ |
CVE-2021-35517 |
High |
7.5 |
commons-compress-1.12.jar |
Transitive |
N/A* |
❌ |
CVE-2021-35516 |
High |
7.5 |
commons-compress-1.12.jar |
Transitive |
N/A* |
❌ |
CVE-2021-35515 |
High |
7.5 |
commons-compress-1.12.jar |
Transitive |
N/A* |
❌ |
CVE-2022-3171 |
High |
7.5 |
protobuf-java-3.4.0.jar |
Transitive |
N/A* |
❌ |
CVE-2023-2976 |
High |
7.1 |
guava-27.1-jre.jar |
Transitive |
N/A* |
❌ |
WS-2019-0379 |
Medium |
6.5 |
commons-codec-1.10.jar |
Transitive |
N/A* |
❌ |
CVE-2020-15522 |
Medium |
5.9 |
bcprov-jdk15on-1.56.jar |
Transitive |
N/A* |
❌ |
CVE-2021-22569 |
Medium |
5.5 |
protobuf-java-3.4.0.jar |
Transitive |
N/A* |
❌ |
CVE-2020-17521 |
Medium |
5.5 |
groovy-all-2.4.15.jar |
Transitive |
N/A* |
❌ |
CVE-2018-11771 |
Medium |
5.5 |
commons-compress-1.12.jar |
Transitive |
N/A* |
❌ |
CVE-2018-1324 |
Medium |
5.5 |
commons-compress-1.12.jar |
Transitive |
N/A* |
❌ |
CVE-2022-24329 |
Medium |
5.3 |
kotlin-stdlib-1.3.61.jar |
Transitive |
N/A* |
❌ |
CVE-2020-13956 |
Medium |
5.3 |
httpclient-4.5.6.jar |
Transitive |
N/A* |
❌ |
CVE-2020-29582 |
Medium |
5.3 |
kotlin-stdlib-1.3.61.jar |
Transitive |
N/A* |
❌ |
CVE-2023-33201 |
Medium |
5.3 |
bcprov-jdk15on-1.56.jar |
Transitive |
N/A* |
❌ |
CVE-2020-26939 |
Medium |
5.3 |
bcprov-jdk15on-1.56.jar |
Transitive |
N/A* |
❌ |
CVE-2020-8908 |
Low |
3.3 |
guava-27.1-jre.jar |
Transitive |
N/A* |
❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
WS-2021-0419
Vulnerable Library - gson-2.8.5.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ gson-2.8.5.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
Step up your Open Source Security Game with Mend here
CVE-2021-36090
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Step up your Open Source Security Game with Mend here
CVE-2019-17359
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
The ASN.1 parser in Bouncy Castle Crypto (aka BC Java) 1.63 can trigger a large attempted memory allocation, and resultant OutOfMemoryError error, via crafted ASN.1 data. This is fixed in 1.64.
Publish Date: 2019-10-08
URL: CVE-2019-17359
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17359
Release Date: 2019-10-08
Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.64
Step up your Open Source Security Game with Mend here
CVE-2022-25647
Vulnerable Library - gson-2.8.5.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ gson-2.8.5.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
Step up your Open Source Security Game with Mend here
CVE-2022-3509
Vulnerable Library - protobuf-java-3.4.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ protobuf-java-3.4.0.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-12-12
URL: CVE-2022-3509
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509
Release Date: 2022-12-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7
Step up your Open Source Security Game with Mend here
CVE-2018-1000180
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.
Publish Date: 2018-06-05
URL: CVE-2018-1000180
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000180
Release Date: 2018-06-05
Fix Resolution: org.bouncycastle:bc-fips:1.0.2;org.bouncycastle:bcprov-jdk15on:1.60;org.bouncycastle:bcprov-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk14:1.60;org.bouncycastle:bcprov-ext-jdk15on:1.60;org.bouncycastle:bcprov-debug-jdk14:1.60;org.bouncycastle:bcprov-debug-jdk15on:1.60
Step up your Open Source Security Game with Mend here
CVE-2021-35517
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Step up your Open Source Security Game with Mend here
CVE-2021-35516
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Step up your Open Source Security Game with Mend here
CVE-2021-35515
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Step up your Open Source Security Game with Mend here
CVE-2022-3171
Vulnerable Library - protobuf-java-3.4.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ protobuf-java-3.4.0.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: 2022-10-12
URL: CVE-2022-3171
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: 2022-10-12
Fix Resolution: com.google.protobuf:protobuf-java:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-javalite:3.16.3,3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin:3.19.6,3.20.3,3.21.7;com.google.protobuf:protobuf-kotlin-lite:3.19.6,3.20.3,3.21.7;google-protobuf - 3.19.6,3.20.3,3.21.7
Step up your Open Source Security Game with Mend here
CVE-2023-2976
Vulnerable Library - guava-27.1-jre.jar
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Library home page: https://github.com/google/guava
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/27.1-jre/e47b59c893079b87743cdcfb6f17ca95c08c592c/guava-27.1-jre.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- ❌ guava-27.1-jre.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Use of Java's default temporary directory for file creation in FileBackedOutputStream
in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (7.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
Step up your Open Source Security Game with Mend here
WS-2019-0379
Vulnerable Library - commons-codec-1.10.jar
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- httpmime-4.5.6.jar
- httpclient-4.5.6.jar
- ❌ commons-codec-1.10.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Step up your Open Source Security Game with Mend here
CVE-2020-15522
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Bouncy Castle BC Java before 1.66, BC C# .NET before 1.8.7, BC-FJA before 1.0.1.2, 1.0.2.1, and BC-FNA before 1.0.1.1 have a timing issue within the EC math library that can expose information about the private key when an attacker is able to observe timing information for the generation of multiple deterministic ECDSA signatures.
Publish Date: 2021-05-20
URL: CVE-2020-15522
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15522
Release Date: 2021-05-20
Fix Resolution: org.bouncycastle:bc-fips:1.0.2.1;org.bouncycastle:bcprov-ext-jdk14:1.66;org.bouncycastle:bcprov-ext-jdk15on:1.66;org.bouncycastle:bcprov-jdk14:1.66;org.bouncycastle:bcprov-jdk15on:1.66;BouncyCastle - 1.8.9;Portable.BouncyCastle - 1.8.8
Step up your Open Source Security Game with Mend here
CVE-2021-22569
Vulnerable Library - protobuf-java-3.4.0.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an
efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.protobuf/protobuf-java/3.4.0/b32aba0cbe737a4ca953f71688725972e3ee927c/protobuf-java-3.4.0.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ protobuf-java-3.4.0.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-10
URL: CVE-2021-22569
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-wrvw-hg22-4m67
Release Date: 2022-01-10
Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2
Step up your Open Source Security Game with Mend here
CVE-2020-17521
Vulnerable Library - groovy-all-2.4.15.jar
Groovy: A powerful, dynamic language for the JVM
Library home page: http://groovy-lang.org
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.15/423a17aeb2f64bc6f76e8e44265a548bec80fd42/groovy-all-2.4.15.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- ❌ groovy-all-2.4.15.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Publish Date: 2020-12-07
URL: CVE-2020-17521
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/GROOVY-9824
Release Date: 2020-12-07
Fix Resolution: org.codehaus.groovy:groovy-all:2.4.21,2.5.14,3.0.7
Step up your Open Source Security Game with Mend here
CVE-2018-11771
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-08-16
URL: CVE-2018-11771
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
Release Date: 2018-08-16
Fix Resolution: 1.18
Step up your Open Source Security Game with Mend here
CVE-2018-1324
Vulnerable Library - commons-compress-1.12.jar
Apache Commons Compress software defines an API for working with
compression and archive formats. These include: bzip2, gzip, pack200,
lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio,
jar, tar, zip, dump, 7z, arj.
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.12/84caa68576e345eb5e7ae61a0e5a9229eb100d7b/commons-compress-1.12.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- ❌ commons-compress-1.12.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-03-16
URL: CVE-2018-1324
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324
Release Date: 2018-03-16
Fix Resolution: 1.16
Step up your Open Source Security Game with Mend here
CVE-2022-24329
Vulnerable Library - kotlin-stdlib-1.3.61.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.61/4702105e97f7396ae41b113fdbdc180ec1eb1e36/kotlin-stdlib-1.3.61.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- kotlin-stdlib-jdk8-1.3.61.jar
- ❌ kotlin-stdlib-1.3.61.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0
Step up your Open Source Security Game with Mend here
CVE-2020-13956
Vulnerable Library - httpclient-4.5.6.jar
Apache HttpComponents Client
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.6/1afe5621985efe90a92d0fbc9be86271efbe796f/httpclient-4.5.6.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- lint-gradle-api-26.6.1.jar
- sdklib-26.6.1.jar
- httpmime-4.5.6.jar
- ❌ httpclient-4.5.6.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
Step up your Open Source Security Game with Mend here
CVE-2020-29582
Vulnerable Library - kotlin-stdlib-1.3.61.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.61/4702105e97f7396ae41b113fdbdc180ec1eb1e36/kotlin-stdlib-1.3.61.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- kotlin-stdlib-jdk8-1.3.61.jar
- ❌ kotlin-stdlib-1.3.61.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: 2021-02-03
URL: CVE-2020-29582
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: GHSA-cqj8-47ch-rvvq
Release Date: 2021-02-03
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.4.21
Step up your Open Source Security Game with Mend here
CVE-2023-33201
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
Bouncy Castle For Java before 1.74 is affected by an LDAP injection vulnerability. The vulnerability only affects applications that use an LDAP CertStore from Bouncy Castle to validate X.509 certificates. During the certificate validation process, Bouncy Castle inserts the certificate's Subject Name into an LDAP search filter without any escaping, which leads to an LDAP injection vulnerability.
Publish Date: 2023-07-05
URL: CVE-2023-33201
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2023-07-05
Fix Resolution: org.bouncycastle:bcprov-ext-jdk18on:1.74, org.bouncycastle:bcprov-jdk18on:1.74, org.bouncycastle:bcprov-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-debug-jdk18on:1.74, org.bouncycastle:bcprov-ext-jdk15to18:1.74, org.bouncycastle:bcprov-jdk15to18:1.74, org.bouncycastle:bcprov-debug-jdk14:1.74, org.bouncycastle:bcprov-debug-jdk15to18:1.74, org.bouncycastle:bcprov-ext-debug-jdk14:1.74, org.bouncycastle:bcprov-ext-debug-jdk15to18:1.74, org.bouncycastle:bcprov-jdk14:1.74
Step up your Open Source Security Game with Mend here
CVE-2020-26939
Vulnerable Library - bcprov-jdk15on-1.56.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /app/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk15on/1.56/a153c6f9744a3e9dd6feab5e210e1c9861362ec7/bcprov-jdk15on-1.56.jar
Dependency Hierarchy:
- lint-gradle-26.6.1.jar (Root Library)
- sdk-common-26.6.1.jar
- ❌ bcprov-jdk15on-1.56.jar (Vulnerable Library)
Found in HEAD commit: ac44988aecc9ce7ddd3c91d34fd25bfd7c324feb
Found in base branch: master
Vulnerability Details
In Legion of the Bouncy Castle BC before 1.61 and BC-FJA before 1.0.1.2, attackers can obtain sensitive information about a private exponent because of Observable Differences in Behavior to Error Inputs. This occurs in org.bouncycastle.crypto.encodings.OAEPEncoding. Sending invalid ciphertext that decrypts to a short payload in the OAEP Decoder could result in the throwing of an early exception, potentially leaking some information about the private exponent of the RSA private key performing the encryption.
Publish Date: 2020-11-02
URL: CVE-2020-26939
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Release Date: 2020-11-02
Fix Resolution: org.bouncycastle:bcprov-jdk14:1.61,org.bouncycastle:bcprov-ext-debug-jdk15on:1.61,org.bouncycastle:bcprov-debug-jdk15on:1.61,org.bouncycastle:bcprov-ext-jdk15on:1.61,org.bouncycastle:bcprov-jdk15on:1.61
Step up your Open Source Security Game with Mend here