Vulnerable Library - webdrivermanager-4.0.0.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

CVE-2024-25710

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • jarchivelib-1.0.0.jar
    • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

WS-2021-0419

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25647

Vulnerable Library - gson-2.8.6.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.6/gson-2.8.6.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • ❌ gson-2.8.6.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37714

Vulnerable Library - jsoup-1.13.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • ❌ jsoup-1.13.1.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution (org.jsoup:jsoup): 1.14.2

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-36090

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • jarchivelib-1.0.0.jar
    • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-35517

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • jarchivelib-1.0.0.jar
    • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-35516

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • jarchivelib-1.0.0.jar
    • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-35515

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • jarchivelib-1.0.0.jar
    • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-12402

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • jarchivelib-1.0.0.jar
    • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Publish Date: 2019-08-29

URL: CVE-2019-12402

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

Release Date: 2019-08-29

Fix Resolution (org.apache.commons:commons-compress): 1.19

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 4.2.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-36033

Vulnerable Library - jsoup-1.13.1.jar

jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.

Library home page: https://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • ❌ jsoup-1.13.1.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Publish Date: 2022-08-29

URL: CVE-2022-36033

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gp7f-rwcx-9369

Release Date: 2022-08-29

Fix Resolution (org.jsoup:jsoup): 1.15.3

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-13956

Vulnerable Library - httpclient5-5.0.jar

Apache HttpComponents Client

Library home page: http://hc.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/client5/httpclient5/5.0/httpclient5-5.0.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • ❌ httpclient5-5.0.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution (org.apache.httpcomponents.client5:httpclient5): 5.0.3

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 4.3.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-29425

Vulnerable Library - commons-io-2.6.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar

Dependency Hierarchy:

• webdrivermanager-4.0.0.jar (Root Library)
  • ❌ commons-io-2.6.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution (commons-io:commons-io): 2.7

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 4.1.0

⛑️ Automatic Remediation will be attempted for this issue.

Vulnerable Library - selenium-java-4.0.0-alpha-6.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.3.70/kotlin-stdlib-1.3.70.jar

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

CVE-2023-44487

Vulnerable Library - netty-codec-http2-4.1.48.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.48.Final/netty-codec-http2-4.1.48.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • reactor-netty-0.9.6.RELEASE.jar
            • ❌ netty-codec-http2-4.1.48.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution (io.netty:netty-codec-http2): 4.1.100.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37137

Vulnerable Library - netty-codec-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • netty-reactive-streams-2.0.4.jar
            • netty-handler-4.1.43.Final.jar
              • ❌ netty-codec-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-37136

Vulnerable Library - netty-codec-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.49.Final/netty-codec-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • netty-reactive-streams-2.0.4.jar
            • netty-handler-4.1.43.Final.jar
              • ❌ netty-codec-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

WS-2020-0408

Vulnerable Library - netty-handler-4.1.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.43.Final/netty-handler-4.1.43.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • netty-reactive-streams-2.0.4.jar
            • ❌ netty-handler-4.1.43.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that doesn’t intend for him. This is an issue because the certificate is not matched with the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution (io.netty:netty-handler): 4.1.69.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-34462

Vulnerable Library - netty-handler-4.1.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.43.Final/netty-handler-4.1.43.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • netty-reactive-streams-2.0.4.jar
            • ❌ netty-handler-4.1.43.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler to allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the indicated server name by the ClientHello record. For this matter it allocates a ByteBuf using the value defined in the ClientHello record. Normally the value of the packet should be smaller than the handshake packet but there are not checks done here and the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution (io.netty:netty-handler): 4.1.94.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-43797

Vulnerable Library - netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • ❌ netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forward these to another remote system when used as proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution (io.netty:netty-codec-http): 4.1.71.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-21290

Vulnerable Libraries - netty-handler-4.1.43.Final.jar, netty-codec-http-4.1.49.Final.jar

netty-handler-4.1.43.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.43.Final/netty-handler-4.1.43.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • netty-reactive-streams-2.0.4.jar
            • ❌ netty-handler-4.1.43.Final.jar (Vulnerable Library)

netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • ❌ netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (6.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution (io.netty:netty-handler): 4.1.59.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

Fix Resolution (io.netty:netty-codec-http): 4.1.59.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-3635

Vulnerable Library - okio-2.6.0.jar

A modern I/O API for Java

Library home page: https://github.com/square/okio/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/squareup/okio/okio/2.6.0/okio-2.6.0.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • okhttp-4.5.0.jar
            • ❌ okio-2.6.0.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution (com.squareup.okio:okio): 3.0.0-alpha.10

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-21409

Vulnerable Library - netty-codec-http2-4.1.48.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.48.Final/netty-codec-http2-4.1.48.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • reactor-netty-0.9.6.RELEASE.jar
            • ❌ netty-codec-http2-4.1.48.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.

Publish Date: 2021-03-30

URL: CVE-2021-21409

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f256-j965-7f32

Release Date: 2021-03-30

Fix Resolution (io.netty:netty-codec-http2): 4.1.61.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-21295

Vulnerable Libraries - netty-codec-http-4.1.49.Final.jar, netty-codec-http2-4.1.48.Final.jar

netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • ❌ netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

netty-codec-http2-4.1.48.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.48.Final/netty-codec-http2-4.1.48.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • reactor-netty-0.9.6.RELEASE.jar
            • ❌ netty-codec-http2-4.1.48.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution (io.netty:netty-codec-http): 4.1.60.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

Fix Resolution (io.netty:netty-codec-http2): 4.1.60.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-2976

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • auto-service-1.0-rc6.jar
      • auto-common-0.10.jar
        • ❌ guava-29.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.

Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.

Publish Date: 2023-06-14

URL: CVE-2023-2976

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7g45-4rm6-3mm3

Release Date: 2023-06-14

Fix Resolution (com.google.guava:guava): 32.0.1-android

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.12.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24823

Vulnerable Library - netty-common-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.49.Final/netty-common-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • netty-reactive-streams-2.0.4.jar
            • netty-handler-4.1.43.Final.jar
              • ❌ netty-common-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.

Publish Date: 2022-05-06

URL: CVE-2022-24823

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823

Release Date: 2022-05-06

Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final

CVE-2024-29025

Vulnerable Library - netty-codec-http-4.1.49.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.49.Final/netty-codec-http-4.1.49.Final.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • ❌ netty-codec-http-4.1.49.Final.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked to accumulate data. While the decoder can store items on the disk if configured so, there are no limits to the number of fields the form can have, an attacher can send a chunked post consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder cumulates bytes in the undecodedChunk buffer until it can decode a field, this field can cumulate data without limits. This vulnerability is fixed in 4.1.108.Final.

Publish Date: 2024-03-25

URL: CVE-2024-29025

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025

Release Date: 2024-03-25

Fix Resolution (io.netty:netty-codec-http): 4.1.108.Final

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.14.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-34054

Vulnerable Library - reactor-netty-0.9.6.RELEASE.jar

Reactive Streams Netty driver

Library home page: https://github.com/reactor/reactor-netty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/projectreactor/netty/reactor-netty/0.9.6.RELEASE/reactor-netty-0.9.6.RELEASE.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • ❌ reactor-netty-0.9.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

In Reactor Netty HTTP Server, versions 1.1.x prior to 1.1.13 and versions 1.0.x prior to 1.0.39, it is possible for a user to provide specially crafted HTTP requests that may cause a denial-of-service (DoS) condition.

Specifically, an application is vulnerable if Reactor Netty HTTP Server built-in integration with Micrometer is enabled.

Publish Date: 2023-11-28

URL: CVE-2023-34054

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-34054

Release Date: 2023-11-28

Fix Resolution (io.projectreactor.netty:reactor-netty): 1.0.39

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.3.70.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.3.70/kotlin-stdlib-1.3.70.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • okhttp-4.5.0.jar
            • okio-2.6.0.jar
              • ❌ kotlin-stdlib-1.3.70.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-29582

Vulnerable Library - kotlin-stdlib-1.3.70.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.3.70/kotlin-stdlib-1.3.70.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • okhttp-4.5.0.jar
            • okio-2.6.0.jar
              • ❌ kotlin-stdlib-1.3.70.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.

Publish Date: 2021-02-03

URL: CVE-2020-29582

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-cqj8-47ch-rvvq

Release Date: 2021-02-03

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.4.21

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-0833

Vulnerable Library - okhttp-4.5.0.jar

Square’s meticulous HTTP client for Java and Kotlin.

Library home page: https://square.github.io/okhttp/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/squareup/okhttp3/okhttp/4.5.0/okhttp-4.5.0.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • selenium-chromium-driver-4.0.0-alpha-6.jar
      • selenium-devtools-4.0.0-alpha-6.jar
        • selenium-remote-driver-4.0.0-alpha-6.jar
          • ❌ okhttp-4.5.0.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

A flaw was found in Red Hat's AMQ-Streams, which ships a version of the OKHttp component with an information disclosure flaw via an exception triggered by a header containing an illegal value. This issue could allow an authenticated attacker to access information outside of their regular permissions.

Publish Date: 2023-09-27

URL: CVE-2023-0833

CVSS 3 Score Details (4.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2023-09-27

Fix Resolution (com.squareup.okhttp3:okhttp): 4.9.2

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-8908

Vulnerable Library - guava-29.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/29.0-jre/guava-29.0-jre.jar

Dependency Hierarchy:

• selenium-java-4.0.0-alpha-6.jar (Root Library)
  • selenium-chrome-driver-4.0.0-alpha-6.jar
    • auto-service-1.0-rc6.jar
      • auto-common-0.10.jar
        • ❌ guava-29.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 9e4be02f6b4458044445ed967d75f771631e5dc9

Found in base branch: master

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution (com.google.guava:guava): 30.0-android

Direct dependency fix Resolution (org.seleniumhq.selenium:selenium-java): 4.0.0

⛑️ Automatic Remediation will be attempted for this issue.