OpenSearch icon indicating copy to clipboard operation
OpenSearch copied to clipboard

Published 20 hours ago verified publisher icon opensearch-project

hdfs-fixture-3.0.0-SNAPSHOT: 5 vulnerabilities (highest severity is: 7.5)

Open mend-for-github-com[bot] opened this issue 1 year ago • 11 comments

Vulnerable Library - hdfs-fixture-3.0.0-SNAPSHOT

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-configuration2/2.8.0/6a76acbe14d2c01d4758a57171f3f6a150dbd462/commons-configuration2-2.8.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-configuration2/2.8.0/6a76acbe14d2c01d4758a57171f3f6a150dbd462/commons-configuration2-2.8.0.jar

Found in HEAD commit: 45e73c43e36926a8a03b094ec1ea254f5de91beb

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (hdfs-fixture version) Remediation Possible**
CVE-2023-5685 High 7.5 xnio-api-3.8.8.Final.jar Transitive N/A*
CVE-2023-52428 High 7.5 nimbus-jose-jwt-9.31.jar Transitive N/A*
CVE-2023-50572 Medium 5.5 jline-3.22.0.jar Transitive N/A*
CVE-2024-29133 Medium 4.4 commons-configuration2-2.8.0.jar Transitive N/A*
CVE-2024-29131 Medium 4.4 commons-configuration2-2.8.0.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-5685

Vulnerable Library - xnio-api-3.8.8.Final.jar

The API JAR of the XNIO project

Library home page: http://www.jboss.org/xnio

Path to dependency file: /plugins/repository-hdfs/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jboss.xnio/xnio-api/3.8.8.Final/1ba9c8b9a8dea1c6cd656155943e6d4c2c631fa7/xnio-api-3.8.8.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jboss.xnio/xnio-api/3.8.8.Final/1ba9c8b9a8dea1c6cd656155943e6d4c2c631fa7/xnio-api-3.8.8.Final.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jboss.xnio/xnio-api/3.8.8.Final/1ba9c8b9a8dea1c6cd656155943e6d4c2c631fa7/xnio-api-3.8.8.Final.jar

Dependency Hierarchy:

  • hdfs-fixture-3.0.0-SNAPSHOT (Root Library)
    • kerb-admin-2.0.3.jar
      • :x: xnio-api-3.8.8.Final.jar (Vulnerable Library)

Found in HEAD commit: 45e73c43e36926a8a03b094ec1ea254f5de91beb

Found in base branch: main

Vulnerability Details

A flaw was found in XNIO. The XNIO NotifierState that can cause a Stack Overflow Exception when the chain of notifier states becomes problematically large can lead to uncontrolled resource management and a possible denial of service (DoS).

Publish Date: 2024-03-22

URL: CVE-2023-5685

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

CVE-2023-52428

Vulnerable Library - nimbus-jose-jwt-9.31.jar

Java library for Javascript Object Signing and Encryption (JOSE) and JSON Web Tokens (JWT)

Library home page: https://bitbucket.org/connect2id/nimbus-jose-jwt

Path to dependency file: /test/fixtures/hdfs-fixture/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.31/229ba7b31d1f886968896c48aeeba5a1586b00bc/nimbus-jose-jwt-9.31.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.nimbusds/nimbus-jose-jwt/9.31/229ba7b31d1f886968896c48aeeba5a1586b00bc/nimbus-jose-jwt-9.31.jar

Dependency Hierarchy:

  • hdfs-fixture-3.0.0-SNAPSHOT (Root Library)
    • hadoop-minicluster-3.4.0.jar
      • hadoop-common-3.4.0.jar
        • hadoop-auth-3.4.0.jar
          • :x: nimbus-jose-jwt-9.31.jar (Vulnerable Library)

Found in HEAD commit: 45e73c43e36926a8a03b094ec1ea254f5de91beb

Found in base branch: main

Vulnerability Details

In Connect2id Nimbus JOSE+JWT before 9.37.2, an attacker can cause a denial of service (resource consumption) via a large JWE p2c header value (aka iteration count) for the PasswordBasedDecrypter (PBKDF2) component.

Publish Date: 2024-02-11

URL: CVE-2023-52428

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-52428

Release Date: 2024-02-11

Fix Resolution: com.nimbusds:nimbus-jose-jwt:9.37.2

CVE-2023-50572

Vulnerable Library - jline-3.22.0.jar

Path to dependency file: /test/fixtures/hdfs-fixture/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jline/jline/3.22.0/512dde71f1ba9cb87f318e4e1e3acc77dc67a712/jline-3.22.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jline/jline/3.22.0/512dde71f1ba9cb87f318e4e1e3acc77dc67a712/jline-3.22.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jline/jline/3.22.0/512dde71f1ba9cb87f318e4e1e3acc77dc67a712/jline-3.22.0.jar

Dependency Hierarchy:

  • hdfs-fixture-3.0.0-SNAPSHOT (Root Library)
    • kerb-admin-2.0.3.jar
      • :x: jline-3.22.0.jar (Vulnerable Library)

Found in HEAD commit: 45e73c43e36926a8a03b094ec1ea254f5de91beb

Found in base branch: main

Vulnerability Details

An issue in the component GroovyEngine.execute of jline-groovy v3.24.1 allows attackers to cause an OOM (OutofMemory) error.

Publish Date: 2023-12-29

URL: CVE-2023-50572

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-12-29

Fix Resolution: org.jline:jline-console:3.25.0,org.jline:jline:3.25.0

CVE-2024-29133

Vulnerable Library - commons-configuration2-2.8.0.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: https://commons.apache.org/proper/commons-configuration/

Path to dependency file: /test/fixtures/hdfs-fixture/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-configuration2/2.8.0/6a76acbe14d2c01d4758a57171f3f6a150dbd462/commons-configuration2-2.8.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-configuration2/2.8.0/6a76acbe14d2c01d4758a57171f3f6a150dbd462/commons-configuration2-2.8.0.jar

Dependency Hierarchy:

  • hdfs-fixture-3.0.0-SNAPSHOT (Root Library)
    • hadoop-minicluster-3.4.0.jar
      • hadoop-common-3.4.0.jar
        • :x: commons-configuration2-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 45e73c43e36926a8a03b094ec1ea254f5de91beb

Found in base branch: main

Vulnerability Details

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Publish Date: 2024-03-21

URL: CVE-2024-29133

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/ccb9w15bscznh6tnp3wsvrrj9crbszh2

Release Date: 2024-03-21

Fix Resolution: org.apache.commons:commons-configuration2:2.10.1

CVE-2024-29131

Vulnerable Library - commons-configuration2-2.8.0.jar

Tools to assist in the reading of configuration/preferences files in various formats

Library home page: https://commons.apache.org/proper/commons-configuration/

Path to dependency file: /test/fixtures/hdfs-fixture/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-configuration2/2.8.0/6a76acbe14d2c01d4758a57171f3f6a150dbd462/commons-configuration2-2.8.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-configuration2/2.8.0/6a76acbe14d2c01d4758a57171f3f6a150dbd462/commons-configuration2-2.8.0.jar

Dependency Hierarchy:

  • hdfs-fixture-3.0.0-SNAPSHOT (Root Library)
    • hadoop-minicluster-3.4.0.jar
      • hadoop-common-3.4.0.jar
        • :x: commons-configuration2-2.8.0.jar (Vulnerable Library)

Found in HEAD commit: 45e73c43e36926a8a03b094ec1ea254f5de91beb

Found in base branch: main

Vulnerability Details

Out-of-bounds Write vulnerability in Apache Commons Configuration.This issue affects Apache Commons Configuration: from 2.0 before 2.10.1.

Users are recommended to upgrade to version 2.10.1, which fixes the issue.

Publish Date: 2024-03-21

URL: CVE-2024-29131

CVSS 3 Score Details (4.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/03nzzzjn4oknyw5y0871tw7ltj0t3r37

Release Date: 2024-03-21

Fix Resolution: org.apache.commons:commons-configuration2:2.10.1

mend-for-github-com[bot] avatar Jun 11 '24 15:06 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jun 11 '24 16:06 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jun 13 '24 17:06 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jun 14 '24 20:06 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jun 14 '24 21:06 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jun 17 '24 14:06 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jun 19 '24 23:06 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jun 20 '24 17:06 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jun 22 '24 16:06 mend-for-github-com[bot]

[Triage - attendees 1 2 3] @mingshl Can you look into this, seems like this has been a systemic issue that is still not resolved?

peternied avatar Jun 26 '24 15:06 peternied

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jun 27 '24 17:06 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jun 28 '24 19:06 mend-for-github-com[bot]

[Catch All Triage - Attendees 1, 2, 3, 4, 5]

dblock avatar Jul 01 '24 16:07 dblock

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jul 01 '24 23:07 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jul 08 '24 15:07 mend-for-github-com[bot]

[Catch All Triage, attendees 1, 2, 3, 4, 5, 6, 7]

dblock avatar Jul 08 '24 16:07 dblock

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jul 09 '24 19:07 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jul 22 '24 17:07 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jul 22 '24 18:07 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jul 22 '24 21:07 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jul 24 '24 12:07 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jul 29 '24 15:07 mend-for-github-com[bot]

Can someone from storage please take a look of why mend keeps opening and closing this issue? @gbbafna?

[Catch All Triage - 1, 2, 3]

dblock avatar Jul 29 '24 16:07 dblock

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Jul 31 '24 04:07 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Jul 31 '24 13:07 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Aug 02 '24 20:08 mend-for-github-com[bot]

@gbbafna This keeps being opened then closed then reopened, help investigate?

dblock avatar Aug 05 '24 20:08 dblock

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Aug 07 '24 17:08 mend-for-github-com[bot]

:heavy_check_mark: This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

mend-for-github-com[bot] avatar Aug 09 '24 05:08 mend-for-github-com[bot]

:information_source: This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.

mend-for-github-com[bot] avatar Aug 12 '24 13:08 mend-for-github-com[bot]

cc: @varun-lodaya @gbbafna

dblock avatar Aug 12 '24 16:08 dblock