swagger-codegen icon indicating copy to clipboard operation
swagger-codegen copied to clipboard

Published 20 hours ago verified publisher icon swagger-api

CVE-2017-5929 (High) detected in logback-core-1.1.3.jar, logback-classic-1.1.3.jar

Open mend-for-github-com[bot] opened this issue 3 years ago • 0 comments

CVE-2017-5929 - High Severity Vulnerability

Vulnerable Libraries - logback-core-1.1.3.jar, logback-classic-1.1.3.jar

logback-core-1.1.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /samples/client/petstore/java/retrofit2-play24/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.3/e3c02049f2dbbc764681b40094ecf0dcbc99b157/logback-core-1.1.3.jar

Dependency Hierarchy:

  • play-java-ws_2.11-2.4.11.jar (Root Library)
    • play_2.11-2.4.11.jar
      • :x: logback-core-1.1.3.jar (Vulnerable Library)
logback-classic-1.1.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /samples/client/petstore/java/retrofit2-play24/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.3/d90276fff414f06cb375f2057f6778cd63c6082f/logback-classic-1.1.3.jar

Dependency Hierarchy:

  • play-java-ws_2.11-2.4.11.jar (Root Library)
    • play_2.11-2.4.11.jar
      • :x: logback-classic-1.1.3.jar (Vulnerable Library)

Found in HEAD commit: 4b7a8d7d7384aa6a27d6309c35ade0916edae7ed

Found in base branches: 3.0.0, master

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High
For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

Release Date: 2017-03-13

Fix Resolution (ch.qos.logback:logback-core): 1.1.6

Direct dependency fix Resolution (com.typesafe.play:play-java-ws_2.11): 2.5.0

Fix Resolution (ch.qos.logback:logback-classic): 1.2.0

Direct dependency fix Resolution (com.typesafe.play:play-java-ws_2.11): 2.5.0

  • [ ] Check this box to open an automated fix PR

mend-for-github-com[bot] avatar Dec 29 '21 22:12 mend-for-github-com[bot]