stocator-1.1.5.jar: 7 vulnerabilities (highest severity is: 9.8)
Hi team,
I am currently detecting Mend vulnerabilities in our Spark application, which utilizes the IBM Stocator library to interact with an IBM Cloud Object Storage (COS) bucket.
Additionally, I have observed on the Maven repository that the Stocator tool has not been maintained since August 25, 2022: https://mvnrepository.com/artifact/com.ibm.stocator/stocator/1.1.5
Could someone assist with updating the dependency versions and publishing an updated version of the Stocator library?
Vulnerable Library - stocator-1.1.5.jar
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/junit/junit/jars/junit-4.10.jar
Vulnerabilities
| CVE | Severity | Dependency | Type | Fixed in (stocator version) | Remediation Possible** |
|---|---|---|---|---|---|
| CVE-2019-10202 | 9.8 | jackson-mapper-asl-1.9.13.jar | Transitive | N/A* | ❌ |
| CVE-2022-31159 | 7.9 | aws-java-sdk-s3-1.12.249.jar | Transitive | N/A* | ❌ |
| CVE-2024-21634 | 7.5 | ion-java-1.0.2.jar | Transitive | N/A* | ❌ |
| CVE-2019-10172 | 7.5 | jackson-mapper-asl-1.9.13.jar | Transitive | N/A* | ❌ |
| CVE-2023-2976 | 5.5 | guava-30.0-jre.jar | Transitive | N/A* | ❌ |
| CVE-2024-29025 | 5.3 | netty-codec-http-4.1.77.Final.jar | Transitive | N/A* | ❌ |
| CVE-2020-15250 | 4.4 | junit-4.10.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
**In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2019-10202
Vulnerable Library - jackson-mapper-asl-1.9.13.jar
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Library home page: http://fasterxml.com
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.codehaus.jackson/jackson-mapper-asl/jars/jackson-mapper-asl-1.9.13.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - :x: jackson-mapper-asl-1.9.13.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0
CVE-2022-31159
Vulnerable Library - aws-java-sdk-s3-1.12.249.jar
The AWS Java SDK for Amazon S3 module holds the client classes that are used for communicating with Amazon Simple Storage Service
Library home page: https://aws.amazon.com/sdkforjava
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.amazonaws/aws-java-sdk-s3/jars/aws-java-sdk-s3-1.12.249.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - aws-java-sdk-1.12.249.jar
    - :x: aws-java-sdk-s3-1.12.249.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
The AWS SDK for Java enables Java developers to work with Amazon Web Services. A partial-path traversal issue exists within the downloadDirectory method in the AWS S3 TransferManager component of the AWS SDK for Java v1 prior to version 1.12.261. Applications using the SDK control the destinationDirectory argument, but S3 object keys are determined by the application that uploaded the objects. The downloadDirectory method allows the caller to pass a filesystem object in the object key but contained an issue in the validation logic for the key name. A knowledgeable actor could bypass the validation logic by including a UNIX double-dot in the bucket key. Under certain conditions, this could permit them to retrieve a directory from their S3 bucket that is one level up in the filesystem from their working directory. This issue's scope is limited to directories whose name prefix matches the destinationDirectory. E.g. for destination directory /tmp/foo, the actor can cause a download to /tmp/foo-bar, but not /tmp/bar. If com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory is used to download an untrusted bucket's contents, the contents of that bucket can be written outside of the intended destination directory. Version 1.12.261 contains a patch for this issue. As a workaround, when calling com.amazonaws.services.s3.transfer.TransferManager::downloadDirectory, pass a KeyFilter that rejects any S3ObjectSummary whose getKey method returns a string containing the substring `..`.
Publish Date: 2022-07-15
URL: CVE-2022-31159
CVSS 3 Score Details (7.9)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://github.com/aws/aws-sdk-java/security/advisories/GHSA-c28r-hw5m-5gv3
Release Date: 2022-07-15
Fix Resolution: com.amazonaws:aws-java-sdk-s3:1.12.261
CVE-2024-21634
Vulnerable Library - ion-java-1.0.2.jar
A Java implementation of the Amazon Ion data notation.
Library home page: https://github.com/amznlabs/ion-java/
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/software.amazon.ion/ion-java/bundles/ion-java-1.0.2.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - aws-java-sdk-1.12.249.jar
    - aws-java-sdk-proton-1.12.249.jar
      - aws-java-sdk-core-1.12.249.jar
        - :x: ion-java-1.0.2.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Amazon Ion is a Java implementation of the Ion data notation. Prior to version 1.10.5, a potential denial-of-service issue exists in ion-java for applications that use ion-java to deserialize Ion text encoded data, or deserialize Ion text or binary encoded data into the IonValue model and then invoke certain IonValue methods on that in-memory representation. An actor could craft Ion data that, when loaded by the affected application and/or processed using the IonValue model, results in a StackOverflowError originating from the ion-java library. The patch is included in ion-java 1.10.5. As a workaround, do not load data which originated from an untrusted source or that could have been tampered with.
Publish Date: 2024-01-03
URL: CVE-2024-21634
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://github.com/amazon-ion/ion-java/security/advisories/GHSA-264p-99wq-f4j6
Release Date: 2024-01-03
Fix Resolution: com.amazon.ion:ion-java:1.10.5
CVE-2019-10172
Vulnerable Library - jackson-mapper-asl-1.9.13.jar
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Library home page: http://fasterxml.com
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/org.codehaus.jackson/jackson-mapper-asl/jars/jackson-mapper-asl-1.9.13.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - :x: jackson-mapper-asl-1.9.13.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity (XXE) vulnerabilities similar to CVE-2016-3720 also affect the Codehaus jackson-mapper-asl libraries, but in different classes.
Publish Date: 2019-11-18
URL: CVE-2019-10172
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: High
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172
Release Date: 2019-11-18
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1
CVE-2023-2976
Vulnerable Library - guava-30.0-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/com.google.guava/guava/bundles/guava-30.0-jre.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - :x: guava-30.0-jre.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Mend Note: Even though the security vulnerability is fixed in version 32.0.0, maintainers recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: Low
  - Privileges Required: Low
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/advisories/GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution: com.google.guava:guava:32.0.1-android,32.0.1-jre
CVE-2024-29025
Vulnerable Library - netty-codec-http-4.1.77.Final.jar
Library home page: https://netty.io/
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/io.netty/netty-codec-http/jars/netty-codec-http-4.1.77.Final.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - aws-java-sdk-1.12.249.jar
    - aws-java-sdk-kinesisvideo-1.12.249.jar
      - :x: netty-codec-http-4.1.77.Final.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The HttpPostRequestDecoder can be tricked into accumulating data. While the decoder can store items on disk if configured to do so, there is no limit on the number of fields a form can have, so an attacker can send a chunked POST consisting of many small fields that will be accumulated in the bodyListHttpData list. The decoder accumulates bytes in the undecodedChunk buffer until it can decode a field, and this field can accumulate data without limit. This vulnerability is fixed in 4.1.108.Final.
Publish Date: 2024-03-25
URL: CVE-2024-29025
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-29025
Release Date: 2024-03-25
Fix Resolution: io.netty:netty-codec-http:4.1.108.Final
CVE-2020-15250
Vulnerable Library - junit-4.10.jar
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
Library home page: http://www.junit.org
Path to vulnerable library: /home/wss-scanner/.ivy2/cache/junit/junit/jars/junit-4.10.jar
Dependency Hierarchy:
- stocator-1.1.5.jar (Root Library)
  - json-simple-1.1.1.jar
    - :x: junit-4.10.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Local
  - Attack Complexity: High
  - Privileges Required: Low
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/junit-team/junit4/security/advisories/GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1