
Vulnerabilities in Latest Release of Plugin

Open. milindbangar79 opened this issue 1 year ago • 5 comments

Hi,

While trying to get the pitest-maven-plugin V1.15.6, I am seeing the following vulnerabilities, due to which our BOM vulnerability engine is not able to import the dependency/JAR.

Artifact: MAVEN - org.pitest:pitest-maven:1.15.6:jar
Dependencies (114)

Dependency: MAVEN - org.netbeans.lib:cvsclient:20060125:jar
  RejectReasons (2)
  RejectReason: 968ee164-ce17-4134-8549-de6af5e04ec6  Type: UNAPPROVED_LICENSE  License: Sun Public License
  RejectReason: 373a6bdd-2bf8-40e6-9000-053e4351edc3  Type: UNKNOWN_LICENSE_FOUND  License: Sun Public License

Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-gitexe:1.9.4:jar
  RejectReasons (6)
  RejectReason: a9fdae4a-0878-43c5-8072-8a2c1cbf9017  Type: VULNERABILITY  Name: CVE-2018-19486  CVSS Score v2: 7.5  Severity: high
    Description: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
  RejectReason: 6fc3fd31-072f-4a7d-8d2a-f89335c16fec  Type: VULNERABILITY  Name: CVE-2010-2542  CVSS Score v2: 7.5  Severity: high
    Description: Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.
  RejectReason: 391f5b22-9d0b-4712-a6cd-7610820b345d  Type: VULNERABILITY  Name: CVE-2015-7082  CVSS Score v2: 10  Severity: high
    Description: Multiple unspecified vulnerabilities in Git before 2.5.4, as used in Apple Xcode before 7.2, have unknown impact and attack vectors. NOTE: this CVE is associated only with Xcode use cases.
  RejectReason: 53a7dec0-cb40-4b74-a5f5-1d38f8cd8548  Type: VULNERABILITY  Name: CVE-2015-7545  CVSS Score v2: 7.5  Severity: high
    Description: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
  RejectReason: 591542f6-a1d6-4337-9861-da68a4232f8f  Type: VULNERABILITY  Name: CVE-2016-2324  CVSS Score v2: 10  Severity: high
    Description: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.
  RejectReason: 626377e5-c777-45dd-b5e6-c9261d761718  Type: VULNERABILITY  Name: CVE-2017-14867  CVSS Score v2: 9  Severity: high
    Description: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Dependency: MAVEN - commons-lang:commons-lang:2.6:jar (SEAL Component ID: 2079390)

Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-git-commons:1.9.4:jar
  RejectReasons (4)
  RejectReason: 1ae05f9a-eba9-4ccc-8b1d-cd629442b24b  Type: VULNERABILITY  Name: CVE-2010-2542  CVSS Score v2: 7.5  Severity: high
    Description: Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.
  RejectReason: 66fc47e8-69cb-4365-90f6-9ecde401927a  Type: VULNERABILITY  Name: CVE-2015-7082  CVSS Score v2: 10  Severity: high
    Description: Multiple unspecified vulnerabilities in Git before 2.5.4, as used in Apple Xcode before 7.2, have unknown impact and attack vectors. NOTE: this CVE is associated only with Xcode use cases.
  RejectReason: 7c82e905-65b4-4a95-befc-37ffe3935dba  Type: VULNERABILITY  Name: CVE-2015-7545  CVSS Score v2: 7.5  Severity: high
    Description: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
  RejectReason: 7ebf4f1d-855d-4723-bd6f-e346d0b11b40  Type: VULNERABILITY  Name: CVE-2017-14867  CVSS Score v2: 9  Severity: high
    Description: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.

Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-svnexe:1.9.4:jar
  RejectReasons (1)
  RejectReason: 44d50ba2-7f68-476f-8ec3-4cf15a338a75  Type: VULNERABILITY  Name: CVE-2017-9800  CVSS Score v2: 7.5  Severity: high
    Description: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-svn-commons:1.9.4:jar
  RejectReasons (1)
  RejectReason: 9120ea25-9b1d-47bc-8abc-bce1f00de9b6  Type: VULNERABILITY  Name: CVE-2017-9800  CVSS Score v2: 7.5  Severity: high
    Description: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.

As we are moving to JDK 21 for app development, not having the proper dependency becomes a blocker and we really want to use the plugin.

Thanks

milindbangar79, Jan 26 '24 16:01
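The scanner dump above is a flat run of `Dependency:` / `RejectReason:` / `Key: value` tokens, which is awkward to triage by eye. The following parser is an added example, not part of the issue or of pitest; it groups the findings per Maven coordinate and reports each dependency's CVE ids, highest CVSS v2 score and license findings. The sample input is a constructed, abridged excerpt built from the page's own values (descriptions shortened with "..."), and the field names and the `summarize` helper are assumptions about the scanner format rather than anything the scanner vendor documents.

```python
import re

# Constructed, abridged excerpt of the scanner dump quoted in the issue: ids, CVEs and
# coordinates are copied from the page, descriptions are shortened with "...".
SCAN_OUTPUT = (
    "Artifact: MAVEN - org.pitest:pitest-maven:1.15.6:jar Dependencies (114) "
    "Dependency: MAVEN - org.netbeans.lib:cvsclient:20060125:jar RejectReasons (2) "
    "RejectReason: 968ee164-ce17-4134-8549-de6af5e04ec6 Type: UNAPPROVED_LICENSE License: Sun Public License "
    "RejectReason: 373a6bdd-2bf8-40e6-9000-053e4351edc3 Type: UNKNOWN_LICENSE_FOUND License: Sun Public License "
    "Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-gitexe:1.9.4:jar RejectReasons (1) "
    "RejectReason: 626377e5-c777-45dd-b5e6-c9261d761718 Type: VULNERABILITY Name: CVE-2017-14867 "
    "CVSS Score v2: 9 Severity: high Description: Git before 2.10.5 ... uses unsafe Perl scripts ... "
    "Dependency: MAVEN - commons-lang:commons-lang:2.6:jar (SEAL Component ID: 2079390) "
    "Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-git-commons:1.9.4:jar RejectReasons (1) "
    "RejectReason: 7ebf4f1d-855d-4723-bd6f-e346d0b11b40 Type: VULNERABILITY Name: CVE-2017-14867 "
    "CVSS Score v2: 9 Severity: high Description: Git before 2.10.5 ... uses unsafe Perl scripts ..."
)

# Field markers the scanner emits; a value runs until the next marker or the next RejectReason.
KEY_RE = re.compile(r" (Type|Name|CVSS Score v2|Severity|License|Description): ")

def parse_reason(raw):
    """Turn one '<uuid> Key: value Key: value ...' run into a dict."""
    fields = KEY_RE.split(raw.strip())  # [uuid, key, value, key, value, ...]
    reason = {"id": fields[0]}
    for key, value in zip(fields[1::2], fields[2::2]):
        reason[key] = value.strip()
    if "CVSS Score v2" in reason:
        reason["CVSS Score v2"] = float(reason["CVSS Score v2"])
    return reason

def parse_scan(text):
    """Map each dependency's Maven coordinates to its list of reject reasons."""
    deps = {}
    for chunk in text.split("Dependency: ")[1:]:  # [0] is the Artifact header
        header, *reasons = chunk.split("RejectReason: ")
        coords = header.split()[2]  # "MAVEN - <group:artifact:version:type> ..."
        deps[coords] = [parse_reason(r) for r in reasons]
    return deps

def summarize(deps):
    """Per dependency: CVE ids, highest CVSS v2 score, and any license findings."""
    out = {}
    for coords, reasons in deps.items():
        vulns = [r for r in reasons if r.get("Type") == "VULNERABILITY"]
        out[coords] = {"cves": sorted(r["Name"] for r in vulns),
                       "max_cvss": max((r["CVSS Score v2"] for r in vulns), default=0.0),
                       "licenses": sorted({r["License"] for r in reasons if "License" in r})}
    return out
```

Running `summarize(parse_scan(SCAN_OUTPUT))` shows the same CVE attributed to both maven-scm git artifacts, which is why the thread's fix targets the SCM dependency versions rather than pitest's own code.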

Hi @milindbangar79,

It's not clear that this represents a real vulnerability in pitest. How would it be exploited?

hcoles, Jan 26 '24 16:01

Hi Henry,

We scan all open source software using Snyk, and if there are issues we can't use it in the organization, even though it cannot be exploited. So I am stuck on using the latest version. I tried v1.15.0, which came up with similar issues.

Any help would be greatly appreciated. Thanks in advance.

milindbangar79, Jan 29 '24 08:01

I'll take a look at this when I get chance, or you're welcome to submit a PR.

As it doesn't look to be an exploitable security issue it may take a while before I can look at it. If you need a faster response and don't want to submit a PR, JP Morgan might want to consider an arcmutate subscription.

https://www.arcmutate.com/

In addition to the extensions in functionality, it comes with priority support that includes the open source product.

hcoles, Jan 29 '24 16:01

Hi Henry,

Thanks for the response. I will look into it.

milindbangar79, Jan 30 '24 13:01

#1308 updates the maven vcs dependencies to their latest versions. This may or may not satisfy your vulnerability scanner.

hcoles, Feb 08 '24 12:02

@milindbangar79 did #1308 resolve the issue?

hcoles, Feb 27 '24 08:02

Closing as no response from OP.

hcoles, Apr 02 '24 07:04