You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/guava-21.0.jar
Dependency Hierarchy:
spigot-api-1.14.4-R0.1-SNAPSHOT (Root Library)
❌ guava-21.0.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/guava-21.0.jar
Dependency Hierarchy:
spigot-api-1.14.4-R0.1-SNAPSHOT (Root Library)
❌ guava-21.0.jar (Vulnerable Library)
Found in base branch: main
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/guava-21.0.jar
Vulnerabilities
Details
Vulnerable Library - gson-2.8.0.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/gson-2.8.0.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - snakeyaml-1.23.jar
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
The Alias feature in SnakeYAML 1.18 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution: org.yaml:snakeyaml:1.26
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - guava-21.0.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/guava-21.0.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1-jre, 24.1.1-android
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - guava-21.0.jar
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /build.gradle
Path to vulnerable library: /tmp/ws-ua_20200920214152_YOPGFG/downloadResource_HGXZPV/20200920214212/guava-21.0.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: v30.0
Step up your Open Source Security Game with WhiteSource here
The text was updated successfully, but these errors were encountered: