WS-2019-0490 (High) detected in jcommander-1.64.jar

Question

WS-2019-0490 (High) detected in jcommander-1.64.jar

Closed this issue 4 years ago · 1 comments

mend-bolt-for-github commented 4 years ago

WS-2019-0490 - High Severity Vulnerability

Vulnerable Library - jcommander-1.64.jar

Command line parsing

Library home page: http://jcommander.org

Path to dependency file: ApkSize-Analyzer/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.beust/jcommander/1.64/456a985ac9b12d34820e4d5de063b2c2fc43ed5a/jcommander-1.64.jar

Dependency Hierarchy:

apkanalyzer-27.0.1.jar (Root Library)
- baksmali-2.2.4.jar
  - ❌ jcommander-1.64.jar (Vulnerable Library)

Found in HEAD commit: 194e141236cff70db326c0ec4edb25b034178df5

Found in base branch: main

Vulnerability Details

Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.

Publish Date: 2019-02-19

URL: WS-2019-0490

CVSS 3 Score Details (8.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: cbeust/jcommander#465

Release Date: 2019-02-19

Fix Resolution: com.beust:jcommander:1.75

Step up your Open Source Security Game with WhiteSource here

Answer 1 · 2020-12-08T08:20:24.000Z

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.