labsai/EDDI

keycloak-server-spi-private-21.0.2.jar: 1 vulnerabilities (highest severity is: 4.3) - autoclosed

mend-bolt-for-github opened this issue · 1 comments

mend-bolt-for-github commented
Vulnerable Library - keycloak-server-spi-private-21.0.2.jar

Library home page: http://keycloak.org

Path to dependency file: /pom.xml

Path to vulnerable library: /target/quarkus-app/lib/main/org.keycloak.keycloak-server-spi-private-21.0.2.jar,/home/wss-scanner/.m2/repository/org/keycloak/keycloak-server-spi-private/21.0.2/keycloak-server-spi-private-21.0.2.jar

Found in HEAD commit: 7664dbb2a09fe36117ac9a7e072a10600a02d0c8

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (keycloak-server-spi-private version) Remediation Possible**
CVE-2023-2585 Medium 4.3 keycloak-server-spi-private-21.0.2.jar Direct 21.1.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-2585

Vulnerable Library - keycloak-server-spi-private-21.0.2.jar

Library home page: http://keycloak.org

Path to dependency file: /pom.xml

Path to vulnerable library: /target/quarkus-app/lib/main/org.keycloak.keycloak-server-spi-private-21.0.2.jar,/home/wss-scanner/.m2/repository/org/keycloak/keycloak-server-spi-private/21.0.2/keycloak-server-spi-private-21.0.2.jar

Dependency Hierarchy:

  • keycloak-server-spi-private-21.0.2.jar (Vulnerable Library)

Found in HEAD commit: 7664dbb2a09fe36117ac9a7e072a10600a02d0c8

Found in base branch: main

Vulnerability Details

Client Spoofing within the Keycloak Device Authorisation Grant

Publish Date: 2023-05-09

URL: CVE-2023-2585

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f5h4-wmp5-xhg6

Release Date: 2023-05-09

Fix Resolution: 21.1.2

Step up your Open Source Security Game with Mend here

mend-bolt-for-github commented

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.