ruby-concurrency/thread_safe

CVE-2011-4838

samdai opened this issue · 2 comments

I used the latest version, 0.3.5, of the thread_safe gem in my project, but when I use sonarqube to scan my code, it reports one "Using Components with Known Vulnerabilities." issue caused by thread_safe, for example CVE-2011-4838. I want to ask: is thread_safe version 0.3.5 subject to the CVE-2011-4838 vulnerability?

Filename: jruby_cache_backend.jar | Reference: CVE-2011-4838 | CVSS Score: 7.8 | Category: CWE-20 Improper Input Validation | JRuby before 1.6.5.1 computes hash values without restricting the ability to trigger hash collisions predictably, which allows context-dependent attackers to cause a denial of service (CPU consumption) via crafted input to an application that maintains a hash table.
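
As an added illustration for this thread (not code from the thread_safe project or from either commenter), the Ruby script below shows the class of problem the CVE text above describes and how to check the runtime you actually execute on. A toy, unseeded string hash lets an attacker enumerate keys offline that all land in one bucket; a per-process random seed breaks that precomputation; and spawning two fresh interpreters shows whether your own Ruby (MRI or JRuby) randomises String#hash. The toy hash, the bucket count and all helper names are assumptions made for the example; the CVE describes a property of the JRuby interpreter, and the last check reports which kind of runtime you are on.

```ruby
# Added example for this thread; not code from thread_safe or the commenters.
# Everything below (toy hash, bucket count, helper names) is constructed for
# illustration of the hash-collision DoS class that CVE-2011-4838 describes.
require "rbconfig"

BUCKETS  = 1024                 # toy hash table size (power of two, like real tables)
ALPHABET = ("a".."z").to_a
MASK32   = 0xFFFF_FFFF

# Toy 32-bit string hash: FNV-1a body plus a murmur3-style finaliser so that all
# 32 bits, including the seed, influence the low bits that select the bucket.
# seed = 0 models an unseeded runtime; a random seed models the mitigation.
def toy_hash(str, seed = 0)
  h = (0x811C9DC5 ^ seed) & MASK32
  str.each_byte { |b| h = ((h ^ b) * 0x01000193) & MASK32 }
  h ^= h >> 16
  h = (h * 0x85EBCA6B) & MASK32
  h ^= h >> 13
  h = (h * 0xC2B2AE35) & MASK32
  h ^ (h >> 16)
end

def bucket_of(str, seed = 0)
  toy_hash(str, seed) % BUCKETS
end

# Attacker side: with no seed the hash is fully predictable, so colliding keys
# can be enumerated offline once and replayed against every victim.
def colliding_keys(target_bucket, count, seed = 0)
  keys = []
  i = 0
  while keys.size < count && i < ALPHABET.size**4
    key = 4.times.map { |pos| ALPHABET[(i / ALPHABET.size**pos) % ALPHABET.size] }.join
    keys << key if bucket_of(key, seed) == target_bucket
    i += 1
  end
  keys
end

# Victim side: the largest bucket the attacker's keys produce under the
# victim's seed. Lookups cost O(bucket size), which is the CPU-exhaustion lever.
def max_bucket_load(keys, seed)
  keys.group_by { |k| bucket_of(k, seed) }.values.map(&:size).max
end

# Runtime check: String#hash in two freshly spawned interpreters. A runtime
# with per-process hash seeding (MRI 1.9+, JRuby from 1.6.5.1) returns
# different values; an unseeded runtime returns the same value every time.
def string_hash_in_fresh_process(str)
  IO.popen([RbConfig.ruby, "-e", "print #{str.inspect}.hash"], &:read).to_i
end

def string_hash_randomized?
  string_hash_in_fresh_process("thread_safe") != string_hash_in_fresh_process("thread_safe")
end

if __FILE__ == $0
  keys = colliding_keys(7, 64)
  puts "attacker's 64 keys, unseeded victim: largest bucket = #{max_bucket_load(keys, 0)}"
  puts "same 64 keys, seeded victim:         largest bucket = #{max_bucket_load(keys, rand(2**32))}"
  puts "this interpreter randomises String#hash per process: #{string_hash_randomized?}"
end
```

Run it with the Ruby you deploy on (for JRuby, `jruby script.rb`); the first two lines show why a predictable hash is exploitable and why a seed defeats the precomputed key set, and the last line is the check that actually answers whether the runtime, not a gem's jar, has the mitigation.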

@samdai this is a completely spurious and incorrect warning; it makes no sense. I think what is happening is that sonarqube thinks jruby_cache_backend.jar is a complete bundled JRuby runtime/environment (completely wrong), then it somehow misattributes thread_safe's 0.3.5 version to that imaginary bundled JRuby. In the end it thinks there is a JRuby v0.3.5 in that jruby_cache_backend.jar, which is bonkers.

@thedarkone, thanks for your reply. I have confirmed with the guys at sonarqube: the rule "Using Components with Known Vulnerabilities." is not from a sonarqube plugin, it is from a third-party plugin. I will post this issue to the provider of that plugin.