serverlessworkflow-api-4.0.4.Final.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Question

serverlessworkflow-api-4.0.4.Final.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

mend-for-github-com opened this issue a year ago · 1 comments

mend-for-github-com commented a year ago

Vulnerable Library - serverlessworkflow-api-4.0.4.Final.jar

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar

Found in HEAD commit: d9d6bd3ab59971d099644378433aab2e4f88ed1a

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (serverlessworkflow-api version)	Remediation Possible**
CVE-2023-5072	High	7.5	json-20230618.jar	Transitive	4.0.5.Final	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-5072

Vulnerable Library - json-20230618.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

    The files in this package implement JSON encoders/decoders in Java.
    It also includes the capability to convert between JSON and XML, HTTP
    headers, Cookies, and CDL.

    This is a reference implementation. There is a large number of JSON packages
    in Java. Perhaps someday the Java community will standardize on one. Until
    then, choose carefully.</p>

Path to dependency file: /core/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.json/json/20230618/1ae16df7d556d02713e241086f878399e99260d6/json-20230618.jar

Dependency Hierarchy:

serverlessworkflow-api-4.0.4.Final.jar (Root Library)
- ❌ json-20230618.jar (Vulnerable Library)

Found in HEAD commit: d9d6bd3ab59971d099644378433aab2e4f88ed1a

Found in base branch: main

Vulnerability Details

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

Publish Date: 2023-10-12

URL: CVE-2023-5072

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rm7j-f5g5-27vv

Release Date: 2023-10-12

Fix Resolution (org.json:json): 20231013

Direct dependency fix Resolution (io.serverlessworkflow:serverlessworkflow-api): 4.0.5.Final

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Answer 1 · 2024-02-12T20:07:53.000Z

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.