Fix CVE on this plugin itself #7156

Open
jycr opened this issue Nov 14, 2024 · 0 comments
jycr commented Nov 14, 2024

Describe the bug
We use your great plugin on our projects with the following configuration:

```xml
<scanPlugins>true</scanPlugins>
```

So dependency-check-maven reports some CVEs, including CVEs from dependency-check-maven itself.

Version of dependency-check used
The problem occurs using version 11.1.0 of the Maven plugin.

Log file

| DependencyName | Description | Sha1 | Identifiers | CPE | CVE | CWE | Vulnerability | Source | CVSSv2_Severity | CVSSv2_Score | CVSSv2 | CVSSv3_BaseSeverity | CVSSv3_BaseScore | CVSSv3 |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| h2-2.3.232.jar | H2 Database Engine | 4fcc05d966ccdb2812ae8b9a718f69226c0cf4e2 | pkg:maven/com.h2database/h2@2.3.232 | cpe:2.3:a:h2database:h2:2.3.232:::::::* | CVE-2018-14335 | CWE-59 Improper Link Resolution Before File Access ('Link Following') | h2database - Improper Link Resolution Before File Access. The software attempts to access a file based on the filename, but it does not properly prevent that filename from identifying a link or shortcut that resolves to an unintended resource. | OSSINDEX | | | | MEDIUM | 6.0 | CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| javax.json-1.1.4.jar | Default provider for JSR 374: Java API for Processing JSON | 943f240a509d3c70b448a55c6735591ecbd37c88 | pkg:maven/org.glassfish/javax.json@1.1.4 | | CVE-2023-7272 | CWE-787 Out-of-bounds Write | In Eclipse Parsson before 1.0.4 and 1.1.3, a document with a large depth of nested objects can allow an attacker to cause a Java stack overflow exception and denial of service. Eclipse Parsson allows processing (e.g. parse, generate, transform and query) JSON documents. | OSSINDEX | | | | HIGH | 8.699999809265137 | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N |
| logback-core-1.2.11.jar | logback-core module | a01230df5ca5c34540cdaa3ad5efb012f1f1f792 | pkg:maven/ch.qos.logback/logback-core@1.2.11 | cpe:2.3:a:qos:logback:1.2.11:::::::* | CVE-2023-6378 | CWE-502 Deserialization of Untrusted Data | A serialization vulnerability in logback receiver component part of logback version 1.4.11 allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. | NVD | | | | HIGH | 7.5 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H/E:3.9/RC:R/MAV:A |
| maven-core-3.6.3.jar | Maven Core classes | eca800aa73e750ec9a880eb224f0bb68f5b7873b | pkg:maven/org.apache.maven/maven-core@3.6.3 | cpe:2.3:a:apache:maven:3.6.3:::::::* | CVE-2021-26291 | CWE-346 Origin Validation Error | Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html | NVD | MEDIUM | 6.4 | /AV:N/AC:L/Au:N/C:P/I:P/A:N | CRITICAL | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N/E:3.9/RC:R/MAV:A |
| maven-settings-3.6.3.jar | Maven Settings model | bbf4e06dcdb0bb33d1546c080df5c8d92b535d30 | pkg:maven/org.apache.maven/maven-settings@3.6.3 | | CVE-2021-26291 | CWE-346 Origin Validation Error | Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html | OSSINDEX | | | | CRITICAL | 9.100000381469727 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |

To Reproduce
Steps to reproduce the behavior:

1. Go to the root of this project.
2. Launch the following command:
   ```shell
   mvn org.owasp:dependency-check-maven:RELEASE:aggregate -Dformat=all
   ```
3. Go to the `target/` repository to see the report.

Expected behavior
Upgrade dependencies to fix the issue (javax.json can be replaced with org.glassfish:jakarta.json:2.0.1).
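The report above is easier to act on once it is reduced to one effective score per dependency, which is the same comparison the plugin's own CVSS threshold makes. The following script is an added example, not code from the issue author or from the dependency-check project: it parses a CSV report with the column names quoted in this issue (assumed to match the plugin's CSV format; the embedded rows are constructed from the table above, not a real report file), prefers the CVSSv3 base score and falls back to CVSSv2 when v3 is empty, rounds the float noise the report carries (8.699999809265137), and lists the dependencies whose worst finding meets a chosen threshold, plus the set of distinct CVEs so that a finding reported by both NVD and OSSINDEX counts once.

```python
"""Triage a dependency-check CSV report against a CVSS threshold.

Added example; not part of the issue or of the dependency-check project.
Column names are assumed to match the subset quoted in the issue's log.
"""
import csv
import io

# Constructed sample: a subset of the columns from the issue's report,
# with the same dependencies, sources and scores. Empty cells are kept
# empty because the real report leaves CVSSv2 blank for OSSINDEX rows.
SAMPLE_CSV = """DependencyName,CVE,Source,CVSSv2_Severity,CVSSv2_Score,CVSSv3_BaseSeverity,CVSSv3_BaseScore
h2-2.3.232.jar,CVE-2018-14335,OSSINDEX,,,MEDIUM,6.0
javax.json-1.1.4.jar,CVE-2023-7272,OSSINDEX,,,HIGH,8.699999809265137
logback-core-1.2.11.jar,CVE-2023-6378,NVD,,,HIGH,7.5
maven-core-3.6.3.jar,CVE-2021-26291,NVD,MEDIUM,6.4,CRITICAL,9.1
maven-settings-3.6.3.jar,CVE-2021-26291,OSSINDEX,,,CRITICAL,9.100000381469727
"""


def parse_report(text):
    """Return the report rows as dicts keyed by the CSV header."""
    return list(csv.DictReader(io.StringIO(text)))


def effective_score(row):
    """Prefer the CVSSv3 base score, fall back to CVSSv2, else None.

    Scores are rounded to one decimal because the report serialises
    floats with binary noise (8.699999809265137 means 8.7).
    """
    for col in ("CVSSv3_BaseScore", "CVSSv2_Score"):
        raw = (row.get(col) or "").strip()
        if raw:
            return round(float(raw), 1)
    return None


def worst_per_dependency(rows):
    """Map dependency name -> (CVE, score) of its highest-scoring finding."""
    worst = {}
    for row in rows:
        score = effective_score(row)
        if score is None:
            continue  # row carries no usable score; nothing to rank
        name = row["DependencyName"]
        if name not in worst or score > worst[name][1]:
            worst[name] = (row["CVE"], score)
    return worst


def failing(rows, threshold):
    """Dependencies whose worst finding is at or above the threshold,
    sorted by name: the set that a failBuildOnCVSS-style gate would stop."""
    return sorted(
        (name, cve, score)
        for name, (cve, score) in worst_per_dependency(rows).items()
        if score >= threshold
    )


def unique_cves(rows):
    """Distinct CVE ids, so a CVE seen from both NVD and OSSINDEX counts once."""
    return {row["CVE"] for row in rows if row.get("CVE")}


if __name__ == "__main__":
    report = parse_report(SAMPLE_CSV)
    for name, cve, score in failing(report, 7.0):
        print(f"{name}: {cve} (effective score {score})")
    print("distinct CVEs:", ", ".join(sorted(unique_cves(report))))
```

Run against the constructed sample with a threshold of 7.0, the h2 row (6.0) drops out and the remaining four dependencies are listed, while the two Maven artifacts collapse to the single CVE-2021-26291. Pointing `parse_report` at the contents of `target/dependency-check-report.csv` gives the same triage for a real run.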
