Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 3 vulnerabilities (highest severity is: 7.5) - autoclosed #259

Closed
mend-for-github-com bot opened this issue Jul 27, 2023 · 2 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

Comments

@mend-for-github-com
Copy link
Contributor

mend-for-github-com bot commented Jul 27, 2023

Vulnerable Library - jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-xml/10.0.15/d30d139b35bf183757b7ef5372dec5096bc39a60/jetty-xml-10.0.15.jar

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jenkins-test-harness version) Remediation Possible**
CVE-2023-36478 High 7.5 jetty-http-10.0.15.jar Transitive N/A*
CVE-2023-40167 Medium 5.3 jetty-http-10.0.15.jar Transitive N/A*
WS-2023-0236 Low 3.9 jetty-xml-10.0.15.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-36478

Vulnerable Library - jetty-http-10.0.15.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/10.0.15/53c4702201c33501bc37a982e5325b5f11084a4e/jetty-http-10.0.15.jar

Dependency Hierarchy:

  • jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar (Root Library)
    • jetty-security-10.0.15.jar
      • jetty-server-10.0.15.jar
        • jetty-http-10.0.15.jar (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

Vulnerability Details

Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to
exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295
will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.

Publish Date: 2023-10-10

URL: CVE-2023-36478

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wgh7-54f2-x98r

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16

CVE-2023-40167

Vulnerable Library - jetty-http-10.0.15.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-http/10.0.15/53c4702201c33501bc37a982e5325b5f11084a4e/jetty-http-10.0.15.jar

Dependency Hierarchy:

  • jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar (Root Library)
    • jetty-security-10.0.15.jar
      • jetty-server-10.0.15.jar
        • jetty-http-10.0.15.jar (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

Vulnerability Details

Jetty is a Java based web server and servlet engine. Prior to versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1, Jetty accepts the + character proceeding the content-length value in a HTTP/1 header field. This is more permissive than allowed by the RFC and other servers routinely reject such requests with 400 responses. There is no known exploit scenario, but it is conceivable that request smuggling could result if jetty is used in combination with a server that does not close the connection after sending such a 400 response. Versions 9.4.52, 10.0.16, 11.0.16, and 12.0.1 contain a patch for this issue. There is no workaround as there is no known exploit scenario.

Publish Date: 2023-09-15

URL: CVE-2023-40167

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-hmr7-m48g-48f6

Release Date: 2023-09-15

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.52.v20230823,10.0.16,11.0.16,12.0.1

WS-2023-0236

Vulnerable Library - jetty-xml-10.0.15.jar

The jetty xml utilities.

Library home page: https://eclipse.org/jetty

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-xml/10.0.15/d30d139b35bf183757b7ef5372dec5096bc39a60/jetty-xml-10.0.15.jar

Dependency Hierarchy:

  • jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar (Root Library)
    • jetty-webapp-10.0.15.jar
      • jetty-xml-10.0.15.jar (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

Vulnerability Details

XmlParser is vulnerable to XML external entity (XXE) vulnerability.
XmlParser is being used when parsing Jetty’s xml configuration files. An attacker might exploit this vulnerability in order to achieve SSRF or cause a denial of service. One possible scenario is importing a (remote) malicious WAR into a Jetty’s server, while the WAR includes a malicious web.xml. The vulnerability is patched in versions 10.0.16, 11.0.16, and 12.0.0.

Publish Date: 2023-07-10

URL: WS-2023-0236

CVSS 3 Score Details (3.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-58qw-p7qm-5rvh

Release Date: 2023-07-10

Fix Resolution: org.eclipse.jetty:jetty-xml:10.0.16,11.0.16,12.0.0

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jul 27, 2023
@mend-for-github-com mend-for-github-com bot changed the title jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 1 vulnerabilities (highest severity is: 3.9) jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 2 vulnerabilities (highest severity is: 5.3) Oct 4, 2023
@mend-for-github-com mend-for-github-com bot changed the title jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 2 vulnerabilities (highest severity is: 5.3) jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 3 vulnerabilities (highest severity is: 7.5) Oct 17, 2023
@jordarlu
Copy link
Contributor

should be addressed by #338

@mend-for-github-com mend-for-github-com bot changed the title jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 3 vulnerabilities (highest severity is: 7.5) jenkins-test-harness-2002.v0b_78b_a_d69e5d.jar: 3 vulnerabilities (highest severity is: 7.5) - autoclosed Oct 19, 2023
@mend-for-github-com
Copy link
Contributor Author

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend
Projects
None yet
Development

No branches or pull requests

2 participants