CVE-2021-33813 (High) detected in jdom-1.1-NODEP.jar

[mend-bolt-for-github]

CVE-2021-33813 - High Severity Vulnerability

Vulnerable Library - jdom-1.1-NODEP.jar

JDOM is, quite simply, a Java representation of an XML document. JDOM provides a way to represent that document for easy and efficient reading, manipulation, and writing. It has a straightforward API, is a lightweight and fast, and is optimized for the Java programmer. It's an alternative to DOM and SAX, although it integrates well with both DOM and SAX.

Library home page: http://www.jdom.org/

Path to dependency file: /zheng-oss/zheng-oss-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jdom/jdom/1.1/jdom-1.1.jar,/home/wss-scanner/.m2/repository/org/jdom/jdom/1.1/jdom-1.1.jar,/home/wss-scanner/.m2/repository/org/jdom/jdom/1.1/jdom-1.1.jar,/zheng-oss/zheng-oss-web/target/zheng-oss-web/WEB-INF/lib/jdom-1.1.jar

Dependency Hierarchy:

• ❌ jdom-1.1-NODEP.jar (Vulnerable Library)

Found in HEAD commit: 97d32da277b91666d72080a5f39e4e612062663a

Found in base branch: master

Vulnerability Details

An XXE issue in SAXBuilder in JDOM through 2.0.6 allows attackers to cause a denial of service via a crafted HTTP request.

Publish Date: 2021-06-16

URL: CVE-2021-33813

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-33813

Release Date: 2021-06-16

Fix Resolution: org.apache.servicemix.bundles:org.apache.servicemix.bundles.jdom - 2.0.5_1;org.jdom:jdom2:2.0.6.1

---

Step up your Open Source Security Game with Mend here