spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar: 13 vulnerabilities (highest severity is: 8.2) #28

Open
mend-for-jackfan.us.kg bot opened this issue Feb 5, 2025 · 0 comments
Labels
Mend: dependency security vulnerability Security vulnerability detected by Mend

mend-for-jackfan.us.kg bot commented Feb 5, 2025

Vulnerable Library - spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar

Path to dependency file: /spring-cloud-alibaba-coverage/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.69/bcprov-jdk15on-1.69.jar

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-cloud-starter-bus-rocketmq version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2024-22271 | High | 8.2 | spring-cloud-function-context-4.0.0.jar | Transitive | 2023.0.1.3 | | |
| CVE-2022-25845 | High | 8.1 | fastjson-1.2.76.jar | Transitive | 2023.0.1.0 | | |
| WS-2022-0468 | High | 7.5 | jackson-core-2.14.1.jar | Transitive | N/A* | | |
| CVE-2024-30172 | High | 7.5 | bcprov-jdk15on-1.69.jar | Transitive | N/A* | | |
| CVE-2024-29857 | High | 7.5 | bcprov-jdk15on-1.69.jar | Transitive | N/A* | | |
| CVE-2023-44487 | High | 7.5 | netty-codec-http2-4.1.87.Final.jar | Transitive | N/A* | | |
| CVE-2023-34462 | Medium | 6.5 | detected in multiple dependencies | Transitive | 2022.0.0.0 | | |
| CVE-2024-30171 | Medium | 5.9 | bcprov-jdk15on-1.69.jar | Transitive | N/A* | | |
| CVE-2025-25193 | Medium | 5.5 | netty-common-4.1.87.Final.jar | Transitive | N/A* | | |
| CVE-2024-47535 | Medium | 5.5 | netty-common-4.1.87.Final.jar | Transitive | N/A* | | |
| CVE-2023-33202 | Medium | 5.5 | bcprov-jdk15on-1.69.jar | Transitive | N/A* | | |
| CVE-2024-29025 | Medium | 5.3 | netty-codec-http-4.1.87.Final.jar | Transitive | 2023.0.1.3 | | |
| CVE-2023-33201 | Medium | 5.3 | bcprov-jdk15on-1.69.jar | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
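For the N/A* rows the fix has to be applied to the transitive artifact itself (a managed version of the Netty, Jackson or Bouncy Castle coordinates, or an exclusion plus a replacement artifact), and a pom pin is easy to get wrong: Maven's nearest-wins resolution can leave the old jar in place without complaint. The following start-up gate is an added example, not code from this Mend report or from the Spring Cloud Alibaba project. It reads the version each library actually loaded and refuses to run if any is below the "Fix Resolution" quoted in this issue. It assumes Java 17 (for Provider#getVersionStr) and probes public API of the libraries in question (BouncyCastleProvider, JSON.VERSION, com.fasterxml.jackson.core.json.PackageVersion, io.netty.util.Version, and the manifest of spring-cloud-function-context); the version comparator is a simplified Maven-style one written for this example.

```java
import java.security.Provider;
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

/**
 * Start-up gate: refuse to run while a transitive artifact listed in this report
 * is still below its "Fix Resolution" version. Added example; not part of the Mend
 * report or of Spring Cloud Alibaba. Assumes Java 17 (Provider#getVersionStr).
 */
public final class VulnerableDependencyGate {

    /** groupId:artifactId -> first fixed version, taken from the Fix Resolution lines of this issue. */
    static final Map<String, String> FIXED_IN = new LinkedHashMap<>();
    static {
        FIXED_IN.put("org.bouncycastle:bcprov", "1.78");            // bcprov-jdk15on never reached 1.78: swap to bcprov-jdk18on
        FIXED_IN.put("com.alibaba:fastjson", "1.2.83");
        FIXED_IN.put("com.fasterxml.jackson.core:jackson-core", "2.15.0");
        FIXED_IN.put("io.netty:netty-codec-http2", "4.1.100.Final");
        FIXED_IN.put("org.springframework.cloud:spring-cloud-function-context", "4.1.2"); // 4.0.8 closes the 4.0.x line
    }

    /** Simplified Maven-style comparison: '.'/'-' separated segments, numeric segments compared numerically. */
    static int compareVersions(String a, String b) {
        String[] pa = a.split("[.\\-]");
        String[] pb = b.split("[.\\-]");
        int n = Math.max(pa.length, pb.length);
        for (int i = 0; i < n; i++) {
            String x = i < pa.length ? pa[i] : "0";
            String y = i < pb.length ? pb[i] : "0";
            boolean nx = x.matches("\\d+");
            boolean ny = y.matches("\\d+");
            int c;
            if (nx && ny) {
                c = Long.compare(Long.parseLong(x), Long.parseLong(y));
            } else if (nx) {
                c = 1;   // a numeric segment outranks a qualifier such as "RC2"
            } else if (ny) {
                c = -1;
            } else {
                c = x.compareToIgnoreCase(y);
            }
            if (c != 0) {
                return c;
            }
        }
        return 0;
    }

    /** Versions of the report's libraries that actually loaded; libraries absent from the classpath are skipped. */
    static Map<String, String> observedVersions() {
        Map<String, String> seen = new LinkedHashMap<>();
        try {  // Bouncy Castle: the JCA provider carries its release number
            Provider bc = (Provider) Class.forName("org.bouncycastle.jce.provider.BouncyCastleProvider")
                    .getDeclaredConstructor().newInstance();
            seen.put("org.bouncycastle:bcprov", bc.getVersionStr());
        } catch (ReflectiveOperationException | LinkageError ignored) { }
        try {  // fastjson: public static final String JSON.VERSION
            seen.put("com.alibaba:fastjson",
                    (String) Class.forName("com.alibaba.fastjson.JSON").getField("VERSION").get(null));
        } catch (ReflectiveOperationException | LinkageError ignored) { }
        try {  // jackson-core: PackageVersion.VERSION prints as e.g. "2.14.1"
            seen.put("com.fasterxml.jackson.core:jackson-core",
                    Class.forName("com.fasterxml.jackson.core.json.PackageVersion").getField("VERSION").get(null).toString());
        } catch (ReflectiveOperationException | LinkageError ignored) { }
        try {  // Netty: io.netty.util.Version.identify() maps artifactId -> Version
            Object byArtifact = Class.forName("io.netty.util.Version").getMethod("identify").invoke(null);
            for (Map.Entry<?, ?> e : ((Map<?, ?>) byArtifact).entrySet()) {
                Object ver = e.getValue();
                seen.put("io.netty:" + e.getKey(), (String) ver.getClass().getMethod("artifactVersion").invoke(ver));
            }
        } catch (ReflectiveOperationException | LinkageError ignored) { }
        try {  // Spring Cloud Function: Implementation-Version from the jar manifest (null if the manifest lacks it)
            String v = Class.forName("org.springframework.cloud.function.context.FunctionCatalog")
                    .getPackage().getImplementationVersion();
            if (v != null) {
                seen.put("org.springframework.cloud:spring-cloud-function-context", v);
            }
        } catch (ReflectiveOperationException | LinkageError ignored) { }
        return seen;
    }

    /** "artifact observed < fixed" for every outstanding item; an empty list means nothing from this report remains. */
    static List<String> outstanding(Map<String, String> observed) {
        List<String> out = new ArrayList<>();
        for (Map.Entry<String, String> fix : FIXED_IN.entrySet()) {
            String have = observed.get(fix.getKey());
            if (have != null && compareVersions(have, fix.getValue()) < 0) {
                out.add(fix.getKey() + " " + have + " < " + fix.getValue());
            }
        }
        return out;
    }

    public static void main(String[] args) {
        List<String> bad = outstanding(observedVersions());
        if (!bad.isEmpty()) {
            bad.forEach(f -> System.err.println("vulnerable dependency on classpath: " + f));
            throw new IllegalStateException("refusing to start with " + bad.size() + " vulnerable dependencies");
        }
        System.out.println("dependency gate passed");
    }
}
```

Run it as an integration test in the build if failing production start-up is too blunt for your service. The gate checks the version the Bouncy Castle provider reports, not the artifactId, so a correct swap to bcprov-jdk18on 1.78 passes while a pin that resolution silently ignored does not; the list covers only the fix versions visible in this issue, so extend FIXED_IN from the Mend application for the truncated entries.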

Details

Partial details (9 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2024-22271

Vulnerable Library - spring-cloud-function-context-4.0.0.jar

Implementation of core API for Spring Cloud Function

Library home page: https://www.spring.io

Path to dependency file: /spring-cloud-alibaba-examples/rocketmq-example/rocketmq-pollable-consume-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/cloud/spring-cloud-function-context/4.0.0/spring-cloud-function-context-4.0.0.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • spring-cloud-stream-4.0.0.jar
        • spring-cloud-function-context-4.0.0.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

In Spring Cloud Function framework, versions 4.1.x prior to 4.1.2 and 4.0.x prior to 4.0.8, an application is vulnerable to a DoS attack when attempting to compose functions with non-existing functions.

Specifically, an application is vulnerable when all of the following are true:

  • User is using Spring Cloud Function Web module

Affected Spring Products and Versions:

  • Spring Cloud Function Framework 4.1.0 to 4.1.2
  • Spring Cloud Function Framework 4.0.0 to 4.0.8

References:

  • https://spring.io/security/cve-2022-22979
  • https://checkmarx.com/blog/spring-function-cloud-dos-cve-2022-22979-and-unintended-function-invocation/

History:

  • 2020-01-16: Initial vulnerability report published.

Publish Date: 2024-07-09

URL: CVE-2024-22271

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2024-22271

Release Date: 2024-07-09

Fix Resolution (org.springframework.cloud:spring-cloud-function-context): 4.1.2

Direct dependency fix Resolution (com.alibaba.cloud:spring-cloud-starter-bus-rocketmq): 2023.0.1.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-25845

Vulnerable Library - fastjson-1.2.76.jar

Fastjson is a JSON processor (JSON parser + JSON generator) written in Java

Library home page: https://github.com/alibaba

Path to dependency file: /spring-cloud-alibaba-examples/rocketmq-example/rocketmq-sql-consume-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • rocketmq-client-4.9.3.jar
        • rocketmq-common-4.9.3.jar
          • rocketmq-remoting-4.9.3.jar
            • fastjson-1.2.76.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable safeMode.

Publish Date: 2022-06-10

URL: CVE-2022-25845

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution (com.alibaba:fastjson): 1.2.83

Direct dependency fix Resolution (com.alibaba.cloud:spring-cloud-starter-bus-rocketmq): 2023.0.1.0

⛑️ Automatic Remediation will be attempted for this issue.
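The workaround named in the description, safeMode, is worth seeing next to the default it replaces. The following is an added example, not code from this report, from RocketMQ or from Spring Cloud Alibaba; the Order bean and both JSON documents are constructed for it. It shows that fastjson 1.2.76 with default settings still resolves a `@type` hint when it matches the expected class (this "expected class" path is the mechanism the autoType bypasses in CVE-2022-25845 target), and that `ParserConfig.setSafeMode(true)` rejects any `@type` outright. It deliberately does not reproduce a bypass chain.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * fastjson 1.2.76 as pulled in through rocketmq-remoting: what the "enable safeMode"
 * workaround does. Added example; not from the Mend report or the RocketMQ/Spring Cloud
 * Alibaba code base. The Order class and both JSON documents are constructed here.
 */
public final class FastjsonSafeModeDemo {

    /** Plain bean standing in for a message body a consumer deserializes. */
    public static class Order {
        private String id;
        private long amountCents;
        public String getId() { return id; }
        public void setId(String id) { this.id = id; }
        public long getAmountCents() { return amountCents; }
        public void setAmountCents(long amountCents) { this.amountCents = amountCents; }
    }

    // Constructed inputs. The second carries fastjson's polymorphic type hint, which is the
    // attacker-controlled class-name channel that CVE-2022-25845 abuses.
    static final String PLAIN = "{\"id\":\"o-1\",\"amountCents\":1999}";
    static final String TYPED = "{\"@type\":\"" + Order.class.getName() + "\",\"id\":\"o-2\",\"amountCents\":5}";

    /** Default 1.2.76 behaviour: autoType is "off", yet a @type matching the expected class is still honoured. */
    static Order parseWithDefaults(String json) {
        return JSON.parseObject(json, Order.class);
    }

    /**
     * Hardened: safeMode disables @type processing entirely, so the class name in the document is never
     * resolved. This is a process-wide switch; the same effect is available at JVM start with
     * -Dfastjson.parser.safeMode=true, which needs no code change in the consumer.
     */
    static Order parseWithSafeMode(String json) {
        ParserConfig.getGlobalInstance().setSafeMode(true);
        return JSON.parseObject(json, Order.class);
    }

    public static void main(String[] args) {
        System.out.println("defaults, plain : " + parseWithDefaults(PLAIN).getId());
        System.out.println("defaults, @type : " + parseWithDefaults(TYPED).getId()); // type hint accepted
        System.out.println("safeMode, plain : " + parseWithSafeMode(PLAIN).getId()); // still works
        try {
            parseWithSafeMode(TYPED);
        } catch (JSONException e) {
            System.out.println("safeMode, @type : rejected -> " + e.getMessage()); // "safeMode not support autoType : ..."
        }
    }
}
```

safeMode is global to the JVM, and rocketmq-remoting serializes its own protocol with the same fastjson instance, so exercise a producer/consumer round-trip after enabling it rather than assuming it is transparent. It is a stop-gap: the fix is com.alibaba:fastjson 1.2.83, reached here via spring-cloud-starter-bus-rocketmq 2023.0.1.0 or a managed version of the transitive artifact.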

WS-2022-0468

Vulnerable Library - jackson-core-2.14.1.jar

Core Jackson processing abstractions (aka Streaming API), implementation for JSON

Library home page: http://fasterxml.com/

Path to dependency file: /spring-cloud-alibaba-examples/seata-example/account-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.14.1/jackson-core-2.14.1.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • spring-cloud-stream-4.0.0.jar
        • spring-cloud-function-context-4.0.0.jar
          • jackson-databind-2.14.1.jar
            • jackson-core-2.14.1.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

The jackson-core package is vulnerable to a Denial of Service (DoS) attack. The methods in the classes listed below fail to restrict input size when performing numeric type conversions. A remote attacker can exploit this vulnerability by causing the application to deserialize data containing certain numeric types with large values. Deserializing many of the aforementioned objects may cause the application to exhaust all available resources, resulting in a DoS condition.

Publish Date: 2022-12-07

URL: WS-2022-0468

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-07

Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.15.0
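The 2.15.0 fix works by bounding the size of a numeric token before it is converted to BigInteger/BigDecimal, and the same mechanism lets you set a budget far tighter than the default. The following is an added example, not code from this report or from Spring Cloud Alibaba; it requires jackson-core and jackson-databind 2.15 or later (on 2.14.1, the version in this report, StreamReadConstraints does not exist and a number of any length is accepted). The payload is constructed, and the 40-digit limit is an illustrative choice, not a recommendation for every schema.

```java
import com.fasterxml.jackson.core.JsonFactory;
import com.fasterxml.jackson.core.StreamReadConstraints;
import com.fasterxml.jackson.core.exc.StreamConstraintsException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.json.JsonMapper;

import java.io.IOException;
import java.math.BigDecimal;

/**
 * What the jackson-core 2.15.0 fix for WS-2022-0468 gives you, and how to tighten it.
 * Added example, not code from the Mend report or from Spring Cloud Alibaba; needs
 * jackson-core/databind >= 2.15. On 2.14.1 the first mapper accepts numbers of any length.
 */
public final class JacksonNumberLimitsDemo {

    /** Constructed payload: one numeric token with far more digits than any real amount needs. */
    static String hugeNumber(int digits) {
        StringBuilder sb = new StringBuilder(digits);
        sb.append('1');
        for (int i = 1; i < digits; i++) {
            sb.append('7');
        }
        return sb.toString();
    }

    /** 2.15 default: numeric tokens longer than 1000 characters are rejected before any BigDecimal conversion. */
    static final ObjectMapper DEFAULT_2_15 = new ObjectMapper();

    /** Hardened: limits sized to the data you actually accept (values here are illustrative). */
    static final ObjectMapper STRICT = JsonMapper.builder(
            JsonFactory.builder()
                    .streamReadConstraints(StreamReadConstraints.builder()
                            .maxNumberLength(40)          // above any money/quantity field, far below a DoS payload
                            .maxStringLength(64 * 1024)
                            .maxNestingDepth(64)
                            .build())
                    .build())
            .build();

    /** Parsed value, or null when the parser refused the token under its constraints. */
    static BigDecimal parseOrNull(ObjectMapper mapper, String json) throws IOException {
        try {
            return mapper.readValue(json, BigDecimal.class);
        } catch (StreamConstraintsException e) {
            return null;
        }
    }

    public static void main(String[] args) throws IOException {
        String modest = hugeNumber(30);
        String attack = hugeNumber(5_000);

        System.out.println("default 2.15, 30 digits   : " + (parseOrNull(DEFAULT_2_15, modest) != null));     // true
        System.out.println("default 2.15, 5000 digits : " + (parseOrNull(DEFAULT_2_15, attack) != null));     // false, over 1000
        System.out.println("strict,       30 digits   : " + (parseOrNull(STRICT, modest) != null));           // true
        System.out.println("strict,       45 digits   : " + (parseOrNull(STRICT, hugeNumber(45)) != null));   // false, over 40
    }
}
```

The constraints are a property of the JsonFactory, so every ObjectMapper built from that factory inherits them; in a Spring Boot application the same budget can be applied by customizing the auto-configured JsonMapper builder rather than constructing mappers by hand.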

CVE-2024-30172

Vulnerable Library - bcprov-jdk15on-1.69.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /spring-cloud-alibaba-tests/nacos-tests/nacos-config-test/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.69/bcprov-jdk15on-1.69.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-bus-4.0.0.jar
      • spring-cloud-starter-4.0.0.jar
        • spring-security-rsa-1.0.11.RELEASE.jar
          • bcpkix-jdk15on-1.69.jar
            • bcprov-jdk15on-1.69.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

An issue was discovered in Bouncy Castle Java Cryptography APIs before 1.78. An Ed25519 verification code infinite loop can occur via a crafted signature and public key.

Publish Date: 2024-05-09

URL: CVE-2024-30172

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2024-30172

Release Date: 2024-03-24

Fix Resolution: org.bouncycastle:bcprov-jdk18on:1.78,org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk14:1.78

CVE-2024-29857

Vulnerable Library - bcprov-jdk15on-1.69.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /spring-cloud-alibaba-tests/nacos-tests/nacos-config-test/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.69/bcprov-jdk15on-1.69.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-bus-4.0.0.jar
      • spring-cloud-starter-4.0.0.jar
        • spring-security-rsa-1.0.11.RELEASE.jar
          • bcpkix-jdk15on-1.69.jar
            • bcprov-jdk15on-1.69.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

An issue was discovered in ECCurve.java and ECCurve.cs in Bouncy Castle Java (BC Java) before 1.78, BC Java LTS before 2.73.6, BC-FJA before 1.0.2.5, and BC C# .Net before 2.3.1. Importing an EC certificate with crafted F2m parameters can lead to excessive CPU consumption during the evaluation of the curve parameters.

Publish Date: 2024-05-14

URL: CVE-2024-29857

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8xfc-gm6g-vgpv

Release Date: 2024-05-14

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2023-44487

Vulnerable Library - netty-codec-http2-4.1.87.Final.jar

Library home page: https://netty.io/

Path to dependency file: /spring-cloud-alibaba-examples/seata-example/account-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.87.Final/netty-codec-http2-4.1.87.Final.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • rocketmq-client-4.9.3.jar
        • rocketmq-common-4.9.3.jar
          • rocketmq-remoting-4.9.3.jar
            • netty-all-4.1.87.Final.jar
              • netty-codec-http2-4.1.87.Final.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3,v1.57.1,v1.58.3, kubernetes/kubernetes - v1.25.15,v1.26.10,v1.27.7,v1.28.3,v1.29.0, kubernetes/apimachinery - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0, kubernetes/apiserver - v0.25.15,v0.26.10,v0.27.7,v0.28.3,v0.29.0

CVE-2023-34462

Vulnerable Libraries - netty-handler-4.1.87.Final.jar, netty-all-4.1.87.Final.jar

netty-handler-4.1.87.Final.jar

Library home page: https://netty.io/

Path to dependency file: /spring-cloud-alibaba-starters/spring-cloud-starter-bus-rocketmq/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.87.Final/netty-handler-4.1.87.Final.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • rocketmq-client-4.9.3.jar
        • rocketmq-common-4.9.3.jar
          • rocketmq-remoting-4.9.3.jar
            • netty-all-4.1.87.Final.jar
              • netty-handler-4.1.87.Final.jar (Vulnerable Library)

netty-all-4.1.87.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /spring-cloud-alibaba-examples/integrated-example/integrated-order/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.1.87.Final/netty-all-4.1.87.Final.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • rocketmq-client-4.9.3.jar
        • rocketmq-common-4.9.3.jar
          • rocketmq-remoting-4.9.3.jar
            • netty-all-4.1.87.Final.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. The SniHandler can allocate up to 16MB of heap for each channel during the TLS handshake. When the handler or the channel does not have an idle timeout, it can be used to make a TCP server using the SniHandler allocate 16MB of heap. The SniHandler class is a handler that waits for the TLS handshake to configure a SslHandler according to the server name indicated by the ClientHello record. For this purpose it allocates a ByteBuf using the length value defined in the ClientHello record. Normally that value should be smaller than the handshake packet, but there are no checks done here and, the way the code is written, it is possible to craft a packet that makes the SslClientHelloHandler. This vulnerability has been fixed in version 4.1.94.Final.

Publish Date: 2023-06-22

URL: CVE-2023-34462

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-6mjq-h674-j845

Release Date: 2023-06-22

Fix Resolution (io.netty:netty-handler): 4.1.94.Final

Direct dependency fix Resolution (com.alibaba.cloud:spring-cloud-starter-bus-rocketmq): 2022.0.0.0

Fix Resolution (io.netty:netty-all): 4.1.94.Final

Direct dependency fix Resolution (com.alibaba.cloud:spring-cloud-starter-bus-rocketmq): 2022.0.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2024-30171

Vulnerable Library - bcprov-jdk15on-1.69.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 and up.

Library home page: https://www.bouncycastle.org/java.html

Path to dependency file: /spring-cloud-alibaba-tests/nacos-tests/nacos-config-test/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.69/bcprov-jdk15on-1.69.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-bus-4.0.0.jar
      • spring-cloud-starter-4.0.0.jar
        • spring-security-rsa-1.0.11.RELEASE.jar
          • bcpkix-jdk15on-1.69.jar
            • bcprov-jdk15on-1.69.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

An issue was discovered in Bouncy Castle Java TLS API and JSSE Provider before 1.78. Timing-based leakage may occur in RSA based handshakes because of exception processing.

Publish Date: 2024-05-09

URL: CVE-2024-30171

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v435-xc8x-wvr9

Release Date: 2024-05-09

Fix Resolution: org.bouncycastle:bcprov-jdk15to18:1.78, org.bouncycastle:bcprov-jdk18on:1.78, BouncyCastle.Cryptography - 2.3.1

CVE-2025-25193

Vulnerable Library - netty-common-4.1.87.Final.jar

Library home page: https://netty.io/

Path to dependency file: /spring-cloud-alibaba-examples/rocketmq-example/rocketmq-delay-consume-example/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.87.Final/netty-common-4.1.87.Final.jar

Dependency Hierarchy:

  • spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar (Root Library)
    • spring-cloud-starter-stream-rocketmq-2022.0.0.0-RC2.jar
      • rocketmq-client-4.9.3.jar
        • rocketmq-common-4.9.3.jar
          • rocketmq-remoting-4.9.3.jar
            • netty-all-4.1.87.Final.jar
              • netty-common-4.1.87.Final.jar (Vulnerable Library)

Found in base branch: 2022.x

Vulnerability Details

Netty, an asynchronous, event-driven network application framework, has a vulnerability in versions up to and including 4.1.118.Final. An unsafe reading of an environment file could potentially cause a denial of service in Netty. When loaded in a Windows application, Netty attempts to load a file that does not exist. If an attacker creates such a large file, the Netty application crashes. A similar issue was previously reported as CVE-2024-47535. This issue was fixed, but the fix was incomplete in that null-bytes were not counted against the input limit. Commit d1fbda62d3a47835d3fb35db8bd42ecc205a5386 contains an updated fix.

Publish Date: 2025-02-10

URL: CVE-2025-25193

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-389x-839f-4rhx

Release Date: 2025-02-10

Fix Resolution: io.netty:netty-common:4.1.118.Final

⛑️ Automatic Remediation will be attempted for this issue.

@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Feb 5, 2025
@mend-for-jackfan.us.kg mend-for-jackfan.us.kg bot changed the title spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar: 12 vulnerabilities (highest severity is: 8.2) spring-cloud-starter-bus-rocketmq-2022.0.0.0-RC2.jar: 13 vulnerabilities (highest severity is: 8.2) Feb 11, 2025