Path to dependency file: /itest/ldap/embedded-ldap-mode-apacheds/spring-security-itest-ldap-embedded-mode-apacheds.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.mina/mina-core/2.0.0-M6/1c5f4564ae6e5f5a7b4d6c5f780ef290c5cbc9d7/mina-core-2.0.0-M6.jar
Found in HEAD commit: 3fcb26b5887fc226b006a838ede289b6cae3e3c7
Vulnerabilities
Details
Vulnerable Library - mina-core-2.0.0-M6.jar
Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.
Library home page: http://mina.apache.org
Path to dependency file: /ldap/spring-security-ldap.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.mina/mina-core/2.0.0-M6/1c5f4564ae6e5f5a7b4d6c5f780ef290c5cbc9d7/mina-core-2.0.0-M6.jar
Dependency Hierarchy:
Found in HEAD commit: 3fcb26b5887fc226b006a838ede289b6cae3e3c7
Found in base branch: main
Vulnerability Details
Handling of the close_notify SSL/TLS message does not lead to a connection closure, leading the server to retain the socket opened and to have the client potentially receive clear text messages afterward. Mitigation: 2.0.20 users should migrate to 2.0.21, 2.1.0 users should migrate to 2.1.1. This issue affects: Apache MINA.
Publish Date: 2019-10-01
URL: CVE-2019-0231
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0231
Release Date: 2019-10-08
Fix Resolution (org.apache.mina:mina-core): 2.0.21
Direct dependency fix Resolution (org.apache.directory.server:apacheds-protocol-ldap): 2.0.0.AM25
⛑️ Automatic Remediation is available for this issue
Vulnerable Library - mina-core-2.0.0-M6.jar
Apache MINA is a network application framework which helps users develop high performance and highly scalable network applications easily. It provides an abstract event-driven asynchronous API over various transports such as TCP/IP and UDP/IP via Java NIO.
Library home page: http://mina.apache.org
Path to dependency file: /ldap/spring-security-ldap.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.mina/mina-core/2.0.0-M6/1c5f4564ae6e5f5a7b4d6c5f780ef290c5cbc9d7/mina-core-2.0.0-M6.jar
Dependency Hierarchy:
Found in HEAD commit: 3fcb26b5887fc226b006a838ede289b6cae3e3c7
Found in base branch: main
Vulnerability Details
In Apache MINA, a specifically crafted, malformed HTTP request may cause the HTTP Header decoder to loop indefinitely. The decoder assumed that the HTTP Header begins at the beginning of the buffer and loops if there is more data than expected. Please update MINA to 2.1.5 or greater.
Publish Date: 2021-11-01
URL: CVE-2021-41973
CVSS 3 Score Details (6.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-6mcm-j9cj-3vc3
Release Date: 2021-11-01
Fix Resolution (org.apache.mina:mina-core): 2.0.22
Direct dependency fix Resolution (org.apache.directory.server:apacheds-protocol-ldap): 2.0.0.AM25
⛑️ Automatic Remediation is available for this issue