buji-pac4j-3.2.0.jar: 14 vulnerabilities (highest severity is: 9.8) #156

mend-for-github-com bot opened this issue Jan 22, 2025 · 0 comments

Labels: Mend: dependency security vulnerability (Security vulnerability detected by Mend)

mend-for-github-com bot commented Jan 22, 2025

Vulnerable Library - buji-pac4j-3.2.0.jar

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Vulnerabilities

| CVE | Severity | CVSS | Exploit Maturity | EPSS | Dependency | Type | Fixed in (buji-pac4j version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2023-34478 | Critical | 9.8 | High | 0.2% | shiro-core-1.4.0.jar | Transitive | 9.0.0 | | |
| CVE-2023-25581 | Critical | 9.8 | Not Defined | 0.0% | pac4j-core-2.2.1.jar | Transitive | 5.0.0 | | |
| CVE-2022-40664 | Critical | 9.8 | Not Defined | 1.3000001% | shiro-web-1.4.0.jar | Transitive | 8.1.0 | | |
| CVE-2022-32532 | Critical | 9.8 | Not Defined | 5.5% | shiro-core-1.4.0.jar | Transitive | 8.0.0 | | |
| CVE-2021-41303 | Critical | 9.8 | Not Defined | 13.9% | shiro-core-1.4.0.jar | Transitive | 6.1.0 | | |
| CVE-2020-1957 | Critical | 9.8 | Not Defined | 0.8% | shiro-web-1.4.0.jar | Transitive | 5.0.0 | | |
| CVE-2020-17510 | Critical | 9.8 | Not Defined | 5.9% | shiro-web-1.4.0.jar | Transitive | 6.0.0 | | |
| CVE-2020-11989 | Critical | 9.8 | Not Defined | 25.099998% | shiro-web-1.4.0.jar | Transitive | 5.0.1 | | |
| CVE-2020-13933 | High | 7.5 | Not Defined | 0.3% | shiro-core-1.4.0.jar | Transitive | 6.0.0 | | |
| CVE-2019-12422 | High | 7.5 | Not Defined | 0.2% | shiro-crypto-cipher-1.4.0.jar | Transitive | 5.0.0 | | |
| CVE-2019-10086 | High | 7.3 | Not Defined | 0.4% | commons-beanutils-1.9.3.jar | Transitive | 5.0.0 | | |
| CVE-2014-0114 | High | 7.3 | Not Defined | 97.2% | commons-beanutils-1.9.3.jar | Transitive | 5.0.0 | | |
| CVE-2023-46749 | Medium | 6.5 | Not Defined | 0.2% | shiro-web-1.4.0.jar | Transitive | 9.0.0 | | |
| CVE-2023-46750 | Medium | 6.1 | Not Defined | 0.3% | shiro-web-1.4.0.jar | Transitive | 9.0.0 | | |

** In some cases, a Remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

CVE-2023-34478

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Publish Date: 2023-07-24

URL: CVE-2023-34478

Threat Assessment

Exploit Maturity: High

EPSS: 0.2%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-24

Fix Resolution (org.apache.shiro:shiro-core): 1.12.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-25581

Vulnerable Library - pac4j-core-2.2.1.jar

Profile & Authentication Client for Java

Library home page: https://github.com/pac4j/pac4j

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/pac4j/pac4j-core/2.2.1/pac4j-core-2.2.1.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • pac4j-core-2.2.1.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

pac4j is a security framework for Java. pac4j-core prior to version 4.0.0 is affected by a Java deserialization vulnerability. The vulnerability affects systems that store externally controlled values in attributes of the UserProfile class from pac4j-core. It can be exploited by providing an attribute that contains a serialized Java object with a special prefix {#sb64} and Base64 encoding. This issue may lead to Remote Code Execution (RCE) in the worst case. Although a RestrictedObjectInputStream is in place, which puts some restriction on what classes can be deserialized, it still allows a broad range of Java packages and is potentially exploitable with different gadget chains. pac4j versions 4.0.0 and greater are not affected by this issue. Users are advised to upgrade. There are no known workarounds for this vulnerability.

Publish Date: 2024-10-10

URL: CVE-2023-25581

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.0%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://securitylab.github.com/advisories/GHSL-2022-085_pac4j/

Release Date: 2024-10-10

Fix Resolution (org.pac4j:pac4j-core): 4.0.0-RC1

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-40664

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.10.0: authentication bypass vulnerability in Shiro when forwarding or including via RequestDispatcher.

Publish Date: 2022-10-12

URL: CVE-2022-40664

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 1.3000001%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg

Release Date: 2022-10-12

Fix Resolution (org.apache.shiro:shiro-web): 1.10.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 8.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-32532

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.9.1: a RegexRequestMatcher can be misconfigured so that it is bypassed on some servlet containers. Applications using RegExPatternMatcher with "." in the regular expression are possibly vulnerable to an authorization bypass.

Publish Date: 2022-06-28

URL: CVE-2022-32532

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 5.5%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-4cf5-xmhp-3xj7

Release Date: 2022-06-28

Fix Resolution (org.apache.shiro:shiro-core): 1.9.1

Direct dependency fix Resolution (io.buji:buji-pac4j): 8.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-41303

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Publish Date: 2021-09-17

URL: CVE-2021-41303

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 13.9%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-f6jp-j6w3-w9hm

Release Date: 2021-09-17

Fix Resolution (org.apache.shiro:shiro-core): 1.8.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 6.1.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-1957

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-03-25

URL: CVE-2020-1957

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.8%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://shiro.apache.org/news.html

Release Date: 2020-03-25

Fix Resolution (org.apache.shiro:shiro-web): 1.5.2

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-17510

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-11-05

URL: CVE-2020-17510

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 5.9%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E

Release Date: 2020-11-05

Fix Resolution (org.apache.shiro:shiro-web): 1.7.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 6.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-11989

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-06-22

URL: CVE-2020-11989

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 25.099998%

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/SHIRO-753

Release Date: 2020-06-22

Fix Resolution (org.apache.shiro:shiro-web): 1.5.3

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-13933

Vulnerable Library - shiro-core-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.4.0/shiro-core-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-08-17

URL: CVE-2020-13933

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-2vgm-wxr3-6w2j

Release Date: 2020-08-17

Fix Resolution (org.apache.shiro:shiro-core): 1.6.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 6.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-12422

Vulnerable Library - shiro-crypto-cipher-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-crypto-cipher/1.4.0/shiro-crypto-cipher-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • shiro-crypto-cipher-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.4.2, when using the default "remember me" configuration, cookies could be susceptible to a padding attack.

Publish Date: 2019-11-18

URL: CVE-2019-12422

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12422

Release Date: 2019-11-18

Fix Resolution (org.apache.shiro:shiro-crypto-cipher): 1.4.2

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10086

Vulnerable Library - commons-beanutils-1.9.3.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • shiro-config-ogdl-1.4.0.jar
          • commons-beanutils-1.9.3.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.4%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-0114

Vulnerable Library - commons-beanutils-1.9.3.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar
      • shiro-core-1.4.0.jar
        • shiro-config-ogdl-1.4.0.jar
          • commons-beanutils-1.9.3.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 97.2%

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (io.buji:buji-pac4j): 5.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-46749

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

Apache Shiro before 1.13.0 or 2.0.0-alpha-4 may be susceptible to a path traversal attack that results in an authentication bypass when used together with path rewriting.

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+, or ensure blockSemicolon is enabled (this is the default).

Publish Date: 2024-01-15

URL: CVE-2023-46749

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.2%

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-46749

Release Date: 2024-01-15

Fix Resolution (org.apache.shiro:shiro-web): 1.13.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-46750

Vulnerable Library - shiro-web-1.4.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: https://www.apache.org/

Path to dependency file: /web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.4.0/shiro-web-1.4.0.jar

Dependency Hierarchy:

  • buji-pac4j-3.2.0.jar (Root Library)
    • shiro-web-1.4.0.jar (Vulnerable Library)

Found in HEAD commit: 4e5656db54be4b22481fe3774c2caeba51bac190

Found in base branch: main

Vulnerability Details

URL Redirection to Untrusted Site ('Open Redirect') vulnerability when "form" authentication is used in Apache Shiro.

Mitigation: Update to Apache Shiro 1.13.0+ or 2.0.0-alpha-4+.

Publish Date: 2023-12-14

URL: CVE-2023-46750

Threat Assessment

Exploit Maturity: Not Defined

EPSS: 0.3%

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-hhw5-c326-822h

Release Date: 2023-12-14

Fix Resolution (org.apache.shiro:shiro-web): 1.13.0

Direct dependency fix Resolution (io.buji:buji-pac4j): 9.0.0

⛑️ Automatic Remediation will be attempted for this issue.


@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by Mend label Jan 22, 2025
@mend-for-github-com mend-for-github-com bot changed the title buji-pac4j-3.2.0.jar: 13 vulnerabilities (highest severity is: 9.8) buji-pac4j-3.2.0.jar: 14 vulnerabilities (highest severity is: 9.8) Jan 23, 2025