google-cloud-datastore-1.0.0.jar: 41 vulnerabilities (highest severity is: 9.1) - autoclosed

[mend-bolt-for-github]

Vulnerable Library - google-cloud-datastore-1.0.0.jar

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (google-cloud-datastore version)	Remediation Possible**
CVE-2020-7692	Critical	9.1	google-oauth-client-1.21.0.jar	Transitive	1.13.0	❌
CVE-2019-20445	Critical	9.1	netty-codec-http-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2019-20444	Critical	9.1	netty-codec-http-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2015-5237	High	8.8	protobuf-java-3.2.0.jar	Transitive	1.13.0	❌
WS-2021-0419	High	7.7	gson-2.7.jar	Transitive	N/A*	❌
WS-2017-3805	High	7.5	json-20160810.jar	Transitive	1.13.0	❌
CVE-2023-5072	High	7.5	json-20160810.jar	Transitive	1.13.0	❌
CVE-2023-44487	High	7.5	netty-codec-http2-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2023-3635	High	7.5	okio-1.6.0.jar	Transitive	1.13.0	❌
CVE-2022-45688	High	7.5	json-20160810.jar	Transitive	1.13.0	❌
CVE-2022-3509	High	7.5	protobuf-java-3.2.0.jar	Transitive	1.13.0	❌
CVE-2022-3171	High	7.5	protobuf-java-3.2.0.jar	Transitive	1.13.0	❌
CVE-2022-25647	High	7.5	gson-2.7.jar	Transitive	N/A*	❌
CVE-2021-37137	High	7.5	netty-codec-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2021-37136	High	7.5	netty-codec-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2020-7238	High	7.5	netty-codec-http-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2020-11612	High	7.5	netty-codec-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2019-9518	High	7.5	netty-codec-http2-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2019-9515	High	7.5	netty-codec-http2-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2019-9514	High	7.5	netty-codec-http2-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2019-9512	High	7.5	netty-codec-http2-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2019-16869	High	7.5	netty-codec-http-4.1.3.Final.jar	Transitive	1.13.0	❌
WS-2020-0408	High	7.4	netty-handler-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2021-22573	High	7.3	google-oauth-client-1.21.0.jar	Transitive	2.9.1	❌
CVE-2023-2976	High	7.1	guava-19.0.jar	Transitive	N/A*	❌
CVE-2023-34462	Medium	6.5	netty-handler-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2021-43797	Medium	6.5	netty-codec-http-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2021-21409	Medium	5.9	netty-codec-http2-4.1.3.Final.jar	Transitive	1.13.0	❌
CVE-2021-21295	Medium	5.9	detected in multiple dependencies	Transitive	1.13.0	❌
CVE-2018-10237	Medium	5.9	guava-19.0.jar	Transitive	1.13.0	❌
CVE-2016-2402	Medium	5.9	okhttp-2.5.0.jar	Transitive	1.13.0	❌
CVE-2022-24823	Medium	5.5	netty-common-4.1.3.Final.jar	Transitive	N/A*	❌
CVE-2021-22569	Medium	5.5	protobuf-java-3.2.0.jar	Transitive	1.13.0	❌
CVE-2021-21290	Medium	5.5	detected in multiple dependencies	Transitive	1.13.0	❌
WS-2018-0125	Medium	5.3	jackson-core-2.1.3.jar	Transitive	1.13.0	❌
WS-2018-0124	Medium	5.3	jackson-core-2.1.3.jar	Transitive	1.13.0	❌
CVE-2020-13956	Medium	5.3	httpclient-4.0.1.jar	Transitive	1.13.0	❌
CVE-2014-3577	Medium	4.8	httpclient-4.0.1.jar	Transitive	1.13.0	❌
CVE-2012-6153	Low	3.7	httpclient-4.0.1.jar	Transitive	1.13.0	❌
CVE-2011-1498	Low	3.7	httpclient-4.0.1.jar	Transitive	1.13.0	❌
CVE-2020-8908	Low	3.3	guava-19.0.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2020-7692

Vulnerable Library - google-oauth-client-1.21.0.jar

Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.

Library home page: https://github.com/google/google-oauth-java-client

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/oauth-client/google-oauth-client/1.21.0/google-oauth-client-1.21.0.jar,/home/wss-scanner/.m2/repository/com/google/oauth-client/google-oauth-client/1.21.0/google-oauth-client-1.21.0.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-http-1.0.0.jar
    • ❌ google-oauth-client-1.21.0.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

PKCE support is not implemented in accordance with the RFC for OAuth 2.0 for Native Apps. Without the use of PKCE, the authorization code returned by an authorization server is not enough to guarantee that the client that issued the initial authorization request is the one that will be authorized. An attacker is able to obtain the authorization code using a malicious app on the client-side and use it to gain authorization to the protected resource. This affects the package com.google.oauth-client:google-oauth-client before 1.31.0.

Publish Date: 2020-07-09

URL: CVE-2020-7692

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-09

Fix Resolution (com.google.oauth-client:google-oauth-client): 1.31.0

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2019-20445

Vulnerable Library - netty-codec-http-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-gcloud/jetty-gcloud-session-manager/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.3.Final/netty-codec-http-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.3.Final/netty-codec-http-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • netty-codec-http2-4.1.3.Final.jar
            • ❌ netty-codec-http-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2019-20444

Vulnerable Library - netty-codec-http-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-gcloud/jetty-gcloud-session-manager/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.3.Final/netty-codec-http-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.3.Final/netty-codec-http-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • netty-codec-http2-4.1.3.Final.jar
            • ❌ netty-codec-http-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2015-5237

Vulnerable Library - protobuf-java-3.2.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • protobuf-java-util-3.2.0.jar
      • ❌ protobuf-java-3.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

Publish Date: 2017-09-25

URL: CVE-2015-5237

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-09-25

Fix Resolution (com.google.protobuf:protobuf-java): 3.4.0

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

WS-2021-0419

Vulnerable Library - gson-2.7.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • protobuf-java-util-3.2.0.jar
      • ❌ gson-2.7.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: com.google.code.gson:gson:2.8.9

Step up your Open Source Security Game with Mend here

WS-2017-3805

Vulnerable Library - json-20160810.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20160810/json-20160810.jar,/home/wss-scanner/.m2/repository/org/json/json/20160810/json-20160810.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • ❌ json-20160810.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

Affected versions of JSON In Java are vulnerable to Denial of Service (DoS) when trying to initialize a JSONArray object and the input is [. This will cause the jvm to crash with StackOverflowError due to non-cyclical stack overflow.

Publish Date: 2017-10-30

URL: WS-2017-3805

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-10-30

Fix Resolution (org.json:json): 20180130

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2023-5072

Vulnerable Library - json-20160810.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20160810/json-20160810.jar,/home/wss-scanner/.m2/repository/org/json/json/20160810/json-20160810.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • ❌ json-20160810.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

Denial of Service in JSON-Java versions up to and including 20230618.  A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. 

Publish Date: 2023-10-12

URL: CVE-2023-5072

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rm7j-f5g5-27vv

Release Date: 2023-10-12

Fix Resolution (org.json:json): 20231013

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2023-44487

Vulnerable Library - netty-codec-http2-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • ❌ netty-codec-http2-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

The HTTP/2 protocol allows a denial of service (server resource consumption) because request cancellation can reset many streams quickly, as exploited in the wild in August through October 2023.

Publish Date: 2023-10-10

URL: CVE-2023-44487

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-44487

Release Date: 2023-10-10

Fix Resolution (io.netty:netty-codec-http2): 4.1.100.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2023-3635

Vulnerable Library - okio-1.6.0.jar

A modern I/O API for Java

Library home page: https://github.com/square/okio

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.6.0/okio-1.6.0.jar,/home/wss-scanner/.m2/repository/com/squareup/okio/okio/1.6.0/okio-1.6.0.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-okhttp-1.0.1.jar
          • ❌ okio-1.6.0.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

GzipSource does not handle an exception that might be raised when parsing a malformed gzip buffer. This may lead to denial of service of the Okio client when handling a crafted GZIP archive, by using the GzipSource class.

Publish Date: 2023-07-12

URL: CVE-2023-3635

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2023-3635

Release Date: 2023-07-12

Fix Resolution (com.squareup.okio:okio): 1.17.6

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2022-45688

Vulnerable Library - json-20160810.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20160810/json-20160810.jar,/home/wss-scanner/.m2/repository/org/json/json/20160810/json-20160810.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • ❌ json-20160810.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Publish Date: 2022-12-13

URL: CVE-2022-45688

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3vqj-43w4-2q58

Release Date: 2022-12-13

Fix Resolution (org.json:json): 20230227

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2022-3509

Vulnerable Library - protobuf-java-3.2.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • protobuf-java-util-3.2.0.jar
      • ❌ protobuf-java-3.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-12-12

URL: CVE-2022-3509

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-3509

Release Date: 2022-12-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2022-3171

Vulnerable Library - protobuf-java-3.2.0.jar

Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

Library home page: https://developers.google.com/protocol-buffers/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.2.0/protobuf-java-3.2.0.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • protobuf-java-util-3.2.0.jar
      • ❌ protobuf-java-3.2.0.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields causes objects to be converted back-n-forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.

Publish Date: 2022-10-12

URL: CVE-2022-3171

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4h5-3hr4-j3g2

Release Date: 2022-10-12

Fix Resolution (com.google.protobuf:protobuf-java): 3.16.3

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2022-25647

Vulnerable Library - gson-2.7.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar,/home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • google-cloud-core-1.0.0.jar
    • protobuf-java-util-3.2.0.jar
      • ❌ gson-2.7.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9

Step up your Open Source Security Game with Mend here

CVE-2021-37137

Vulnerable Library - netty-codec-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-gcloud/jetty-gcloud-session-manager/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.3.Final/netty-codec-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.3.Final/netty-codec-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • netty-codec-http2-4.1.3.Final.jar
            • netty-codec-http-4.1.3.Final.jar
              • ❌ netty-codec-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2021-37136

Vulnerable Library - netty-codec-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-gcloud/jetty-gcloud-session-manager/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.3.Final/netty-codec-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.3.Final/netty-codec-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • netty-codec-http2-4.1.3.Final.jar
            • netty-codec-http-4.1.3.Final.jar
              • ❌ netty-codec-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution (io.netty:netty-codec): 4.1.68.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2020-7238

Vulnerable Library - netty-codec-http-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-gcloud/jetty-gcloud-session-manager/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.3.Final/netty-codec-http-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.3.Final/netty-codec-http-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • netty-codec-http2-4.1.3.Final.jar
            • ❌ netty-codec-http-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-27

Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2020-11612

Vulnerable Library - netty-codec-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/jetty-gcloud/jetty-gcloud-session-manager/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.3.Final/netty-codec-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.3.Final/netty-codec-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • netty-codec-http2-4.1.3.Final.jar
            • netty-codec-http-4.1.3.Final.jar
              • ❌ netty-codec-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Publish Date: 2020-04-07

URL: CVE-2020-11612

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html

Release Date: 2020-04-07

Fix Resolution (io.netty:netty-codec): 4.1.46.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2019-9518

Vulnerable Library - netty-codec-http2-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • ❌ netty-codec-http2-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.

Publish Date: 2019-08-13

URL: CVE-2019-9518

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2019/08/13/4-1-39-Final.html

Release Date: 2019-08-13

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

CVE-2019-9515

Vulnerable Library - netty-codec-http2-4.1.3.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /tmp/ws-scm/Jetty_v9.4.31_CVE-2021-28169/tests/test-sessions/test-gcloud-sessions/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.3.Final/netty-codec-http2-4.1.3.Final.jar

Dependency Hierarchy:

• google-cloud-datastore-1.0.0.jar (Root Library)
  • datastore-v1-protos-1.3.0.jar
    • grpc-google-common-protos-0.1.0.jar
      • grpc-all-1.0.1.jar
        • grpc-netty-1.0.1.jar
          • ❌ netty-codec-http2-4.1.3.Final.jar (Vulnerable Library)

Found in HEAD commit: 8db6417fcbff3d4fc1ea975604b0ac9aefd5c4a3

Found in base branch: master

Vulnerability Details

Some HTTP/2 implementations are vulnerable to a settings flood, potentially leading to a denial of service. The attacker sends a stream of SETTINGS frames to the peer. Since the RFC requires that the peer reply with one acknowledgement per SETTINGS frame, an empty SETTINGS frame is almost equivalent in behavior to a ping. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.

Publish Date: 2019-08-13

URL: CVE-2019-9515

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9515

Release Date: 2019-08-13

Fix Resolution (io.netty:netty-codec-http2): 4.1.39.Final

Direct dependency fix Resolution (com.google.cloud:google-cloud-datastore): 1.13.0

Step up your Open Source Security Game with Mend here

[mend-bolt-for-github]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.