SNOW-1304351: The threetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception #1702
Labels: status-triage_done (Initial triage done, will be further handled by the driver team)
Explanation: The threetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception. The TZDB.dat file included with this package contains corrupted timezone information. Consequently, when parsed by DateTimeFormatterBuilder, this package may yield uncaught exceptions. A remote attacker who can cause this package to parse certain crafted inputs can exploit this vulnerability to crash affected applications.

Detection: The application is vulnerable by using this component.

Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.

Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.

Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Issue: sonatype-2024-0639
Source: Sonatype Data Research
SONATYPE Threat Level: 7
CVE CWE: 394
CWE URL: https://cwe.mitre.org/data/definitions/394.html
CVE URL: https://sonatype.fiserv.one/ui/links/vln/sonatype-2024-0639
CVE CVSS 3.0: Not Set
CVE CVSS 2.0: Not Set
SONATYPE CVSS 3.0: 7.5
Please answer these questions before submitting your issue. In order to accurately debug the issue this information is required. Thanks!

What version of JDBC driver are you using? 3.15.0

What operating system and processor architecture are you using? Linux

What version of Java are you using? 11

What did you do? Fortify code scan

What did you expect to see? No high security vulnerabilities

Can you set logging to DEBUG and collect the logs? N/a