SNOW-1304351: The threetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception
#1702
Assignees
Labels
status-triage_done
Initial triage done, will be further handled by the driver team
Comments
github-actions
bot
changed the title
threetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exceptionthreetenbp package is vulnerable to Denial of Service (DoS) due to an Uncaught Exception
|
Hello @cheevo , Thanks for raising the issue, we are looking into it, will update. Regards, |
sfc-gh-sghosh
added
status-triage_done
sfc-gh-dszmolka
added
the
security vulnerability
sfc-gh-dszmolka
removed
the
security vulnerability
|
Hello @cheevo , Update from threetenbp. The reported CVE are invalid, and no action is needed. threetenbp provided the page about the CVE - ThreeTen/threetenbp@adcdbc4 and it's visible on their website https://www.threeten.org/threetenbp/security.html - for two reported CVEs they stated that Users of ThreeTen-Backport do not need to take any action as the CVE is invalid. So, closing this issue. Regards, |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Explanation: The
threetenbppackage is vulnerable to Denial of Service (DoS) due to an Uncaught Exception. TheTZDB.datfile included with this package contains corrupted timezone information. Consequently, when parsed byDateTimeFormatterBuilder, this package may yield uncaught exceptions. A remote attacker who can cause this package to parse certain crafted inputs can exploit this vulnerability to crash affected applications.Detection: The application is vulnerable by using this component.
Recommendation: We recommend upgrading to a version of this component that is not vulnerable to this specific issue.
Note: If this component is included as a bundled/transitive dependency of another component, there may not be an upgrade path. In this instance, we recommend contacting the maintainers who included the vulnerable package. Alternatively, we recommend investigating alternative components or a potential mitigating control.
Threat Vectors: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Issue
sonatype-2024-0639
Source
Sonatype Data Research
SONATYPE Threat Level
7
CVE CWE
394
CWE URL
https://cwe.mitre.org/data/definitions/394.html
CVE URL
https://sonatype.fiserv.one/ui/links/vln/sonatype-2024-0639
CVE CVSS 3.0
Not Set
CVE CVSS 2.0
Not Set
SONATYPE CVSS 3.0
7.5
Please answer these questions before submitting your issue.
In order to accurately debug the issue this information is required. Thanks!
What version of JDBC driver are you using? 3.15.0
What operating system and processor architecture are you using? Linux
What version of Java are you using?11
What did you do?
Fortify code scan
What did you expect to see?
No high security vulnerabilities
Can you set logging to DEBUG and collect the logs?
N/a
The text was updated successfully, but these errors were encountered: