📂 Vulnerable Library - mapdb-3.0.8.jar
MapDB provides concurrent Maps, Sets and Queues backed by disk storage or off-heap memory. It is a fast, scalable and easy to use embedded Java database.
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mapdb/mapdb/3.0.8/mapdb-3.0.8.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| CVE-2019-10101 | 🟣 Critical | 9.2 | Not Defined | < 1% | kotlin-stdlib-1.2.71.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2019-10101 | 🟣 Critical | 9.2 | Not Defined | < 1% | kotlin-stdlib-common-1.2.71.jar | Transitive | N/A | ❌ | Unreachable |
| CVE-2019-10102 | 🟣 Critical | 9.2 | Not Defined | < 1% | kotlin-stdlib-1.2.71.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2019-10102 | 🟣 Critical | 9.2 | Not Defined | < 1% | kotlin-stdlib-common-1.2.71.jar | Transitive | N/A | ❌ | Unreachable |
| CVE-2019-10103 | 🟣 Critical | 9.2 | Not Defined | < 1% | kotlin-stdlib-common-1.2.71.jar | Transitive | N/A | ❌ | Unreachable |
| CVE-2019-10103 | 🟣 Critical | 9.2 | Not Defined | < 1% | kotlin-stdlib-1.2.71.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2020-29582 | 🟠 Medium | 6.9 | Not Defined | < 1% | kotlin-stdlib-1.2.71.jar | Transitive | N/A | ❌ | Reachable |
| CVE-2022-24329 | 🟠 Medium | 6.9 | Not Defined | < 1% | kotlin-stdlib-1.2.71.jar | Transitive | N/A | ❌ | Reachable |
Details
🟣CVE-2019-10101
Vulnerable Library - kotlin-stdlib-1.2.71.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.2.71/kotlin-stdlib-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- ❌ kotlin-stdlib-1.2.71.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.abilitybots.api.db.MapDBContext (Application)
- org.mapdb.DB (Extension)
- org.mapdb.DB$HashMapMaker (Extension)
- org.mapdb.DB$HashMapMaker$create2$1 (Extension)
- kotlin.jvm.internal.Lambda (Extension)
-> ❌ kotlin.jvm.internal.FunctionBase (Vulnerable Component)
Vulnerability Details
JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.
Publish Date: Jul 03, 2019 12:00 AM
URL: CVE-2019-10101
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101
Release Date: Jul 03, 2019 12:00 AM
Fix Resolution : org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
🟣CVE-2019-10101
Vulnerable Library - kotlin-stdlib-common-1.2.71.jar
Kotlin Common Standard Library
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib-common/1.2.71/kotlin-stdlib-common-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- kotlin-stdlib-1.2.71.jar
- ❌ kotlin-stdlib-common-1.2.71.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JetBrains Kotlin versions before 1.3.30 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack.
Publish Date: Jul 03, 2019 12:00 AM
URL: CVE-2019-10101
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101
Release Date: Jul 03, 2019 12:00 AM
Fix Resolution : org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
🟣CVE-2019-10102
Vulnerable Library - kotlin-stdlib-1.2.71.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.2.71/kotlin-stdlib-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- ❌ kotlin-stdlib-1.2.71.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.abilitybots.api.db.MapDBContext (Application)
- org.mapdb.DB (Extension)
- org.mapdb.DB$nameCatalogVerifyTree$recid$1 (Extension)
- kotlin.jvm.internal.Lambda (Extension)
- kotlin.jvm.internal.Reflection (Extension)
- kotlin.jvm.internal.ReflectionFactory (Extension)
-> ❌ kotlin.jvm.internal.PackageReference (Vulnerable Component)
Vulnerability Details
JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.
Publish Date: Jul 03, 2019 12:00 AM
URL: CVE-2019-10102
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10102
Release Date: Jul 03, 2019 12:00 AM
Fix Resolution : io.ktor:ktor:1.1.0,org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
🟣CVE-2019-10102
Vulnerable Library - kotlin-stdlib-common-1.2.71.jar
Kotlin Common Standard Library
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib-common/1.2.71/kotlin-stdlib-common-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- kotlin-stdlib-1.2.71.jar
- ❌ kotlin-stdlib-common-1.2.71.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JetBrains Ktor framework (created using the Kotlin IDE template) versions before 1.1.0 were resolving artifacts using an http connection during the build process, potentially allowing an MITM attack. This issue was fixed in Kotlin plugin version 1.3.30.
Publish Date: Jul 03, 2019 12:00 AM
URL: CVE-2019-10102
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10102
Release Date: Jul 03, 2019 12:00 AM
Fix Resolution : io.ktor:ktor:1.1.0,org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
🟣CVE-2019-10103
Vulnerable Library - kotlin-stdlib-common-1.2.71.jar
Kotlin Common Standard Library
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib-common/1.2.71/kotlin-stdlib-common-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- kotlin-stdlib-1.2.71.jar
- ❌ kotlin-stdlib-common-1.2.71.jar (Vulnerable Library)
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.
Publish Date: Jul 03, 2019 12:00 AM
URL: CVE-2019-10103
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10103
Release Date: Jul 03, 2019 12:00 AM
Fix Resolution : org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
🟣CVE-2019-10103
Vulnerable Library - kotlin-stdlib-1.2.71.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.2.71/kotlin-stdlib-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- ❌ kotlin-stdlib-1.2.71.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.abilitybots.api.db.MapDBContext (Application)
- org.mapdb.DBMaker (Extension)
- org.mapdb.DBMaker$Maker (Extension)
- kotlin.collections.ArraysKt (Extension)
-> ❌ kotlin.jvm.JvmName (Vulnerable Component)
Vulnerability Details
JetBrains IntelliJ IDEA projects created using the Kotlin (JS Client/JVM Server) IDE Template were resolving Gradle artifacts using an http connection, potentially allowing an MITM attack. This issue, which was fixed in Kotlin plugin version 1.3.30, is similar to CVE-2019-10101.
Publish Date: Jul 03, 2019 12:00 AM
URL: CVE-2019-10103
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 9.2
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10103
Release Date: Jul 03, 2019 12:00 AM
Fix Resolution : org.jetbrains.kotlin:kotlin-stdlib:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-common:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk7:1.3.30,org.jetbrains.kotlin:kotlin-stdlib-jdk8:1.3.30,org.jetbrains.kotlin:kotlin-reflect:1.3.30
🟠CVE-2020-29582
Vulnerable Library - kotlin-stdlib-1.2.71.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.2.71/kotlin-stdlib-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- ❌ kotlin-stdlib-1.2.71.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.abilitybots.api.db.MapDBContext (Application)
- org.mapdb.DB (Extension)
- kotlin.collections.MapsKt (Extension)
- kotlin.collections.MapsKt___MapsKt (Extension)
- kotlin.collections.MapsKt__MapsKt (Extension)
-> ❌ kotlin.text.StringsKt__IndentKt$prependIndent$1 (Vulnerable Component)
Vulnerability Details
In JetBrains Kotlin before 1.4.21, a vulnerable Java API was used for temporary file and folder creation. An attacker was able to read data from such files and list directories due to insecure permissions.
Publish Date: Feb 03, 2021 03:20 PM
URL: CVE-2020-29582
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-cqj8-47ch-rvvq
Release Date: Feb 03, 2021 03:20 PM
Fix Resolution : org.jetbrains.kotlin:kotlin-stdlib:1.4.21
🟠CVE-2022-24329
Vulnerable Library - kotlin-stdlib-1.2.71.jar
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /telegrambots-abilities/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jetbrains/kotlin/kotlin-stdlib/1.2.71/kotlin-stdlib-1.2.71.jar
Dependency Hierarchy:
- mapdb-3.0.8.jar (Root Library)
- ❌ kotlin-stdlib-1.2.71.jar (Vulnerable Library)
Reachability Analysis
This vulnerability is potentially reachable:
- org.telegram.abilitybots.api.db.MapDBContext (Application)
- org.mapdb.DB (Extension)
- kotlin.text.Regex (Extension)
- kotlin.sequences.SequencesKt (Extension)
- kotlin.sequences.SequencesKt___SequencesKt (Extension)
-> ❌ kotlin.sequences.SequencesKt___SequencesKt$requireNoNulls$1 (Vulnerable Component)
Vulnerability Details
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: Feb 25, 2022 02:35 PM
URL: CVE-2022-24329
Threat Assessment
Exploit Maturity:Not Defined
EPSS:< 1%
Score: 6.9
Suggested Fix
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: Feb 25, 2022 02:35 PM
Fix Resolution : org.jetbrains.kotlin:kotlin-stdlib:1.6.0