📂 Vulnerable Library - legend-engine-extensions-collection-generation-4.4.5.jar
Path to dependency file: /legend-depot-server/pom.xml
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-82529-348347 | 🟣 Critical | 9.8 | N/A | N/A | guava-30.1-jre.jar | Direct | N/A | ❌ | |
| CVE-2022-40152 | 🔴 High | 7.1 | Not Defined | < 1% | woodstox-core-6.2.1.jar | Transitive | N/A | ❌ | |
| CVE-2020-8908 | 🟠 Medium | 4.8 | Not Defined | < 1% | guava-30.1-jre.jar | Direct | com.google.guava:guava:32.0.0-android | ✅ | |
Details
🟣CVE-82529-348347
Vulnerable Library - guava-30.1-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /legend-depot-artifacts-refresh/pom.xml
Dependency Hierarchy:
- ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-depot-store-status-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar
    - legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar
      - ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar (Root Library)
  - ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-engine-extensions-collection-generation-4.4.5.jar (Root Library)
  - legend-engine-language-pure-dsl-generation-4.4.5.jar
    - legend-engine-external-shared-4.4.5.jar
      - legend-engine-language-pure-modelManager-4.4.5.jar
        - ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar
    - ❌ guava-30.1-jre.jar (Vulnerable Library)
Vulnerability Details
Created automatically by the test suite
Publish Date: Jun 07, 2010 05:12 PM
URL: CVE-82529-348347
Threat Assessment
Exploit Maturity: N/A
EPSS: N/A
Score: 9.8
Suggested Fix
Type: Upgrade version
Origin:
Release Date:
Fix Resolution:
🔴CVE-2022-40152
Vulnerable Library - woodstox-core-6.2.1.jar
Woodstox is a high-performance XML processor that implements the Stax (JSR-173), SAX2 and Stax2 APIs.
Library home page: http://fasterxml.com
Path to dependency file: /legend-depot-server/pom.xml
Dependency Hierarchy:
- legend-engine-extensions-collection-generation-4.4.5.jar (Root Library)
  - legend-engine-xt-flatdata-model-4.4.5.jar
    - legend-engine-xt-flatdata-shared-4.4.5.jar
      - legend-engine-executionPlan-dependencies-4.4.5.jar
        - jackson-dataformat-xml-2.10.5.jar
          - ❌ woodstox-core-6.2.1.jar (Vulnerable Library)
Vulnerability Details
Those using Woodstox to parse XML data may be vulnerable to Denial of Service (DoS) attacks if DTD support is enabled. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack.
Mend Note:
Publish Date: Sep 16, 2022 10:00 AM
URL: CVE-2022-40152
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 7.1
Suggested Fix
Type: Upgrade version
Origin: GHSA-3f7h-mf4q-vrm4
Release Date: Sep 16, 2022 10:00 AM
Fix Resolution: com.fasterxml.woodstox:woodstox-core:6.4.0, com.fasterxml.woodstox:woodstox-core:5.4.0
🟠CVE-2020-8908
Vulnerable Library - guava-30.1-jre.jar
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, I/O classes, and much more.
Library home page: https://github.com/google/guava
Path to dependency file: /legend-depot-artifacts-refresh/pom.xml
Dependency Hierarchy:
- ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-depot-store-status-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar
    - legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar
      - ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar (Root Library)
  - ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-engine-extensions-collection-generation-4.4.5.jar (Root Library)
  - legend-engine-language-pure-dsl-generation-4.4.5.jar
    - legend-engine-external-shared-4.4.5.jar
      - legend-engine-language-pure-modelManager-4.4.5.jar
        - ❌ guava-30.1-jre.jar (Vulnerable Library)
- legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)
  - legend-depot-artifacts-repository-maven-impl-1.7.6-SNAPSHOT.jar
    - ❌ guava-30.1-jre.jar (Vulnerable Library)
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on Unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory(), which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Mend Note:
Publish Date: Dec 10, 2020 10:10 PM
URL: CVE-2020-8908
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 4.8
Suggested Fix
Type: Upgrade version
Origin: GHSA-5mg8-w23w-74h3
Release Date: Dec 10, 2020 10:10 PM
Fix Resolution: com.google.guava:guava:32.0.0-android