Skip to content

legend-depot-store-notifications-1.7.6-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 8.9) [master] #40

Open
Open
legend-depot-store-notifications-1.7.6-SNAPSHOT.jar: 22 vulnerabilities (highest severity is: 8.9) [master]#40
@mend-developer-platform-dev

Description

@mend-developer-platform-dev
mend-developer-platform-dev
bot
opened on Sep 28, 2025
📂 Vulnerable Library - legend-depot-store-notifications-1.7.6-SNAPSHOT.jar

Findings

Finding Severity 🎯 CVSS Exploit Maturity EPSS Library Type Fixed in Remediation Available Reachability
CVE-2022-42889 🔴 High 8.9 Proof of concept 94.2% commons-text-1.9.jar Transitive N/A
CVE-2021-28165 🔴 High 8.7 Not Defined 10.2% jetty-io-9.4.35.v20201120.jar Transitive N/A
CVE-2022-25857 🔴 High 8.7 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2023-6378 🔴 High 8.2 Not Defined < 1% logback-core-1.2.3.jar Transitive N/A
CVE-2021-42550 🔴 High 7.5 Not Defined 4.3% logback-core-1.2.3.jar Transitive N/A
CVE-2021-42550 🔴 High 7.5 Not Defined 4.3% logback-classic-1.2.3.jar Transitive N/A
CVE-2022-1471 🔴 High 7.4 Functional 93.8% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38749 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38750 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38751 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2022-38752 🔴 High 7.1 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2020-10693 🟠 Medium 6.9 Not Defined < 1% hibernate-validator-5.4.2.Final.jar Transitive N/A
CVE-2020-27223 🟠 Medium 6.9 Not Defined 28.099998% jetty-http-9.4.35.v20201120.jar Transitive N/A
CVE-2021-28169 🟠 Medium 6.9 Not Defined 92.1% jetty-servlets-9.4.35.v20201120.jar Transitive N/A
CVE-2021-28169 🟠 Medium 6.9 Not Defined 92.1% jetty-server-9.4.35.v20201120.jar Transitive N/A
CVE-2021-28169 🟠 Medium 6.9 Not Defined 92.1% jetty-http-9.4.35.v20201120.jar Transitive N/A
CVE-2022-41854 🟠 Medium 6.9 Not Defined < 1% snakeyaml-1.26.jar Transitive N/A
CVE-2023-26048 🟠 Medium 6.9 Not Defined 36.1% jetty-server-9.4.35.v20201120.jar Transitive N/A
CVE-2022-2047 🟠 Medium 5.1 Not Defined < 1% jetty-server-9.4.35.v20201120.jar Transitive N/A
CVE-2022-2047 🟠 Medium 5.1 Not Defined < 1% jetty-http-9.4.35.v20201120.jar Transitive N/A
CVE-2023-26049 🟠 Medium 4.8 Not Defined < 1% jetty-http-9.4.35.v20201120.jar Transitive N/A
CVE-2021-34428 🟡 Low 1.0 Not Defined < 1% jetty-server-9.4.35.v20201120.jar Transitive N/A

Details

🔴CVE-2022-42889

Vulnerable Library - commons-text-1.9.jar

Apache Commons Text is a library focused on algorithms working on strings.

Library home page: https://www.apache.org/

Path to dependency file: /legend-depot-artifacts-purge/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • commons-text-1.9.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • commons-text-1.9.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • commons-text-1.9.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • commons-text-1.9.jar (Vulnerable Library)

Vulnerability Details

Apache Commons Text performs variable interpolation, allowing properties to be dynamically evaluated and expanded. The standard format for interpolation is "${prefix:name}", where "prefix" is used to locate an instance of org.apache.commons.text.lookup.StringLookup that performs the interpolation. Starting with version 1.5 and continuing through 1.9, the set of default Lookup instances included interpolators that could result in arbitrary code execution or contact with remote servers. These lookups are: - "script" - execute expressions using the JVM script execution engine (javax.script) - "dns" - resolve dns records - "url" - load values from urls, including from remote servers Applications using the interpolation defaults in the affected versions may be vulnerable to remote code execution or unintentional contact with remote servers if untrusted configuration values are used. Users are recommended to upgrade to Apache Commons Text 1.10.0, which disables the problematic interpolators by default.
Mend Note:

Publish Date: Oct 13, 2022 12:00 AM

URL: CVE-2022-42889

Threat Assessment

Exploit Maturity:Proof of concept

EPSS:94.2%

Score: 8.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-599f-7c49-w659

Release Date: Oct 13, 2022 12:00 AM

Fix Resolution : org.apache.commons:commons-text:1.10.0

🔴CVE-2021-28165

Vulnerable Library - jetty-io-9.4.35.v20201120.jar

Library home page: https://webtide.com

Path to dependency file: /legend-depot-server/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar
                • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar
                  • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar
              • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar
            • jetty-io-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Mend Note:

Publish Date: Apr 01, 2021 02:20 PM

URL: CVE-2021-28165

Threat Assessment

Exploit Maturity:Not Defined

EPSS:10.2%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: Apr 01, 2021 02:20 PM

Fix Resolution : org.eclipse.jetty:jetty-server:10.0.2,org.eclipse.jetty:jetty-server:11.0.2

🔴CVE-2022-25857

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.
Mend Note:

Publish Date: Aug 30, 2022 05:05 AM

URL: CVE-2022-25857

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.7

Suggested Fix

Type: Upgrade version

Origin: GHSA-3mc7-4q67-w48m

Release Date: Aug 30, 2022 05:05 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2023-6378

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /legend-depot-artifacts-refresh/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-logging-1.3.29.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-logging-1.3.29.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-core-1.2.3.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-logging-1.3.29.jar
      • logback-core-1.2.3.jar (Vulnerable Library)

Vulnerability Details

A serialization vulnerability in logback receiver component part of
logback version 1.4.11 allows an attacker to mount a Denial-Of-Service
attack by sending poisoned data.
Mend Note:

Publish Date: Nov 29, 2023 12:02 PM

URL: CVE-2023-6378

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 8.2

Suggested Fix

Type: Upgrade version

Origin: GHSA-vmq6-5m68-f53m

Release Date: Nov 29, 2023 12:02 PM

Fix Resolution : ch.qos.logback:logback-core:1.2.13,ch.qos.logback:logback-classic:1.3.12,ch.qos.logback:logback-core:1.4.12,ch.qos.logback:logback-core:1.3.12,ch.qos.logback:logback-classic:1.4.12,ch.qos.logback:logback-classic:1.2.13

🔴CVE-2021-42550

Vulnerable Library - logback-core-1.2.3.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /legend-depot-artifacts-refresh/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-logging-1.3.29.jar
          • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-logging-1.3.29.jar
            • logback-core-1.2.3.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-core-1.2.3.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-logging-1.3.29.jar
      • logback-core-1.2.3.jar (Vulnerable Library)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: Dec 16, 2021 12:00 AM

URL: CVE-2021-42550

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.3%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-668q-qrv7-99fm

Release Date: Dec 16, 2021 12:00 AM

Fix Resolution : ch.qos.logback:logback-core:1.2.9

🔴CVE-2021-42550

Vulnerable Library - logback-classic-1.2.3.jar

logback-classic module

Library home page: http://www.qos.ch

Path to dependency file: /legend-depot-artifacts-purge/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-logging-1.3.29.jar
          • logback-classic-1.2.3.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-logging-1.3.29.jar
            • logback-classic-1.2.3.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-logging-1.3.29.jar
        • logback-classic-1.2.3.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-logging-1.3.29.jar
      • logback-classic-1.2.3.jar (Vulnerable Library)

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers. Converted from WS-2021-0491, on 2022-11-07.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.

Publish Date: Dec 16, 2021 12:00 AM

URL: CVE-2021-42550

Threat Assessment

Exploit Maturity:Not Defined

EPSS:4.3%

Score: 7.5

Suggested Fix

Type: Upgrade version

Origin: GHSA-668q-qrv7-99fm

Release Date: Dec 16, 2021 12:00 AM

Fix Resolution : ch.qos.logback:logback-core:1.2.9

🔴CVE-2022-1471

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.

Publish Date: Dec 01, 2022 10:47 AM

URL: CVE-2022-1471

Threat Assessment

Exploit Maturity:Functional

EPSS:93.8%

Score: 7.4

Suggested Fix

Type: Upgrade version

Origin: GHSA-mjmj-j48q-9wg2

Release Date: Dec 01, 2022 10:47 AM

Fix Resolution : org.yaml:snakeyaml:2.0

🔴CVE-2022-38749

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38749

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-c4r9-r8fh-9vj2

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38750

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38750

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-hhhw-99gj-p3c3

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38751

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38751

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-98wm-3w3q-mw94

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.31

🔴CVE-2022-38752

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Mend Note:

Publish Date: Sep 05, 2022 12:00 AM

URL: CVE-2022-38752

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 7.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: Sep 05, 2022 12:00 AM

Fix Resolution : org.yaml:snakeyaml:1.32

🟠CVE-2020-10693

Vulnerable Library - hibernate-validator-5.4.2.Final.jar

Hibernate's Bean Validation (JSR-303) reference implementation.

Library home page: http://hibernate.org/validator

Path to dependency file: /legend-depot-artifacts-purge/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-validation-1.3.29.jar
          • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-validation-1.3.29.jar
            • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-validation-1.3.29.jar
        • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-validation-1.3.29.jar
      • hibernate-validator-5.4.2.Final.jar (Vulnerable Library)

Vulnerability Details

A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.

Publish Date: May 06, 2020 01:03 PM

URL: CVE-2020-10693

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-rmrm-75hp-phr2

Release Date: May 06, 2020 01:03 PM

Fix Resolution : org.hibernate.validator:hibernate-validator:6.1.5.Final,org.hibernate.validator:hibernate-validator:6.0.20.Final

🟠CVE-2020-27223

Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-core-http/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Mend Note:

Publish Date: Feb 26, 2021 09:55 PM

URL: CVE-2020-27223

Threat Assessment

Exploit Maturity:Not Defined

EPSS:28.099998%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: Feb 26, 2021 09:55 PM

Fix Resolution : org.eclipse.jetty:jetty-server:11.0.1,org.eclipse.jetty:jetty-server:10.0.1

🟠CVE-2021-28169

Vulnerable Library - jetty-servlets-9.4.35.v20201120.jar

Utility Servlets from Jetty

Library home page: https://webtide.com

Path to dependency file: /legend-depot-server/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-jetty-1.3.29.jar
          • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-jetty-1.3.29.jar
            • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-jetty-1.3.29.jar
        • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-jetty-1.3.29.jar
      • jetty-servlets-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to "/concat?/%2557EB-INF/web.xml" can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 09, 2021 01:55 AM

URL: CVE-2021-28169

Threat Assessment

Exploit Maturity:Not Defined

EPSS:92.1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: Jun 09, 2021 01:55 AM

Fix Resolution : org.eclipse.jetty:jetty-servlets:10.0.3,org.eclipse.jetty:jetty-servlets:11.0.3

🟠CVE-2021-28169

Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /legend-depot-store-notifications/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to "/concat?/%2557EB-INF/web.xml" can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 09, 2021 01:55 AM

URL: CVE-2021-28169

Threat Assessment

Exploit Maturity:Not Defined

EPSS:92.1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: Jun 09, 2021 01:55 AM

Fix Resolution : org.eclipse.jetty:jetty-servlets:10.0.3,org.eclipse.jetty:jetty-servlets:11.0.3

🟠CVE-2021-28169

Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-core-http/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to "/concat?/%2557EB-INF/web.xml" can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Jun 09, 2021 01:55 AM

URL: CVE-2021-28169

Threat Assessment

Exploit Maturity:Not Defined

EPSS:92.1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: Jun 09, 2021 01:55 AM

Fix Resolution : org.eclipse.jetty:jetty-servlets:10.0.3,org.eclipse.jetty:jetty-servlets:11.0.3

🟠CVE-2022-41854

Vulnerable Library - snakeyaml-1.26.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /legend-depot-store-status/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-configuration-1.3.29.jar
          • jackson-dataformat-yaml-2.10.5.jar
            • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-configuration-1.3.29.jar
            • jackson-dataformat-yaml-2.10.5.jar
              • snakeyaml-1.26.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-configuration-1.3.29.jar
        • jackson-dataformat-yaml-2.10.5.jar
          • snakeyaml-1.26.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-configuration-1.3.29.jar
      • jackson-dataformat-yaml-2.10.5.jar
        • snakeyaml-1.26.jar (Vulnerable Library)

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Mend Note:

Publish Date: Nov 11, 2022 01:10 PM

URL: CVE-2022-41854

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-w37g-rhq8-7m4j

Release Date: Nov 11, 2022 01:10 PM

Fix Resolution : org.yaml:snakeyaml:1.32

🟠CVE-2023-26048

Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /legend-depot-store-notifications/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

Jetty is a java based web server and servlet engine. In affected versions servlets with multipart support (e.g. annotated with "@MultipartConfig") that call "HttpServletRequest.getParameter()" or "HttpServletRequest.getParts()" may cause "OutOfMemoryError" when the client sends a multipart request with a part that has a name but no filename and very large content. This happens even with the default settings of "fileSizeThreshold=0" which should stream the whole part content to disk. An attacker client may send a large multipart request and cause the server to throw "OutOfMemoryError". However, the server may be able to recover after the "OutOfMemoryError" and continue its service -- although it may take some time. This issue has been patched in versions 9.4.51, 10.0.14, and 11.0.14. Users are advised to upgrade. Users unable to upgrade may set the multipart parameter "maxRequestSize" which must be set to a non-negative value, so the whole multipart content is limited (although still read into memory).
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Apr 18, 2023 08:30 PM

URL: CVE-2023-26048

Threat Assessment

Exploit Maturity:Not Defined

EPSS:36.1%

Score: 6.9

Suggested Fix

Type: Upgrade version

Origin: GHSA-qw69-rqj8-6qw8

Release Date: Apr 18, 2023 08:30 PM

Fix Resolution : org.eclipse.jetty:jetty-server:11.0.14,org.eclipse.jetty:jetty-server:10.0.14,org.eclipse.jetty:jetty-server:9.4.51.v20230217

🟠CVE-2022-2047

Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /legend-depot-store-notifications/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Publish Date: Jul 07, 2022 08:45 PM

URL: CVE-2022-2047

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj7v-27pg-wf7q

Release Date: Jul 07, 2022 08:45 PM

Fix Resolution : org.eclipse.jetty:jetty-http:11.0.10,org.eclipse.jetty:jetty-http:10.0.10

🟠CVE-2022-2047

Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-core-http/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

In Eclipse Jetty versions 9.4.0 thru 9.4.46, and 10.0.0 thru 10.0.9, and 11.0.0 thru 11.0.9 versions, the parsing of the authority segment of an http scheme URI, the Jetty HttpURI class improperly detects an invalid input as a hostname. This can lead to failures in a Proxy scenario.

Publish Date: Jul 07, 2022 08:45 PM

URL: CVE-2022-2047

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 5.1

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj7v-27pg-wf7q

Release Date: Jul 07, 2022 08:45 PM

Fix Resolution : org.eclipse.jetty:jetty-http:11.0.10,org.eclipse.jetty:jetty-http:10.0.10

🟠CVE-2023-26049

Vulnerable Library - jetty-http-9.4.35.v20201120.jar

Library home page: https://eclipse.org/jetty

Path to dependency file: /legend-depot-core-http/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar
              • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar
                • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar
            • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar
          • jetty-http-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

Jetty is a java based web server and servlet engine. Nonstandard cookie parsing in Jetty may allow an attacker to smuggle cookies within other cookies, or otherwise perform unintended behavior by tampering with the cookie parsing mechanism. If Jetty sees a cookie VALUE that starts with """ (double quote), it will continue to read the cookie string until it sees a closing quote -- even if a semicolon is encountered. So, a cookie header such as: "DISPLAY_LANGUAGE="b; JSESSIONID=1337; c=d"" will be parsed as one cookie, with the name DISPLAY_LANGUAGE and a value of b; JSESSIONID=1337; c=d instead of 3 separate cookies. This has security implications because if, say, JSESSIONID is an HttpOnly cookie, and the DISPLAY_LANGUAGE cookie value is rendered on the page, an attacker can smuggle the JSESSIONID cookie into the DISPLAY_LANGUAGE cookie and thereby exfiltrate it. This is significant when an intermediary is enacting some policy based on cookies, so a smuggled cookie can bypass that policy yet still be seen by the Jetty server or its logging system. This issue has been addressed in versions 9.4.51, 10.0.14, 11.0.14, and 12.0.0.beta0 and users are advised to upgrade. There are no known workarounds for this issue.
Mend Note: The description of this vulnerability differs from MITRE.

Publish Date: Apr 18, 2023 08:35 PM

URL: CVE-2023-26049

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 4.8

Suggested Fix

Type: Upgrade version

Origin: GHSA-p26g-97m4-6q7c

Release Date: Apr 18, 2023 08:35 PM

Fix Resolution : org.eclipse.jetty:jetty-server:11.0.14,org.eclipse.jetty:jetty-server:12.0.0.beta0,org.eclipse.jetty:jetty-server:10.0.14,org.eclipse.jetty:jetty-server:9.4.51.v20230217

🟡CVE-2021-34428

Vulnerable Library - jetty-server-9.4.35.v20201120.jar

The core jetty server artifact.

Library home page: https://webtide.com

Path to dependency file: /legend-depot-store-notifications/pom.xml

Dependency Hierarchy:

  • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-core-http-1.7.6-SNAPSHOT.jar
      • dropwizard-core-1.3.29.jar
        • dropwizard-metrics-1.3.29.jar
          • dropwizard-lifecycle-1.3.29.jar
            • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-artifacts-refresh-1.7.6-SNAPSHOT.jar (Root Library)

    • legend-depot-store-notifications-1.7.6-SNAPSHOT.jar
      • legend-depot-core-http-1.7.6-SNAPSHOT.jar
        • dropwizard-core-1.3.29.jar
          • dropwizard-metrics-1.3.29.jar
            • dropwizard-lifecycle-1.3.29.jar
              • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

    • dropwizard-core-1.3.29.jar
      • dropwizard-metrics-1.3.29.jar
        • dropwizard-lifecycle-1.3.29.jar
          • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

  • dropwizard-core-1.3.29.jar (Root Library)

    • dropwizard-metrics-1.3.29.jar
      • dropwizard-lifecycle-1.3.29.jar
        • jetty-server-9.4.35.v20201120.jar (Vulnerable Library)

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.

Publish Date: Jun 22, 2021 02:45 PM

URL: CVE-2021-34428

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 1.0

Suggested Fix

Type: Upgrade version

Origin: GHSA-m6cp-vxjx-65j6

Release Date: Jun 22, 2021 02:45 PM

Fix Resolution : org.eclipse.jetty:jetty-server:11.0.3,org.eclipse.jetty:jetty-server:10.0.3

Metadata

Metadata

Assignees

No one assigned

    Labels

    No labels
    No labels

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions