legend-depot-artifacts-repository-api-1.7.6-SNAPSHOT.jar: 2 vulnerabilities (highest severity is: 9.8) [master]

[mend-developer-platform-dev]

📂 Vulnerable Library - legend-depot-artifacts-repository-api-1.7.6-SNAPSHOT.jar

Findings

Finding	Severity	🎯 CVSS	Exploit Maturity	EPSS	Library	Type	Fixed in	Remediation Available	Reachability
CVE-842749-413332	🟣 Critical	9.8	N/A	N/A	commons-lang-2.6.jar	Direct	N/A	❌
CVE-2025-48924	🟠 Medium	6.9	Not Defined	< 1%	commons-lang-2.6.jar	Direct	N/A	❌

Details

🟣CVE-842749-413332

Vulnerable Library - commons-lang-2.6.jar

Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

Library home page: http://www.apache.org/

Path to dependency file: /legend-depot-artifacts-repository-api/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar

Dependency Hierarchy:

• ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-artifacts-repository-api-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-shared-pac4j-0.23.3.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

  • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

---

Vulnerability Details

Created automatically by the test suite

Publish Date: Jun 07, 2010 05:12 PM

URL: CVE-842749-413332

Threat Assessment

Exploit Maturity:N/A

EPSS:N/A

Score: 9.8

---

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :

🟠CVE-2025-48924

Vulnerable Library - commons-lang-2.6.jar

Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.

Library home page: http://www.apache.org/

Path to dependency file: /legend-depot-artifacts-repository-api/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar

Dependency Hierarchy:

• ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-store-api-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-artifacts-repository-api-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-core-http-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-shared-pac4j-0.23.3.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-model-1.7.6-SNAPSHOT.jar (Root Library)

  • ❌ commons-lang-2.6.jar (Vulnerable Library)

• legend-depot-store-mongo-1.7.6-SNAPSHOT.jar (Root Library)

  • legend-depot-model-1.7.6-SNAPSHOT.jar
    • ❌ commons-lang-2.6.jar (Vulnerable Library)

---

Vulnerability Details

Uncontrolled Recursion vulnerability in Apache Commons Lang. This issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0. The methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a StackOverflowError could cause an application to stop. Users are recommended to upgrade to version 3.18.0, which fixes the issue.

Publish Date: Jul 12, 2025 04:01 AM

URL: CVE-2025-48924

Threat Assessment

Exploit Maturity:Not Defined

EPSS:< 1%

Score: 6.9

---

Suggested Fix

Type: Upgrade version

Origin:

Release Date:

Fix Resolution :