📂 Vulnerable Library - mysql-connector-java-8.0.30.jar
JDBC Type 4 driver for MySQL
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/8.0.30/mysql-connector-java-8.0.30.jar
Findings
| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | Reachability |
|---|---|---|---|---|---|---|---|---|---|
| CVE-2022-3509 | 🔴 High | 8.7 | Not Defined | < 1% | protobuf-java-3.19.4.jar | Transitive | N/A | ❌ | |
| CVE-2022-3510 | 🔴 High | 8.7 | Not Defined | < 1% | protobuf-java-3.19.4.jar | Transitive | N/A | ❌ | |
| CVE-2022-3171 | 🟠 Medium | 5.3 | Not Defined | < 1% | protobuf-java-3.19.4.jar | Transitive | N/A | ❌ | |
Details
🔴CVE-2022-3509
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
- mysql-connector-java-8.0.30.jar (Root Library)
- ❌ protobuf-java-3.19.4.jar (Vulnerable Library)
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with textformat in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Mend Note:
Publish Date: Nov 01, 2022 06:09 PM
URL: CVE-2022-3509
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-g5ww-5jh7-63cx
Release Date: Nov 01, 2022 06:09 PM
Fix Resolution: com.google.protobuf:protobuf-javalite:3.19.6, com.google.protobuf:protobuf-java:3.16.3, com.google.protobuf:protobuf-java:3.21.7, com.google.protobuf:protobuf-javalite:3.20.3, com.google.protobuf:protobuf-java:3.20.3, com.google.protobuf:protobuf-java:3.19.6, com.google.protobuf:protobuf-javalite:3.16.3, com.google.protobuf:protobuf-javalite:3.21.7
🔴CVE-2022-3510
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
- mysql-connector-java-8.0.30.jar (Root Library)
- ❌ protobuf-java-3.19.4.jar (Vulnerable Library)
Vulnerability Details
A parsing issue similar to CVE-2022-3171, but with Message-Type Extensions in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Mend Note: The description of this vulnerability differs from MITRE.
Publish Date: Nov 11, 2022 04:35 PM
URL: CVE-2022-3510
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 8.7
Suggested Fix
Type: Upgrade version
Origin: GHSA-4gg5-vx3j-xwc7
Release Date: Nov 11, 2022 04:35 PM
Fix Resolution: com.google.protobuf:protobuf-java:3.20.3, com.google.protobuf:protobuf-javalite:3.20.3, com.google.protobuf:protobuf-javalite:3.19.6, com.google.protobuf:protobuf-java:3.21.7, com.google.protobuf:protobuf-java:3.19.6, com.google.protobuf:protobuf-javalite:3.21.7, com.google.protobuf:protobuf-java:3.16.3, com.google.protobuf:protobuf-javalite:3.16.3
🟠CVE-2022-3171
Vulnerable Library - protobuf-java-3.19.4.jar
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /liquibase/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.19.4/protobuf-java-3.19.4.jar
Dependency Hierarchy:
- mysql-connector-java-8.0.30.jar (Root Library)
- ❌ protobuf-java-3.19.4.jar (Vulnerable Library)
Vulnerability Details
A parsing issue with binary data in protobuf-java core and lite versions prior to 3.21.7, 3.20.3, 3.19.6 and 3.16.3 can lead to a denial of service attack. Inputs containing multiple instances of non-repeated embedded messages with repeated or unknown fields cause objects to be converted back and forth between mutable and immutable forms, resulting in potentially long garbage collection pauses. We recommend updating to the versions mentioned above.
Publish Date: Oct 12, 2022 12:00 AM
URL: CVE-2022-3171
Threat Assessment
Exploit Maturity: Not Defined
EPSS: < 1%
Score: 5.3
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4h5-3hr4-j3g2
Release Date: Oct 12, 2022 12:00 AM
Fix Resolution: google-protobuf - 3.21.7, com.google.protobuf:protobuf-javalite:3.20.3, google-protobuf - 3.19.6, com.google.protobuf:protobuf-kotlin:3.19.6, com.google.protobuf:protobuf-javalite:3.19.6, com.google.protobuf:protobuf-kotlin-lite:3.21.7, com.google.protobuf:protobuf-java:3.16.3, com.google.protobuf:protobuf-java:3.20.3, com.google.protobuf:protobuf-kotlin-lite:3.19.6, com.google.protobuf:protobuf-kotlin-lite:3.20.3, com.google.protobuf:protobuf-kotlin:3.20.3, com.google.protobuf:protobuf-kotlin:3.21.7, com.google.protobuf:protobuf-javalite:3.16.3, com.google.protobuf:protobuf-java:3.21.7, com.google.protobuf:protobuf-javalite:3.21.7, com.google.protobuf:protobuf-java:3.19.6, google-protobuf - 3.20.3