structure-base-3.252.jar: 4 vulnerabilities (highest severity is: 8.1)

[mend-for-github-com]

Vulnerable Library - structure-base-3.252.jar

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.23.0/4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc/commons-compress-1.23.0.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (structure-base version)	Remediation Possible**	Reachability
CVE-2024-25710	High	8.1	commons-compress-1.23.0.jar	Transitive	N/A*	❌
CVE-2024-26308	Medium	5.5	commons-compress-1.23.0.jar	Transitive	N/A*	❌
CVE-2023-42503	Medium	5.5	commons-compress-1.23.0.jar	Transitive	N/A*	❌
CVE-2024-47554	Medium	4.3	commons-io-2.10.0.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-25710

Vulnerable Library - commons-compress-1.23.0.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.23.0/4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc/commons-compress-1.23.0.jar

Dependency Hierarchy:

• structure-base-3.252.jar (Root Library)
  • ❌ commons-compress-1.23.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.

Users are recommended to upgrade to version 1.26.0 which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-25710

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

CVE-2024-26308

Vulnerable Library - commons-compress-1.23.0.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.23.0/4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc/commons-compress-1.23.0.jar

Dependency Hierarchy:

• structure-base-3.252.jar (Root Library)
  • ❌ commons-compress-1.23.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26.

Users are recommended to upgrade to version 1.26, which fixes the issue.

Publish Date: 2024-02-19

URL: CVE-2024-26308

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.cve.org/CVERecord?id=CVE-2024-26308

Release Date: 2024-02-19

Fix Resolution: org.apache.commons:commons-compress:1.26.0

CVE-2023-42503

Vulnerable Library - commons-compress-1.23.0.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.23.0/4af2060ea9b0c8b74f1854c6cafe4d43cfc161fc/commons-compress-1.23.0.jar

Dependency Hierarchy:

• structure-base-3.252.jar (Root Library)
  • ❌ commons-compress-1.23.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress: from 1.22 before 1.24.0.

Users are recommended to upgrade to version 1.24.0, which fixes the issue.

A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption.

In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 1). The format for the PAX extended headers carrying this data consists of two numbers separated by a period 2, indicating seconds and subsecond precision (for example “1647221103.5998539”). The impacted fields are “atime”, “ctime”, “mtime” and “LIBARCHIVE.creationtime”. No input validation is performed prior to the parsing of header values.

Parsing of these numbers uses the BigDecimal 3 class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 4). A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as “9e9999999”) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 5.

Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.

Publish Date: 2023-09-14

URL: CVE-2023-42503

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/5xwcyr600mn074vgxq92tjssrchmc93c

Release Date: 2023-09-14

Fix Resolution: org.apache.commons:commons-compress:1.24.0

CVE-2024-47554

Vulnerable Library - commons-io-2.10.0.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: https://www.apache.org/

Path to dependency file: /build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.10.0/79384da84646660c57b89aa86a5a1eb98af50e00/commons-io-2.10.0.jar

Dependency Hierarchy:

• structure-base-3.252.jar (Root Library)
  • ❌ commons-io-2.10.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Uncontrolled Resource Consumption vulnerability in Apache Commons IO.

The org.apache.commons.io.input.XmlStreamReader class may excessively consume CPU resources when processing maliciously crafted input.

This issue affects Apache Commons IO: from 2.0 before 2.14.0.

Users are recommended to upgrade to version 2.14.0 or later, which fixes the issue.

Publish Date: 2024-10-03

URL: CVE-2024-47554

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/6ozr91rr9cj5lm0zyhv30bsp317hk5z1

Release Date: 2024-10-03

Fix Resolution: commons-io:commons-io:2.14.0