This table represents the known exploitable and non-exploitable vulnerabilities in third party packages used in the project.
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-apigateway | com.fasterxml.jackson.core | CVE-2019-12086 | Effective | No |
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization. | MSB Project will monitor for a fix. |
| msb-apigateway | jquery | N/A | Effective | Yes | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-apigateway | com.squareup.okhttp3 | CVE-2018-20200 | Effective | Yes | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-apigateway | commons-codec | N/A | Effective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | MSB Project will monitor for a fix. |
| msb-apigateway | org.eclipse.jetty | CVE-2019-10241 CVE-2019-10247 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |
| msb-apigateway | org.eclipse.jetty | CVE-2019-10241 CVE-2019-10246 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-discovery | com.fasterxml.jackson.core | CVE-2019-12086 | Effective | No |
Note: This vulnerability exists due to the incomplete fix for CVE-2017-7525, CVE-2017-15095, CVE-2017-17485, CVE-2018-5968, CVE-2018-7489, CVE-2018-11307, CVE-2018-12022, CVE-2018-12023, CVE-2018-14718, CVE-2018-14719, CVE-2018-14720, and CVE-2018-14721. Evidence of this can be found at https://pivotal.io/security/cve-2017-4995. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialization. | MSB Project will monitor for a fix. |
| msb-discovery | com.smoketurner.dropwizard | CVE-2019-12086 CVE-2019-10241 CVE-2019-10246 CVE-2019-10247 | Ineffective zipkin-example will not be invoked in the MSB codes. | No | The jquery package is vulnerable to Prototype Pollution. The jQuery.extend and jQuery.fn.extend functions defined in many files allow an untrusted object to extend Object.prototype. An attacker can modify and add prototype properties to JavaScript objects and can potentially leverage those changes to crash the application or execute remote code. | Can't find zipkin-example jar in the dependency tree, it might not exist or a false report by nexus IQ. |
| msb-discovery | commons-codec | N/A | Effective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | MSB Project will monitor for a fix. |
| msb-discovery | org.eclipse.jetty | CVE-2019-10241 CVE-2019-10247 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |
| msb-discovery | org.eclipse.jetty | CVE-2019-10241 CVE-2019-10246 | Effective | No | In Eclipse Jetty version 9.2.26 and older, 9.3.25 and older, and 9.4.15 and older, the server is vulnerable to XSS conditions if a remote client USES a specially formatted URL against the DefaultServlet or ResourceHandler that is configured for showing a Listing of directory contents. The jetty package is vulnerable to Cross-Site Scripting (XSS). The sendDirectory() function in ResourceService.class and DefaultServlet.class files and the doDirectory() function in the ResourceHandler.class file use the getListHTML() function in the Resource.class file to fetch resource list as an HTML directory listing. This allows any JavaScript present in the list items to get fetched and rendered without proper sanitization of user-supplied input, leading to XSS. | MSB Project will monitor for a fix. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-java-sdk | com.fasterxml.jackson.core | CVE-2018-7489 | Effective | No | FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath. jackson-databind is vulnerable to Remote Code Execution (RCE). The validateSubType() function in the SubTypeValidator class allows untrusted Java objects to be deserialized. A remote attacker can exploit this by uploading a malicious serialized object that will result in RCE if the application attempts to deserialize it. The application is vulnerable by using this component, when default typing is enabled and passing in untrusted data to be deserialized. | MSB Project will monitor for a fix. |
| msb-java-sdk | com.squareup.okhttp3 | CVE-2018-20200 | Effective | Yes | ** DISPUTED ** CertificatePinner.java in OkHttp 3.x through 3.12.0 allows man-in-the-middle attackers to bypass certificate pinning by changing SSLContext and the boolean values while hooking the application. NOTE: This id is disputed because some parties don't consider this is a vulnerability. Their rationale can be found in https://github.com/square/okhttp/issues/4967. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-java-sdk | commons-codec | N/A | Effective | No | The Apache commons-codec package contains an Improper Input Validation vulnerability. The decode() method in the Base32, Base64, and BCodec classes fails to reject malformed Base32 and Base64 encoded strings and consequently decodes them into arbitrary values. A remote attacker can leverage this vulnerability to potentially tunnel additional information via seemingly legitimate Base32 or Base64 encoded strings. | MSB Project will monitor for a fix. |
| Repository | Group | Problem Code | Effective/Ineffective | Resolvable by Project | Impact Analysis | Action |
|---|---|---|---|---|---|---|
| msb-swagger-sdk | com.fasterxml.jackson.core | CVE-2017-7525 | Effective | No | A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. The application is vulnerable by using this component, when default typing is enabled. DMaaP client is not using the jackson-core.jar, in such a way that it will cause the vulnerability. Ticket #54030 has been opened with the LF by dmaap team. | MSB Project will monitor for a fix. |
| msb-swagger-sdk | com.fasterxml.jackson.dataformat | CVE-2016-3720 | Effective | Yes | XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors. ackson, a library to serialize or map Java objects to JSON, is vulnerable to an XML External Entity (XXE) attack as it processes external entities within XML input. The XmlFactory() method in XmlFactory.java does not disable external entities in the input XML data. A remote attacker can exploit the vulnerability by maliciously crafting the input XML file with external entities which when parsed leads to disclosure of sensitive data on the server for which the application has access to. | MSB Project will update the dependency to a newer version in which the issue is fixed. |
| msb-swagger-sdk | com.fasterxml.jackson.dataformat | CVE-2016-7051 | Effective | No | XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD. Jackson's jackson-dataformat-xml component is vulnerable to Server-Side Request Forgery. The XmlFactory() function in XmlFactory.class processes Document Type Definitions (DTDs) within XML input without any validation. A remote attacker can exploit the vulnerability by crafting the input XML file with malicious DTDs which when parsed leads to Server-Side Request Forgery and may lead to further attacks. | MSB Project will monitor for a fix. |
| msb-swagger-sdk | commons-beanutils | CVE-2014-0114 | Effective | No | Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1. pache Commons BeanUtils is vulnerable to ClassLoader manipulation which can lead to Remote Code Execution (RCE). Access to the class property is not suppressed, exposing it by default. An attacker can construct malicious input using the class property in order to manipulate the ClassLoader potentially leading to arbitrary code execution. If you are the calling application, you are vulnerable by running this component without filtering the class property name. If this is a transitive dependency, you will want to contact the parent project to ensure they have added a mitigating control. | MSB Project will monitor for a fix. |
| msb-swagger-sdk | commons-collections | N/A | Effective | Yes | The commons-collections package is vulnerable to Remote Code Execution (RCE). Due to the behavior of InvokerTransformer, a remote code execution attack may be executed against any application performing deserialization of user supplied objects when commons-collections is present on the classpath. The intended behavior of InvokerTransformer is to allow for the invocation of any method on the Java classpath. The InvokerTransformer class implements Serializable and therefore can be included in a serialized object. A combination of the intended functionality of the InvokerTransformer class and its serializable nature allows an attacker to embed malicious content, such as Runtime.getRuntime().exec() via Java reflection, allowing execution of remote code. | MSB Project will update the dependency to a newer version in which the issue is fixed. |