jraft-core-1.3.15.bugfix.jar: 1 vulnerabilities (highest severity is: 9.8) #3130
Labels
Mend: dependency security vulnerability
Security vulnerability detected by Mend
Comments
mend-bolt-for-github
bot
added
the
Mend: dependency security vulnerability
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
1 similar comment
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
|
ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Path to dependency file: /laokou-sample/laokou-sample-seata/laokou-sample-seata-server/pom.xml
Path to vulnerable library: /laokou-sample/laokou-sample-seata/laokou-sample-seata-server/pom.xml
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Vulnerable Library - hessian-3.3.6.jar
An internal improved version of Hessian powered by Ant Financial.
Library home page: http://www.antfin.com/
Path to dependency file: /laokou-sample/laokou-sample-seata/laokou-sample-seata-server/pom.xml
Path to vulnerable library: /laokou-sample/laokou-sample-seata/laokou-sample-seata-server/pom.xml
Dependency Hierarchy:
Found in base branch: master
Vulnerability Details
sofa-hessian is an internal improved version of Hessian3/4 powered by Ant Group CO., Ltd. The SOFA Hessian protocol uses a blacklist mechanism to restrict deserialization of potentially dangerous classes for security protection. But there is a gadget chain that can bypass the SOFA Hessian blacklist protection mechanism, and this gadget chain only relies on JDK and does not rely on any third-party components. This issue is fixed by an update to the blacklist, users can upgrade to sofahessian version 3.5.5 to avoid this issue. Users unable to upgrade may maintain a blacklist themselves in the directory
external/serialize.blacklist.Publish Date: 2024-09-19
URL: CVE-2024-46983
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Suggested Fix
Type: Upgrade version
Origin: GHSA-c459-2m73-67hj
Release Date: 2024-09-19
Fix Resolution: com.alipay.sofa:hessian:3.5.5
Step up your Open Source Security Game with Mend here
The text was updated successfully, but these errors were encountered: