
blackduck reporting vulnerabilities #281

Open
ryanhamilton opened this issue Dec 11, 2024 · 2 comments

Comments

ryanhamilton (Contributor) commented Dec 11, 2024

user-sit user-rd Would like blackduck scan to pass.

| Component origin id | Component origin version name | Vulnerability id |
| --- | --- | --- |
| com.h2database:h2:1.4.200 | 1.4.200 | BDSA-2018-2507 |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2021-23463 (BDSA-2021-3744) |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2021-42392 (BDSA-2022-0048) |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2022-23221 (BDSA-2022-0186) |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2022-45868 (BDSA-2022-3649) |
| org.json:json:20211205 | 20211205 | CVE-2022-45688 (BDSA-2022-4165) |
| org.json:json:20211205 | 20211205 | CVE-2023-5072 (BDSA-2023-2760) |
| ch.qos.logback:logback-classic:1.3.13 | 1.3.13 | BDSA-2023-3307 |
| ch.qos.logback:logback-classic:1.3.13 | 1.3.13 | CVE-2023-6481 (BDSA-2023-3341) |
| com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | CVE-2023-21971 (BDSA-2023-0906) |
| com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | CVE-2023-22102 |
| com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | BDSA-2024-4581 |
| io.netty:netty-common:4.1.107.Final | 4.1.107.Final | BDSA-2024-0720 |
| io.netty:netty-common:4.1.107.Final | 4.1.107.Final | BDSA-2024-8565 |
| org.postgresql:postgresql:42.5.0 | 42.5.0 | CVE-2022-41946 (BDSA-2022-3347) |
| org.postgresql:postgresql:42.5.0 | 42.5.0 | CVE-2024-1597 (BDSA-2024-0368) |

#282 Upgrade MySQL
#283 Upgrade postgres

Examining the details, many of the vulnerabilities are not real but upgrading may be the easiest to resolve.

ryanhamilton (Contributor, Author) commented

| Component origin id | Component origin version name | Vulnerability id | Description |
| --- | --- | --- | --- |
| com.h2database:h2:1.4.200 | 1.4.200 | BDSA-2018-2507 | H2 Database's backup function contains an arbitrary file read flaw due to insecure file permissions. This could be exploited by an attacker supplying a specially crafted database file which triggers a symlink attack. If successfully exploited, the user could read protected files on the system without valid permissions. |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2021-23463 (BDSA-2021-3744) | The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2021-42392 (BDSA-2022-0048) | The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution. |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2022-23221 (BDSA-2022-0186) | H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392. |
| com.h2database:h2:1.4.200 | 1.4.200 | CVE-2022-45868 (BDSA-2022-3649) | The web-based admin console in H2 Database Engine before 2.2.220 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that." Nonetheless, the issue was fixed in 2.2.220. |
| org.json:json:20211205 | 20211205 | CVE-2022-45688 (BDSA-2022-4165) | A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data. |
| org.json:json:20211205 | 20211205 | CVE-2023-5072 (BDSA-2023-2760) | Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used. |
| ch.qos.logback:logback-classic:1.3.13 | 1.3.13 | BDSA-2023-3307 | Logback contains a denial-of-service (DoS) vulnerability. An attacker could exploit this issue by connecting to a receiver and sending maliciously crafted data, which could in turn allow them to slow the logging of events or crash the application. Successful exploitation of this vulnerability requires that the logback-receiver component is enabled and also reachable by the attacker. |
| ch.qos.logback:logback-classic:1.3.13 | 1.3.13 | CVE-2023-6481 (BDSA-2023-3341) | A serialization vulnerability in the logback receiver component, part of logback versions 1.4.13, 1.3.13 and 1.2.12, allows an attacker to mount a Denial-Of-Service attack by sending poisoned data. |
| com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | CVE-2023-21971 (BDSA-2023-0906) | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H). |
| com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | CVE-2023-22102 | Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H). |
| com.mysql:mysql-connector-j:8.0.31 | 8.0.31 | BDSA-2024-4581 | Oracle MySQL Connectors contains a vulnerability within the Connector/Python component. A low privileged remote attacker could exploit this vulnerability via MySQL protocol in order to disclose sensitive information, damage the application's integrity, or cause a denial-of-service (DoS) condition. |
| io.netty:netty-common:4.1.107.Final | 4.1.107.Final | BDSA-2024-0720 | Netty is vulnerable to denial-of-service (DoS) due to insufficient restrictions on the amount of memory that is allocated in the HttpPostRequestDecoder component. An attacker could exploit this by sending maliciously crafted data in order to cause an out-of-memory (OOM) error and a denial-of-service (DoS). Note: The vendor has mentioned that any Netty based HTTP server that uses the HttpPostRequestDecoder to decode a form is impacted. |
| io.netty:netty-common:4.1.107.Final | 4.1.107.Final | BDSA-2024-8565 | Netty when in use in a Windows application is vulnerable to a denial-of-service (DoS) issue due to a lack of sufficient validation of environment files that are read during the Netty startup sequence. During the startup sequence, Netty has not yet verified what operating system is in use and attempts to access directories that are not normally present on Windows. An attacker with access to the system on which Netty is running could place large crafted files in the directories that Netty attempts to load and trigger a Java out-of-memory error that results in a crash of the Java based application using Netty. |
| org.postgresql:postgresql:42.5.0 | 42.5.0 | CVE-2022-41946 (BDSA-2022-3347) | pgjdbc is an open source postgresql JDBC Driver. In affected versions a prepared statement using either PreparedStatement.setText(int, InputStream) or PreparedStatement.setBytea(int, InputStream) will create a temporary file if the InputStream is larger than 2k. This will create a temporary file which is readable by other users on Unix like systems, but not MacOS. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. Java 1.7 and higher users: this vulnerability is fixed in 4.5.0. Java 1.6 and lower users: no patch is available. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will mitigate this vulnerability. |
| org.postgresql:postgresql:42.5.0 | 42.5.0 | CVE-2024-1597 (BDSA-2024-0368) | pgjdbc, the PostgreSQL JDBC Driver, allows attacker to inject SQL if using PreferQueryMode=SIMPLE. Note this is not the default. In the default mode there is no vulnerability. A placeholder for a numeric value must be immediately preceded by a minus. There must be a second placeholder for a string value after the first placeholder; both must be on the same line. By constructing a matching string payload, the attacker can inject SQL to alter the query, bypassing the protections that parameterized queries bring against SQL Injection attacks. Versions before 42.7.2, 42.6.1, 42.5.5, 42.4.4, 42.3.9, and 42.2.28 are affected. |
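The table above is what Black Duck reports; the triage question raised in this issue is whether each entry actually applies to the shipped version and what the smallest upgrade is that clears it. The script below is an added example, not code from this project or from Black Duck. It parses the pasted finding lines, then applies only the version bounds and exploit preconditions that the quoted descriptions state: entries whose text gives neither (BDSA-2018-2507) are reported as UNKNOWN rather than guessed, and CVE-2022-41946 is kept as precondition-only because the quoted fix version "4.5.0" does not compare sensibly against 42.x. The version comparison and the "smallest fix on the current release branch" choice are my assumptions about Maven-style versions, adequate for the versions on this page but not a general Maven version parser; the rule table and sample lines are constructed from the descriptions in this thread.

```python
"""Triage the Black Duck findings pasted in this issue (added example, not this project's code)."""
from __future__ import annotations
import re
from dataclasses import dataclass

# One pasted line: "<group>:<artifact>:<version> <version> <VULN-ID> (<BDSA-ID>)"
FINDING_RE = re.compile(
    r"^(?P<group>[^:\s]+):(?P<artifact>[^:\s]+):(?P<version>\S+)\s+\S+\s+"
    r"(?P<vuln>[A-Z]+-\d{4}-\d+)(?:\s+\((?P<bdsa>BDSA-\d{4}-\d+)\))?\s*$"
)

@dataclass(frozen=True)
class Finding:
    component: str       # "group:artifact"
    version: str
    vuln_id: str         # CVE or BDSA id
    bdsa_id: str | None  # cross-reference in parentheses, if present

def parse_finding(line: str) -> Finding:
    m = FINDING_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised Black Duck line: {line!r}")
    return Finding(f"{m['group']}:{m['artifact']}", m["version"], m["vuln"], m["bdsa"])

def version_key(v: str) -> tuple[int, ...]:
    """Numeric key for the Maven-style versions on this page (1.4.200, 42.5.0,
    4.1.107.Final, 20211205). 'Final'/'GA' are dropped because Maven treats them
    as the plain release; trailing zeros are dropped so 2.1 == 2.1.0. Not a full
    Maven ComparableVersion: snapshot/alpha qualifiers raise instead of guessing."""
    parts = []
    for p in v.split("."):
        if p.isdigit():
            parts.append(int(p))
        elif p.lower() not in ("final", "ga", "release"):
            raise ValueError(f"unsupported version qualifier in {v!r}")
    while parts and parts[-1] == 0:
        parts.pop()
    return tuple(parts)

@dataclass(frozen=True)
class Rule:
    """Version bounds and exploit preconditions exactly as the quoted advisory text states them."""
    fixed_in: tuple[str, ...] = ()       # "before X", one entry per maintained branch
    affected_through: str | None = None  # "X and prior" (inclusive)
    precondition: str | None = None      # non-default setup the text requires

RULES = {
    ("com.h2database:h2", "CVE-2021-23463"): Rule(fixed_in=("2.0.202",)),
    ("com.h2database:h2", "CVE-2021-42392"): Rule(precondition="H2 Console, or attacker-controlled driver/URL reaching JdbcUtils.getConnection"),
    ("com.h2database:h2", "CVE-2022-23221"): Rule(fixed_in=("2.1.210",), precondition="H2 Console reachable by the attacker"),
    ("com.h2database:h2", "CVE-2022-45868"): Rule(fixed_in=("2.2.220",), precondition="-webAdminPassword on the command line; local attacker"),
    ("org.json:json", "CVE-2023-5072"): Rule(affected_through="20230618"),
    ("ch.qos.logback:logback-classic", "BDSA-2023-3307"): Rule(precondition="logback receiver enabled and reachable"),
    ("ch.qos.logback:logback-classic", "CVE-2023-6481"): Rule(precondition="logback receiver enabled and reachable"),
    ("com.mysql:mysql-connector-j", "CVE-2023-21971"): Rule(affected_through="8.0.32", precondition="high-privileged network attacker plus user interaction"),
    ("com.mysql:mysql-connector-j", "CVE-2023-22102"): Rule(affected_through="8.1.0", precondition="user interaction"),
    ("com.mysql:mysql-connector-j", "BDSA-2024-4581"): Rule(precondition="description names the Connector/Python component"),
    ("io.netty:netty-common", "BDSA-2024-0720"): Rule(precondition="HTTP server decoding forms via HttpPostRequestDecoder"),
    ("io.netty:netty-common", "BDSA-2024-8565"): Rule(precondition="Windows host and local attacker able to plant files"),
    ("org.postgresql:postgresql", "CVE-2022-41946"): Rule(precondition="setText/setBytea with an InputStream over 2k on a shared tmpdir"),
    ("org.postgresql:postgresql", "CVE-2024-1597"): Rule(
        fixed_in=("42.7.2", "42.6.1", "42.5.5", "42.4.4", "42.3.9", "42.2.28"),
        precondition="PreferQueryMode=SIMPLE (not the default)"),
}
# BDSA-2018-2507 states no version bound or precondition, so it is left out and
# triage() reports it as UNKNOWN rather than guessing.

def branch_fix(version: str, fixed_in: tuple[str, ...]) -> str:
    """Smallest fix on the same major.minor branch (42.5.0 -> 42.5.5, not 42.7.2);
    if no branch matches, the newest fix release, the only maintained target left."""
    branch = version_key(version)[:2]
    same = [f for f in fixed_in if version_key(f)[:2] == branch]
    return min(same, key=version_key) if same else max(fixed_in, key=version_key)

def triage(f: Finding) -> tuple[str, str | None, str | None]:
    """Return (verdict, minimal fix version or None, precondition or None)."""
    rule = RULES.get((f.component, f.vuln_id))
    if rule is None:
        return "UNKNOWN", None, "no version bound or precondition in the quoted text"
    v, verdict, fix = version_key(f.version), "UNKNOWN", None
    if rule.affected_through is not None:
        verdict = "AFFECTED" if v <= version_key(rule.affected_through) else "NOT AFFECTED"
    if rule.fixed_in:
        fix = branch_fix(f.version, rule.fixed_in)
        verdict = "AFFECTED" if v < version_key(fix) else "NOT AFFECTED"
    return verdict, fix, rule.precondition

# Constructed input: a subset of the finding lines pasted above.
SAMPLE = """\
com.h2database:h2:1.4.200 1.4.200 BDSA-2018-2507
com.h2database:h2:1.4.200 1.4.200 CVE-2022-23221 (BDSA-2022-0186)
org.json:json:20211205 20211205 CVE-2023-5072 (BDSA-2023-2760)
com.mysql:mysql-connector-j:8.0.31 8.0.31 CVE-2023-22102
org.postgresql:postgresql:42.5.0 42.5.0 CVE-2024-1597 (BDSA-2024-0368)
""".splitlines()

if __name__ == "__main__":
    for f in map(parse_finding, SAMPLE):
        verdict, fix, why = triage(f)
        print(f"{f.vuln_id:<16} {verdict:<13} fix={fix or '-':<9} {why or ''}")
```

Run as a script it prints one verdict per line; imported, `triage()` can be called per finding from a CI step that fails only on AFFECTED entries. A NOT AFFECTED verdict only means the version is outside the range the text states; a precondition the deployment does not meet (H2 Console not exposed, PreferQueryMode left at its default) is the other half of the "not real" argument above and still has to be checked against how the dependency is actually used, not assumed.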

ryanhamilton (Contributor, Author) commented

Babel JSON unaffected:

[screenshot]
