spotbugs-4.7.3.jar: 1 vulnerabilities (highest severity is: 9.8) - autoclosed

[mend-for-github.aaakk.us.kg]

Vulnerable Library - spotbugs-4.7.3.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar

Found in HEAD commit: e0d6a0c6e69d9778b478218c81179169acbbcbea

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spotbugs version)	Remediation Available
CVE-2022-42920	High	9.8	bcel-6.5.0.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-42920

Vulnerable Library - bcel-6.5.0.jar

Apache Commons Bytecode Engineering Library

Library home page: https://commons.apache.org/proper/commons-bcel

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar

Dependency Hierarchy:

• spotbugs-4.7.3.jar (Root Library)
  • ❌ bcel-6.5.0.jar (Vulnerable Library)

Found in HEAD commit: e0d6a0c6e69d9778b478218c81179169acbbcbea

Found in base branch: main

Vulnerability Details

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Publish Date: 2022-11-07

URL: CVE-2022-42920

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4

Release Date: 2022-11-07

Fix Resolution: org.apache.bcel:bcel:6.6.0

[mend-for-github.aaakk.us.kg]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.