CVE-2017-5929 (High) detected in multiple libraries - autoclosed #201
Labels
Mend: dependency security vulnerability
Security vulnerability detected by WhiteSource
Comments
mend-for-github.lhy31512.workers.dev
bot
added
the
Mend: dependency security vulnerability
1 task
This was referenced Apr 18, 2022
This was referenced May 5, 2022
1 task
mend-for-github.lhy31512.workers.dev
bot
changed the title
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
CVE-2017-5929 - High Severity Vulnerability
logback-classic-1.1.9.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-java-agent/appsec/weblog/weblog-spring-app/weblog-spring-app.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.9/978cd9fbb43b7abed6379d7b02de052d216e30fc/logback-classic-1.1.9.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.9/978cd9fbb43b7abed6379d7b02de052d216e30fc/logback-classic-1.1.9.jar
Dependency Hierarchy:
logback-classic-1.1.11.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-smoke-tests/springboot/springboot.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.11/ccedfbacef4a6515d2983e3f89ed753d5d4fb665/logback-classic-1.1.11.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.11/ccedfbacef4a6515d2983e3f89ed753d5d4fb665/logback-classic-1.1.11.jar
Dependency Hierarchy:
logback-classic-1.1.1.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-java-agent/instrumentation/play-2.3/play-2.3.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.1/19e1e2be2670b33c5dcc835550527028dddddcd1/logback-classic-1.1.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.1/19e1e2be2670b33c5dcc835550527028dddddcd1/logback-classic-1.1.1.jar
Dependency Hierarchy:
logback-core-1.1.3.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-java-agent/instrumentation/play-2.4/play-2.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.3/e3c02049f2dbbc764681b40094ecf0dcbc99b157/logback-core-1.1.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.3/e3c02049f2dbbc764681b40094ecf0dcbc99b157/logback-core-1.1.3.jar
Dependency Hierarchy:
logback-core-1.1.9.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-java-agent/appsec/weblog/weblog-spring-app/weblog-spring-app.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.9/e05d0cb67220937c32d7b4e5a47f967605376f63/logback-core-1.1.9.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.9/e05d0cb67220937c32d7b4e5a47f967605376f63/logback-core-1.1.9.jar
Dependency Hierarchy:
logback-core-1.0.0.jar
Logback: the generic, reliable, fast and flexible logging library for Java.
Library home page: http://logback.qos.ch
Path to dependency file: /dd-smoke-tests/log-injection/log-injection.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.0.0/b2893bbe71342232031f97faa1cf7bb4d99faced/logback-core-1.0.0.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.0.0/b2893bbe71342232031f97faa1cf7bb4d99faced/logback-core-1.0.0.jar
Dependency Hierarchy:
logback-core-1.1.1.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-java-agent/instrumentation/dropwizard/dropwizard-views/dropwizard-views.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.1/6d9866eb3f38b66530d7b1d41526228df3e9d963/logback-core-1.1.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.1/6d9866eb3f38b66530d7b1d41526228df3e9d963/logback-core-1.1.1.jar
Dependency Hierarchy:
logback-core-1.1.11.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-smoke-tests/springboot/springboot.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.11/88b8df40340eed549fb07e2613879bf6b006704d/logback-core-1.1.11.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.1.11/88b8df40340eed549fb07e2613879bf6b006704d/logback-core-1.1.11.jar
Dependency Hierarchy:
logback-classic-1.0.0.jar
Logback: the reliable, generic, fast and flexible logging library for Java.
Library home page: http://logback.qos.ch
Path to dependency file: /dd-smoke-tests/log-injection/log-injection.gradle
Path to vulnerable library: /caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.0.0/2577f6b69bbab34bb55634a4500b1b877aeffb7c/logback-classic-1.0.0.jar,/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.0.0/2577f6b69bbab34bb55634a4500b1b877aeffb7c/logback-classic-1.0.0.jar
Dependency Hierarchy:
logback-classic-1.1.3.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /dd-smoke-tests/play-2.4/play-2.4.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.3/d90276fff414f06cb375f2057f6778cd63c6082f/logback-classic-1.1.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.1.3/d90276fff414f06cb375f2057f6778cd63c6082f/logback-classic-1.1.3.jar
Dependency Hierarchy:
Found in HEAD commit: 2819174635979a19573ec0ce8e3e2b63a3848079
Found in base branch: master
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Publish Date: 2017-03-13
URL: CVE-2017-5929
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
For more information on CVSS3 Scores, click here.Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Release Date: 2017-03-13
Fix Resolution (ch.qos.logback:logback-classic): 1.2.0
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
Fix Resolution (ch.qos.logback:logback-classic): 1.2.0
Direct dependency fix Resolution (io.dropwizard:dropwizard-views): 1.3.0
Fix Resolution (ch.qos.logback:logback-core): 1.1.6
Direct dependency fix Resolution (com.typesafe.play:play_2.11): 2.5.0
Fix Resolution (ch.qos.logback:logback-core): 1.0.3
Direct dependency fix Resolution (ch.qos.logback:logback-classic): 1.0.3
Fix Resolution (ch.qos.logback:logback-core): 1.1.2
Direct dependency fix Resolution (io.dropwizard:dropwizard-views): 0.7.1
Fix Resolution (ch.qos.logback:logback-classic): 1.2.0
Direct dependency fix Resolution (com.typesafe.play:play_2.11): 2.5.0
⛑️ Automatic Remediation is available for this issue
The text was updated successfully, but these errors were encountered: