Skip to content

CVE-2022-45693 (High) detected in jettison-1.3.8.jar, jettison-1.1.jar #395

New issue
New issue
Open
Open
CVE-2022-45693 (High) detected in jettison-1.3.8.jar, jettison-1.1.jar#395
Labels
Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource
@mend-for-github-com

Description

@mend-for-github-com
mend-for-github-com
bot
opened on Dec 14, 2022

CVE-2022-45693 - High Severity Vulnerability

Vulnerable Libraries - jettison-1.3.8.jar, jettison-1.1.jar

jettison-1.3.8.jar

A StAX implementation for JSON.

Library home page: https://github.com/jettison-json/jettison

Path to dependency file: /ranger-hbase-plugin-shim/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.3.8/jettison-1.3.8.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.3.8/jettison-1.3.8.jar

Dependency Hierarchy:

  • hbase-server-2.0.2.jar (Root Library)
    • jettison-1.3.8.jar (Vulnerable Library)
jettison-1.1.jar

A StAX implementation for JSON.

Path to dependency file: /ranger-examples/conditions-enrichers/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/canner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/canner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/canner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/20210323191140_BPZOMN/downloadResource_XCVEKW/20210323194224/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar,/home/wss-scanner/.m2/repository/org/codehaus/jettison/jettison/1.1/jettison-1.1.jar

Dependency Hierarchy:

  • jettison-1.1.jar (Vulnerable Library)

Found in HEAD commit: 3d8c1142c5739a45e8e562215c8c83915a44ee6c

Found in base branch: master

Vulnerability Details

Jettison before v1.5.2 was discovered to contain a stack overflow via the map parameter. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted string.

Publish Date: 2022-12-13

URL: CVE-2022-45693

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-12-13

Fix Resolution (org.codehaus.jettison:jettison): 1.5.2

Direct dependency fix Resolution (org.apache.hbase:hbase-server): 2.0.3

⛑️ Automatic Remediation is available for this issue

Metadata

Metadata

Assignees

No one assigned

    Labels

    Mend: dependency security vulnerabilitySecurity vulnerability detected by WhiteSource

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions