spotbugs-4.7.3.jar: 1 vulnerabilities (highest severity is: 9.8)

[mend-for-github-com]

Vulnerable Library - spotbugs-4.7.3.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar

Found in HEAD commit: b1d425f7f670e9accfabbe00c0be1cb2af0300f9

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (spotbugs version)	Remediation Available
CVE-2022-42920	Critical	9.8	bcel-6.5.0.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

Details

CVE-2022-42920

Vulnerable Library - bcel-6.5.0.jar

Apache Commons Bytecode Engineering Library

Library home page: https://commons.apache.org/proper/commons-bcel

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar

Dependency Hierarchy:

• spotbugs-4.7.3.jar (Root Library)
  • ❌ bcel-6.5.0.jar (Vulnerable Library)

Found in HEAD commit: b1d425f7f670e9accfabbe00c0be1cb2af0300f9

Found in base branch: master

Vulnerability Details

Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.

Publish Date: 2022-11-07

URL: CVE-2022-42920

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4

Release Date: 2022-11-07

Fix Resolution: org.apache.bcel:bcel:6.6.0

[mend-for-github-com]

✔️ This issue was automatically closed by Mend because the vulnerable library in the specific branch(es) was either marked as ignored or it is no longer part of the Mend inventory.

[mend-for-github-com]

ℹ️ This issue was automatically re-opened by Mend because the vulnerable library in the specific branch(es) has been detected in the Mend inventory.