
Vulnerabilities in Latest Release of Plugin #1296

Closed
milindbangar79 opened this issue Jan 26, 2024 · 7 comments

Comments

@milindbangar79

milindbangar79 commented Jan 26, 2024

Hi,

While trying to get the pitest-maven-plugin v1.15.6, I am seeing the following vulnerabilities, due to which our BOM vulnerability engine is not able to import the dependency/JAR.

```
Artifact: MAVEN - org.pitest:pitest-maven:1.15.6:jar
Dependencies (114)
Dependency: MAVEN - org.netbeans.lib:cvsclient:20060125:jar
RejectReasons (2)
RejectReason: 968ee164-ce17-4134-8549-de6af5e04ec6
Type: UNAPPROVED_LICENSE
License: Sun Public License
RejectReason: 373a6bdd-2bf8-40e6-9000-053e4351edc3
Type: UNKNOWN_LICENSE_FOUND
License: Sun Public License
Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-gitexe:1.9.4:jar
RejectReasons (6)
RejectReason: a9fdae4a-0878-43c5-8072-8a2c1cbf9017
Type: VULNERABILITY
Name: CVE-2018-19486
CVSS Score v2: 7.5
Severity: high
Description: Git before 2.19.2 on Linux and UNIX executes commands from the current working directory (as if '.' were at the end of $PATH) in certain cases involving the run_command() API and run-command.c, because there was a dangerous change from execvp to execv during 2017.
RejectReason: 6fc3fd31-072f-4a7d-8d2a-f89335c16fec
Type: VULNERABILITY
Name: CVE-2010-2542
CVSS Score v2: 7.5
Severity: high
Description: Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.
RejectReason: 391f5b22-9d0b-4712-a6cd-7610820b345d
Type: VULNERABILITY
Name: CVE-2015-7082
CVSS Score v2: 10
Severity: high
Description: Multiple unspecified vulnerabilities in Git before 2.5.4, as used in Apple Xcode before 7.2, have unknown impact and attack vectors. NOTE: this CVE is associated only with Xcode use cases.
RejectReason: 53a7dec0-cb40-4b74-a5f5-1d38f8cd8548
Type: VULNERABILITY
Name: CVE-2015-7545
CVSS Score v2: 7.5
Severity: high
Description: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
RejectReason: 591542f6-a1d6-4337-9861-da68a4232f8f
Type: VULNERABILITY
Name: CVE-2016-2324
CVSS Score v2: 10
Severity: high
Description: Integer overflow in Git before 2.7.4 allows remote attackers to execute arbitrary code via a (1) long filename or (2) many nested trees, which triggers a heap-based buffer overflow.
RejectReason: 626377e5-c777-45dd-b5e6-c9261d761718
Type: VULNERABILITY
Name: CVE-2017-14867
CVSS Score v2: 9
Severity: high
Description: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Dependency: MAVEN - commons-lang:commons-lang:2.6:jar (SEAL Component ID: 2079390)
Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-git-commons:1.9.4:jar
RejectReasons (4)
RejectReason: 1ae05f9a-eba9-4ccc-8b1d-cd629442b24b
Type: VULNERABILITY
Name: CVE-2010-2542
CVSS Score v2: 7.5
Severity: high
Description: Stack-based buffer overflow in the is_git_directory function in setup.c in Git before 1.7.2.1 allows local users to gain privileges via a long gitdir: field in a .git file in a working copy.
RejectReason: 66fc47e8-69cb-4365-90f6-9ecde401927a
Type: VULNERABILITY
Name: CVE-2015-7082
CVSS Score v2: 10
Severity: high
Description: Multiple unspecified vulnerabilities in Git before 2.5.4, as used in Apple Xcode before 7.2, have unknown impact and attack vectors. NOTE: this CVE is associated only with Xcode use cases.
RejectReason: 7c82e905-65b4-4a95-befc-37ffe3935dba
Type: VULNERABILITY
Name: CVE-2015-7545
CVSS Score v2: 7.5
Severity: high
Description: The (1) git-remote-ext and (2) unspecified other remote helper programs in Git before 2.3.10, 2.4.x before 2.4.10, 2.5.x before 2.5.4, and 2.6.x before 2.6.1 do not properly restrict the allowed protocols, which might allow remote attackers to execute arbitrary code via a URL in a (a) .gitmodules file or (b) unknown other sources in a submodule.
RejectReason: 7ebf4f1d-855d-4723-bd6f-e346d0b11b40
Type: VULNERABILITY
Name: CVE-2017-14867
CVSS Score v2: 9
Severity: high
Description: Git before 2.10.5, 2.11.x before 2.11.4, 2.12.x before 2.12.5, 2.13.x before 2.13.6, and 2.14.x before 2.14.2 uses unsafe Perl scripts to support subcommands such as cvsserver, which allows attackers to execute arbitrary OS commands via shell metacharacters in a module name. The vulnerable code is reachable via git-shell even without CVS support.
Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-svnexe:1.9.4:jar
RejectReasons (1)
RejectReason: 44d50ba2-7f68-476f-8ec3-4cf15a338a75
Type: VULNERABILITY
Name: CVE-2017-9800
CVSS Score v2: 7.5
Severity: high
Description: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-svn-commons:1.9.4:jar
RejectReasons (1)
RejectReason: 9120ea25-9b1d-47bc-8abc-bce1f00de9b6
Type: VULNERABILITY
Name: CVE-2017-9800
CVSS Score v2: 7.5
Severity: high
Description: A maliciously constructed svn+ssh:// URL would cause Subversion clients before 1.8.19, 1.9.x before 1.9.7, and 1.10.0.x through 1.10.0-alpha3 to run an arbitrary shell command. Such a URL could be generated by a malicious server, by a malicious user committing to a honest server (to attack another user of that server's repositories), or by a proxy server. The vulnerability affects all clients, including those that use file://, http://, and plain (untunneled) svn://.
```

As we are moving to JDK 21 for app development, not having the proper dependency becomes a blocker and we really want to use the plugin.

Thanks
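The scanner output quoted above can be triaged mechanically. The following Python is an added example, not part of this thread or of pitest: it parses that flat `Dependency:` / `RejectReason:` / `Type:` / `Name:` layout and groups the reject reasons per artifact, separating licence flags from CVEs and showing which CVEs the scanner attached to several JARs at once. The embedded report excerpt is constructed from the lines quoted above.

```python
"""Triage helper for the flat 'Dependency: / RejectReason: / Type: / Name:' scanner report quoted above.
Added example, not part of this thread or of pitest: it groups reject reasons per artifact so that
licence flags, CVEs, and CVEs shared across several JARs (one underlying component) stand out.
SAMPLE_REPORT is a constructed excerpt in the same layout as the report in the issue (descriptions omitted)."""

SAMPLE_REPORT = """\
Artifact: MAVEN - org.pitest:pitest-maven:1.15.6:jar
Dependency: MAVEN - org.netbeans.lib:cvsclient:20060125:jar
RejectReasons (2)
RejectReason: 968ee164-ce17-4134-8549-de6af5e04ec6
Type: UNAPPROVED_LICENSE
License: Sun Public License
RejectReason: 373a6bdd-2bf8-40e6-9000-053e4351edc3
Type: UNKNOWN_LICENSE_FOUND
License: Sun Public License
Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-gitexe:1.9.4:jar
RejectReason: 6fc3fd31-072f-4a7d-8d2a-f89335c16fec
Type: VULNERABILITY
Name: CVE-2010-2542
CVSS Score v2: 7.5
Dependency: MAVEN - commons-lang:commons-lang:2.6:jar (SEAL Component ID: 2079390)
Dependency: MAVEN - org.apache.maven.scm:maven-scm-provider-git-commons:1.9.4:jar
RejectReason: 1ae05f9a-eba9-4ccc-8b1d-cd629442b24b
Type: VULNERABILITY
Name: CVE-2010-2542
"""

def parse_report(text):
    """Return {artifact: [reason dict, ...]}; artifacts listed without reasons get an empty list."""
    findings, reasons, reason = {}, None, None
    for line in text.splitlines():
        key, _, value = line.partition(": ")  # split on the first ': ' only; values may contain more
        if key == "Dependency":
            reasons = findings.setdefault(value.split(" - ", 1)[-1], [])  # drop the 'MAVEN - ' prefix
        elif key == "RejectReason" and reasons is not None:
            reasons.append(reason := {"id": value})
        elif reason is not None and key in ("Type", "Name", "CVSS Score v2", "Severity", "License", "Description"):
            reason[key] = value
    return findings

def summarize(findings):
    """CVEs and licence flags per artifact, clean artifacts, and CVEs shared by several artifacts."""
    cves = {a: sorted({r["Name"] for r in rs if r.get("Type") == "VULNERABILITY"}) for a, rs in findings.items()}
    licences = {a: sorted(r["Type"] for r in rs if "LICENSE" in r.get("Type", "")) for a, rs in findings.items()}
    shared = {}  # the same CVE attached to several JARs usually points at one underlying component
    for artifact, names in cves.items():
        for cve in names:
            shared.setdefault(cve, []).append(artifact)
    return {"cves": {a: c for a, c in cves.items() if c}, "licence_flags": {a: l for a, l in licences.items() if l},
            "clean": sorted(a for a, rs in findings.items() if not rs),
            "shared_cves": {c: sorted(a) for c, a in shared.items() if len(a) > 1}}
```

Running `summarize(parse_report(SAMPLE_REPORT))` shows that the only CVE in the excerpt is reported twice, once per maven-scm git JAR, which is the pattern to check when deciding whether findings describe the Java artifact itself or a tool it drives.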

@hcoles
Owner

hcoles commented Jan 26, 2024

Hi @milindbangar79,

It's not clear that this represents a real vulnerability in pitest. How would it be exploited?

@milindbangar79
Author

Hi Henry,

We scan all open source software using Snyk, and if there are issues we can't use it in the organization, even though it cannot be exploited. So I am stuck, unable to use the latest version. I tried v1.15.0, which came up with similar issues.

Any help would be greatly appreciated. Thanks in advance

@hcoles
Owner

hcoles commented Jan 29, 2024

I'll take a look at this when I get a chance, or you're welcome to submit a PR.

As it doesn't look to be an exploitable security issue it may take a while before I can look at it. If you need a faster response and don't want to submit a PR, JP Morgan might want to consider an arcmutate subscription.

https://www.arcmutate.com/

In addition to the extensions in functionality, it comes with priority support that includes the open source product.

@milindbangar79
Author

Hi Henry,

Thanks for the response. I will look into it.

@hcoles
Owner

hcoles commented Feb 8, 2024

#1308 updates the maven vcs dependencies to their latest versions. This may or may not satisfy your vulnerability scanner.

@hcoles
Owner

hcoles commented Feb 27, 2024

@milindbangar79 did #1308 resolve the issue?

@hcoles
Owner

hcoles commented Apr 2, 2024

Closing as no response from OP.

@hcoles hcoles closed this as completed Apr 2, 2024