
[🐸 Frogbot] Update Maven dependencies #192

Open
wants to merge 1 commit into
base: master

Conversation

buildguy
Collaborator

@buildguy buildguy commented Oct 3, 2024

🚨 This automated pull request was created by Frogbot and fixes the below:

📦 Vulnerable Dependencies

✍️ Summary

| Severity | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions | CVEs |
|---|---|---|---|---|---|
| High | Missing Context | mysql:mysql-connector-java:6.0.6 | mysql:mysql-connector-java 6.0.6 | [8.0.13] | CVE-2018-3258 |
| Critical | Missing Context | org.hsqldb:hsqldb:2.3.2 | org.hsqldb:hsqldb 2.3.2 | [2.7.1] | CVE-2022-41853 |

🔬 Research Details

[ CVE-2018-3258 ] mysql:mysql-connector-java 6.0.6

Description:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

[ CVE-2022-41853 ] org.hsqldb:hsqldb 2.3.2

Description:
Those using java.sql.Statement or java.sql.PreparedStatement in hsqldb (HyperSQL DataBase) to process untrusted input may be vulnerable to a remote code execution attack. By default it is allowed to call any static method of any Java class in the classpath resulting in code execution. The issue can be prevented by updating to 2.7.1 or by setting the system property "hsqldb.method_class_names" to classes which are allowed to be called. For example, System.setProperty("hsqldb.method_class_names", "abc") or Java argument -Dhsqldb.method_class_names="abc" can be used. From version 2.7.1 all classes by default are not accessible except those in java.lang.Math and need to be manually enabled.


@buildguy buildguy requested a review from a team as a code owner October 3, 2024 10:20
@buildguy

This comment has been minimized.

@buildguy buildguy force-pushed the frogbot-update-Maven-dependencies-master branch from 1221dfc to 6cb7a6a Compare October 3, 2024 11:59
@buildguy

This comment has been minimized.

@buildguy buildguy force-pushed the frogbot-update-Maven-dependencies-master branch from 6cb7a6a to 732c81e Compare October 3, 2024 12:47

@buildguy
Collaborator Author

buildguy commented Oct 3, 2024

🚨 Frogbot scanned this pull request and found the below:

📦 Vulnerable Dependencies

✍️ Summary

| Severity | Contextual Analysis | Direct Dependencies | Impacted Dependency | Fixed Versions | CVEs |
|---|---|---|---|---|---|
| Critical | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-3711 |
| High | Undetermined | mysql:mysql-connector-java:8.0.13 | com.google.protobuf:protobuf-java 3.6.1 | [3.25.5], [4.27.5], [4.28.2] | CVE-2024-7254 |
| High | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2019-2435 |
| High | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-3449 |
| High | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2020-1967 |
| High | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-3712 |
| High | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-3450 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | [8.0.27] | CVE-2021-2471 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | [8.0.28] | CVE-2022-21363 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | com.google.protobuf:protobuf-java 3.6.1 | [3.15.0] | CVE-2021-22570 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | [5.1.49], [8.0.15] | CVE-2020-2875 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | [8.0.16] | CVE-2019-2692 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | com.google.protobuf:protobuf-java 3.6.1 | [3.16.1], [3.18.2], [3.19.2] | CVE-2021-22569 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | [5.1.49], [8.0.21] | CVE-2020-2934 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-44531 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-44532 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2023-21971 |
| Medium | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2021-44533 |
| Low | Undetermined | mysql:mysql-connector-java:8.0.13 | mysql:mysql-connector-java 8.0.13 | - | CVE-2022-21824 |
| High | Not Applicable | mysql:mysql-connector-java:8.0.13 | com.google.protobuf:protobuf-java 3.6.1 | [3.16.3], [3.19.6], [3.20.3], [3.21.7] | CVE-2022-3509 |
| High | Not Applicable | mysql:mysql-connector-java:8.0.13 | com.google.protobuf:protobuf-java 3.6.1 | [3.16.3], [3.19.6], [3.20.3], [3.21.7] | CVE-2022-3171 |
| High | Not Applicable | mysql:mysql-connector-java:8.0.13 | com.google.protobuf:protobuf-java 3.6.1 | [3.16.3], [3.19.6], [3.20.3], [3.21.7] | CVE-2022-3510 |

🔬 Research Details
[ CVE-2021-3711 ] mysql:mysql-connector-java 8.0.13

Description:
In order to decrypt SM2 encrypted data an application is expected to call the API function EVP_PKEY_decrypt(). Typically an application will call this function twice. The first time, on entry, the "out" parameter can be NULL and, on exit, the "outlen" parameter is populated with the buffer size required to hold the decrypted plaintext. The application can then allocate a sufficiently sized buffer and call EVP_PKEY_decrypt() again, but this time passing a non-NULL value for the "out" parameter. A bug in the implementation of the SM2 decryption code means that the calculation of the buffer size required to hold the plaintext returned by the first call to EVP_PKEY_decrypt() can be smaller than the actual size required by the second call. This can lead to a buffer overflow when EVP_PKEY_decrypt() is called by the application a second time with a buffer that is too small. A malicious attacker who is able to present SM2 content for decryption to an application could cause attacker chosen data to overflow the buffer by up to a maximum of 62 bytes, altering the contents of other data held after the buffer, possibly changing application behaviour or causing the application to crash. The location of the buffer is application dependent but is typically heap allocated. Fixed in OpenSSL 1.1.1l (Affected 1.1.1-1.1.1k).

[ CVE-2024-7254 ] com.google.protobuf:protobuf-java 3.6.1

Description:
Any project that parses untrusted Protocol Buffers data containing an arbitrary number of nested groups / series of SGROUP tags can be corrupted by exceeding the stack limit, i.e. StackOverflow. Parsing nested groups as unknown fields with DiscardUnknownFieldsParser or Java Protobuf Lite parser, or against Protobuf map fields, creates unbounded recursions that can be abused by an attacker.

[ CVE-2019-2435 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/Python). Supported versions that are affected are 8.0.13 and prior and 2.1.8 and prior. Easily exploitable vulnerability allows unauthenticated attacker with network access via TLS to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all MySQL Connectors accessible data as well as unauthorized access to critical data or complete access to all MySQL Connectors accessible data. CVSS 3.0 Base Score 8.1 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N).

[ CVE-2021-3449 ] mysql:mysql-connector-java 8.0.13

Description:
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

[ CVE-2020-1967 ] mysql:mysql-connector-java 8.0.13

Description:
OpenSSL is a software library for applications that secure communications over computer networks against eavesdropping or need to identify the party at the other end. It is widely used by Internet servers, including the majority of HTTPS websites.

OpenSSL's SSL_check_chain() function is used to check whether a certificate, a private key and certificate chain are suitable for use with the current session. A NULL pointer dereference vulnerability exists in this function due to incorrect handling of the signature_algorithms_cert TLS extension. When an invalid or unrecognized signature algorithm is received by an attacker, a crash occurs, leading to denial of service.

Remediation:

Development mitigations

SSL_check_chain is vulnerable to non-existent signature algorithm names. If this function is used in such a way that an untrusted party is able to craft the signatures that should be used in a handshake, it is recommended to remove use of this function. As a result, that handshake would fail at a later stage.

[ CVE-2021-3712 ] mysql:mysql-connector-java 8.0.13

Description:
ASN.1 strings are represented internally within OpenSSL as an ASN1_STRING structure which contains a buffer holding the string data and a field holding the buffer length. This contrasts with normal C strings which are represented as a buffer for the string data which is terminated with a NUL (0) byte. Although not a strict requirement, ASN.1 strings that are parsed using OpenSSL's own "d2i" functions (and other similar parsing functions) as well as any string whose value has been set with the ASN1_STRING_set() function will additionally NUL terminate the byte array in the ASN1_STRING structure. However, it is possible for applications to directly construct valid ASN1_STRING structures which do not NUL terminate the byte array by directly setting the "data" and "length" fields in the ASN1_STRING array. This can also happen by using the ASN1_STRING_set0() function. Numerous OpenSSL functions that print ASN.1 data have been found to assume that the ASN1_STRING byte array will be NUL terminated, even though this is not guaranteed for strings that have been directly constructed. Where an application requests an ASN.1 structure to be printed, and where that ASN.1 structure contains ASN1_STRINGs that have been directly constructed by the application without NUL terminating the "data" field, then a read buffer overrun can occur. The same thing can also occur during name constraints processing of certificates (for example if a certificate has been directly constructed by the application instead of loading it via the OpenSSL parsing functions, and the certificate contains non NUL terminated ASN1_STRING structures). It can also occur in the X509_get1_email(), X509_REQ_get1_email() and X509_get1_ocsp() functions. If a malicious actor can cause an application to directly construct an ASN1_STRING and then process it through one of the affected OpenSSL functions then this issue could be hit. This might result in a crash (causing a Denial of Service attack).
It could also result in the disclosure of private memory content...

[ CVE-2021-3450 ] mysql:mysql-connector-java 8.0.13

Description:
This is a vulnerability in OpenSSL which may be exploited through Node.js. You can read more about it in https://www.openssl.org/news/secadv/20210325.txt

[ CVE-2021-2471 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.26 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized access to critical data or complete access to all MySQL Connectors accessible data and unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors. CVSS 3.1 Base Score 5.9 (Confidentiality and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:H).

[ CVE-2022-21363 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

[ CVE-2021-22570 ] com.google.protobuf:protobuf-java 3.6.1

Description:
Nullptr dereference when a null char is present in a proto symbol. The symbol is parsed incorrectly, leading to an unchecked call into the proto file's name during generation of the resulting error message. Since the symbol is incorrectly parsed, the file is nullptr. We recommend upgrading to version 3.15.0 or greater.

[ CVE-2020-2875 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

[ CVE-2019-2692 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

[ CVE-2021-22569 ] com.google.protobuf:protobuf-java 3.6.1

Description:
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.

[ CVE-2020-2934 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

[ CVE-2021-44531 ] mysql:mysql-connector-java 8.0.13

Description:
Accepting arbitrary Subject Alternative Name (SAN) types, unless a PKI is specifically defined to use a particular SAN type, can result in bypassing name-constrained intermediates. Node.js was accepting URI SAN types, which PKIs are often not defined to use. Additionally, when a protocol allows URI SANs, Node.js did not match the URI correctly. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44531 for more details.

[ CVE-2021-44532 ] mysql:mysql-connector-java 8.0.13

Description:
Node.js converts SANs (Subject Alternative Names) to a string format. It uses this string to check peer certificates against hostnames when validating connections. The string format was subject to an injection vulnerability when name constraints were used within a certificate chain, allowing the bypass of these name constraints. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44532 for more details.

[ CVE-2023-21971 ] mysql:mysql-connector-java 8.0.13

Description:
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.32 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized ability to cause a hang or frequently repeatable crash (complete DOS) of MySQL Connectors as well as unauthorized update, insert or delete access to some of MySQL Connectors accessible data and unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.1 Base Score 5.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:H).

[ CVE-2021-44533 ] mysql:mysql-connector-java 8.0.13

Description:
Node.js did not handle multi-value Relative Distinguished Names correctly. Attackers could craft certificate subjects containing a single-value Relative Distinguished Name that would be interpreted as a multi-value Relative Distinguished Name, for example, in order to inject a Common Name that would allow bypassing the certificate subject verification. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44533 for more details.

[ CVE-2022-21824 ] mysql:mysql-connector-java 8.0.13

Description:
Due to the formatting logic of the console.table() function it was not safe to allow user controlled input to be passed to the properties parameter while simultaneously passing a plain object with at least one property as the first parameter, which could be `__proto__`. The prototype pollution has very limited control, in that it only allows an empty string to be assigned to numerical keys of the object prototype. See https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21824 for more details.

[ CVE-2022-3509 ] com.google.protobuf:protobuf-java 3.6.1

Description:
Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Protocol Buffers encodes and decodes the protocol buffer's own format, called the wire format.
It was discovered that due to a design problem in the parsing procedure for text data, a denial of service can occur, due to unknown fields causing objects to be converted constantly between mutable and immutable forms, which may exhaust the CPU.

The issue only occurs when parsing a text Protobuf message buffer (using the TextFormat parser), which is uncommon.

Moreover, an attacker must be able to send a crafted Protobuf message to the victim client/server.

[ CVE-2022-3171 ] com.google.protobuf:protobuf-java 3.6.1

Description:
Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Protocol Buffers encodes and decodes the protocol buffer's own format, called the wire format.

It was discovered that due to a design problem in the parsing procedure for binary data, a denial of service can occur, due to unknown fields causing objects to be converted constantly between mutable and immutable forms.

The issue only occurs when a SubMessage-typed variable (from the example below) is required or optional, but not if it is repeated.
The example is vulnerable even if SubMessage is defined out of the Complex message.

An example of a vulnerable protobuf message:

```proto
message Complex {
    message SubMessage {
        required int32 str = 1;
    }
    required SubMessage required_msg = 3;
}
```

The attacker must be able to send a protobuf message with the SubMessage-typed variable to the victim client/server.

[ CVE-2022-3510 ] com.google.protobuf:protobuf-java 3.6.1

Description:
Protocol Buffers (a.k.a., protobuf) are Google's language-neutral, platform-neutral, extensible mechanism for serializing structured data.

Protocol Buffers encodes and decodes the protocol buffer's own format, called the wire format.

It was discovered that due to a design problem in the parsing procedure for binary data, a denial of service can occur, due to unknown fields causing objects to be converted constantly between mutable and immutable forms, which may exhaust the CPU.

The issue only occurs when a SubMessage-typed variable (see example below) is optional, but not if it is repeated.

An example of a vulnerable protobuf message:

```proto
message SubMessage {
    required int32 str = 1;
}

message Simple {
    extensions 3 to 199;
}

extend Simple {
    optional SubMessage bar = 3;
}
```

The attacker must be able to send a protobuf message with the SubMessage-typed variable to the victim client/server.


@buildguy
Collaborator Author

buildguy commented Oct 3, 2024

❌ Build failed in 6m 19s

Build command:

mvn clean verify -B -e -Daudit -Djs.no.sandbox -pl \
pentaho-aggdesigner-core,pentaho-aggdesigner-ui

👌 All tests passed!

Tests run: 68, Failures: 0, Skipped: 0    Test Results


ℹ️ This is an automatic message


2 participants