laokou-common-mybatis-plus-3.4.1.jar: 2 vulnerabilities (highest severity is: 6.6) #3178
Description
Vulnerable Library - laokou-common-mybatis-plus-3.4.1.jar
Path to vulnerable library: /laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-log/pom.xml,/laokou-common/laokou-common-mongodb/pom.xml,/laokou-common/laokou-common-mail/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-common/laokou-common-rocketmq/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in (laokou-common-mybatis-plus version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2024-12798 |  Medium |
6.6 | detected in multiple dependencies | Transitive | N/A* | ❌ |
| CVE-2024-12801 | Medium |
4.4 | logback-core-1.5.12.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2024-12798
Vulnerable Libraries - logback-core-1.5.12.jar, logback-classic-1.5.12.jar
logback-core-1.5.12.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /laokou-common/laokou-common-rocketmq/pom.xml
Path to vulnerable library: /laokou-common/laokou-common-rocketmq/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-common/laokou-common-mail/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-common/laokou-common-mongodb/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-log/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml
Dependency Hierarchy:
- laokou-common-mybatis-plus-3.4.1.jar (Root Library)
- laokou-common-core-3.4.1.jar
- spring-boot-starter-freemarker-3.4.1.jar
- spring-boot-starter-3.4.1.jar
- spring-boot-starter-logging-3.4.1.jar
- logback-classic-1.5.12.jar
- ❌ logback-core-1.5.12.jar (Vulnerable Library)
- logback-classic-1.5.12.jar
- spring-boot-starter-logging-3.4.1.jar
- spring-boot-starter-3.4.1.jar
- spring-boot-starter-freemarker-3.4.1.jar
- laokou-common-core-3.4.1.jar
logback-classic-1.5.12.jar
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /laokou-service/laokou-admin/laokou-admin-adapter/pom.xml
Path to vulnerable library: /laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-log/pom.xml,/laokou-common/laokou-common-mongodb/pom.xml,/laokou-common/laokou-common-mail/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-common/laokou-common-rocketmq/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml
Dependency Hierarchy:
- laokou-common-mybatis-plus-3.4.1.jar (Root Library)
- laokou-common-core-3.4.1.jar
- spring-boot-starter-freemarker-3.4.1.jar
- spring-boot-starter-3.4.1.jar
- spring-boot-starter-logging-3.4.1.jar
- ❌ logback-classic-1.5.12.jar (Vulnerable Library)
- spring-boot-starter-logging-3.4.1.jar
- spring-boot-starter-3.4.1.jar
- spring-boot-starter-freemarker-3.4.1.jar
- laokou-common-core-3.4.1.jar
Found in base branch: master
Vulnerability Details
ACE vulnerability in JaninoEventEvaluator by QOS.CH logback-core
upto including version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 in Java applications allows
attacker to execute arbitrary code by compromising an existing
logback configuration file or by injecting an environment variable
before program execution.
Malicious logback configuration files can allow the attacker to execute
arbitrary code using the JaninoEventEvaluator extension.
A successful attack requires the user to have write access to a
configuration file. Alternatively, the attacker could inject a malicious
environment variable pointing to a malicious configuration file. In both
cases, the attack requires existing privilege.
Publish Date: 2024-12-19
URL: CVE-2024-12798
CVSS 3 Score Details (6.6)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: High
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-pr98-23f8-jwxv
Release Date: 2024-12-19
Fix Resolution: ch.qos.logback:logback-core:1.5.13, ch.qos.logback:logback-classic:1.5.13
Step up your Open Source Security Game with Mend here
CVE-2024-12801
Vulnerable Library - logback-core-1.5.12.jar
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /laokou-common/laokou-common-rocketmq/pom.xml
Path to vulnerable library: /laokou-common/laokou-common-rocketmq/pom.xml,/laokou-service/laokou-admin/laokou-admin-app/pom.xml,/laokou-service/laokou-admin/laokou-admin-infrastructure/pom.xml,/laokou-common/laokou-common-security/pom.xml,/laokou-common/laokou-common-domain/pom.xml,/laokou-cloud/laokou-snail-job/pom.xml,/laokou-common/laokou-common-mail/pom.xml,/laokou-service/laokou-generator/laokou-generator-infrastructure/pom.xml,/laokou-common/laokou-common-mongodb/pom.xml,/laokou-common/laokou-common-snail-job/pom.xml,/laokou-service/laokou-admin/laokou-admin-adapter/pom.xml,/laokou-common/laokou-common-log/pom.xml,/laokou-cola/laokou-cola-infrastructure/pom.xml
Dependency Hierarchy:
- laokou-common-mybatis-plus-3.4.1.jar (Root Library)
- laokou-common-core-3.4.1.jar
- spring-boot-starter-freemarker-3.4.1.jar
- spring-boot-starter-3.4.1.jar
- spring-boot-starter-logging-3.4.1.jar
- logback-classic-1.5.12.jar
- ❌ logback-core-1.5.12.jar (Vulnerable Library)
- logback-classic-1.5.12.jar
- spring-boot-starter-logging-3.4.1.jar
- spring-boot-starter-3.4.1.jar
- spring-boot-starter-freemarker-3.4.1.jar
- laokou-common-core-3.4.1.jar
Found in base branch: master
Vulnerability Details
Server-Side Request Forgery (SSRF) in SaxEventRecorder by QOS.CH logback version 0.1 to 1.3.14 and 1.4.0 to 1.5.12 on the Java platform, allows an attacker to
forge requests by compromising logback configuration files in XML.
The attacks involves the modification of DOCTYPE declaration in XML configuration files.
Publish Date: 2024-12-19
URL: CVE-2024-12801
CVSS 3 Score Details (4.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-6v67-2wr5-gvf4
Release Date: 2024-12-19
Fix Resolution: ch.qos.logback:logback-core:1.5.13
Step up your Open Source Security Game with Mend here