While performing OWASP maven dependency checks on one of our projects that use jDiameter's Ro Client and Server APIs, we have identified the following security vulnerabilities both in jdiameter-api and jdiameter-impl transitive dependencies:
File Path: /org/beanshell/bsh/2.0b4/bsh-2.0b4.jar
Vulnerability Type: OSSINDEX CVE-2016-2510
Severity: High
Description: BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

File Path: /io/netty/netty-all/4.0.36.Final/netty-all-4.0.36.Final.jar
Vulnerability Type: NVD CVE-2016-4970
Severity: High
Description: handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop). CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')

File Path: /io/netty/netty-all/4.0.36.Final/netty-all-4.0.36.Final.jar
Vulnerability Type: NVD CVE-2019-16869
Severity: Medium
Description: Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
@deruelle @ammendonca I am registering this issue as this could impact Production services in the telecoms industry that use the jdiameter-api and jdiameter-impl libraries. I guess it may simply be a matter of updating the above dependencies to a newer and more secure version?
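For a consumer of jdiameter-api/jdiameter-impl who cannot wait for an upstream release, the interim mitigation the issue hints at can be applied in the consuming project's own pom.xml: pin the vulnerable transitive artifacts to the fixed versions named in the report and make the OWASP scan fail the build on high-severity findings. The fragment below is an added example, not part of the issue or of the jDiameter project; the jdiameter version and the plugin version are placeholders, and the fixed versions (bsh 2.0b6, netty-all 4.1.42.Final) are taken from the CVE descriptions above.

```xml
<project>
  <!-- Added example: pin transitive dependencies pulled in by jdiameter-impl
       to the first versions the CVE descriptions above report as fixed. -->
  <dependencyManagement>
    <dependencies>
      <!-- CVE-2016-2510: fixed in BeanShell 2.0b6 -->
      <dependency>
        <groupId>org.beanshell</groupId>
        <artifactId>bsh</artifactId>
        <version>2.0b6</version>
      </dependency>
      <!-- CVE-2016-4970 (fixed in 4.0.37.Final) and CVE-2019-16869
           (fixed in 4.1.42.Final): 4.1.42.Final covers both. -->
      <dependency>
        <groupId>io.netty</groupId>
        <artifactId>netty-all</artifactId>
        <version>4.1.42.Final</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <groupId>org.mobicents.diameter</groupId>
      <artifactId>jdiameter-impl</artifactId>
      <version>JDIAMETER_VERSION_PLACEHOLDER</version>
    </dependency>
  </dependencies>

  <build>
    <plugins>
      <!-- Re-run the same OWASP scan on every build and fail on CVSS >= 7,
           so a regression (e.g. a new transitive bump back to 4.0.x) is caught. -->
      <plugin>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-maven</artifactId>
        <version>PLUGIN_VERSION_PLACEHOLDER</version>
        <configuration>
          <failBuildOnCVSS>7</failBuildOnCVSS>
        </configuration>
        <executions>
          <execution>
            <goals><goal>check</goal></goals>
          </execution>
        </executions>
      </plugin>
    </plugins>
  </build>
</project>
```

Because 4.1.x is a different Netty line from the 4.0.36.Final that jdiameter-impl was compiled against, verify the override with `mvn dependency:tree` and the project's own Ro client/server tests before relying on it; a binary-incompatible API change would surface at runtime, not at build time.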