spotbugs-4.7.3.jar: 1 vulnerabilities (highest severity is: 9.8) unreachable #5
Description
Vulnerable Library - spotbugs-4.7.3.jar
Path to dependency file: /workflow-bot-app/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar
Vulnerabilities
CVE | Severity | CVSS | Dependency | Type | Fixed in (spotbugs version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2022-42920 | Critical | 9.8 | bcel-6.5.0.jar | Transitive | 4.8.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2022-42920
Vulnerable Library - bcel-6.5.0.jar
Apache Commons Bytecode Engineering Library
Library home page: http://www.apache.org/
Path to dependency file: /workflow-bot-app/build.gradle
Path to vulnerable library: /tmp/containerbase/cache/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar
Dependency Hierarchy:
- spotbugs-4.7.3.jar (Root Library)
- ❌ bcel-6.5.0.jar (Vulnerable Library)
Found in base branch: master
Reachability Analysis
The vulnerable code is unreachable
Vulnerability Details
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Publish Date: 2022-11-07
URL: CVE-2022-42920
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
Release Date: 2022-11-07
Fix Resolution (org.apache.bcel:bcel): 6.6.0
Direct dependency fix Resolution (com.github.spotbugs:spotbugs): 4.8.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.