Nimbus-jose-jwt has a dependency on jcip-annotations version 1.0.1, which has identified vulnerabilities
Are there plans to update or remove this transitive dependency? Apparently, Snyk has identified at least one significant vulnerability.
Comments (3)
Here is one of the messages sent to me on jcip:
Source: NVD
Vulnerability ID: CVE-2020-10519
Severity: HIGH
CVSS V3 Score: 8.8
CVSS V2 Score: 6.5
Description: A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22.7 and was fixed in 2.22.7, 2.21.15, and 2.20.24. The underlying issues contributing to this vulnerability were identified through the GitHub Security Bug Bounty program.
Source: NVD
Vulnerability ID: CVE-2020-10518
Severity: HIGH
CVSS V3 Score: 8.8
CVSS V2 Score: 6.5
Description: A remote code execution vulnerability was identified in GitHub Enterprise Server that could be exploited when building a GitHub Pages site. User-controlled configuration of the underlying parsers used by GitHub Pages were not sufficiently restricted and made it possible to execute commands on the GitHub Enterprise Server instance. To exploit this vulnerability, an attacker would need permission to create and build a GitHub Pages site on the GitHub Enterprise Server instance. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in 2.21.6, 2.20.15, and 2.19.21. The underlying issues contributing to this vulnerability were identified both internally and through the GitHub Security Bug Bounty program.
Source: NVD
Vulnerability ID: CVE-2020-10517
Severity: MEDIUM
CVSS V3 Score: 4.3
CVSS V2 Score: 4
Description: An improper access control vulnerability was identified in GitHub Enterprise Server that allowed authenticated users of the instance to determine the names of unauthorized private repositories given their numerical IDs. This vulnerability did not allow unauthorized access to any repository content besides the name. This vulnerability affected all versions of GitHub Enterprise Server prior to 2.22 and was fixed in versions 2.21.6, 2.20.15, and 2.19.21. This vulnerability was reported via the GitHub Bug Bounty program.
changed status to invalid
This is a false positive: this lib has no relation to GitHub, and the JCIP annotations have no executable code in them.
```java
package net.jcip.annotations;

import java.lang.annotation.Documented;
import java.lang.annotation.ElementType;
import java.lang.annotation.Retention;
import java.lang.annotation.RetentionPolicy;
import java.lang.annotation.Target;

@Documented
@Target({ElementType.TYPE})
@Retention(RetentionPolicy.RUNTIME)
public @interface Immutable {
}
```
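The maintainer's reply rests on a property a reviewer can verify rather than take on trust: every class in the jar is an annotation interface, and annotation interfaces declare only abstract elements, so they carry no bytecode. The script below is an added example (not code from the Nimbus project or from the thread) that parses the class-file header of each `.class` entry in a jar and reports the `ACC_ANNOTATION` flag and method count, so a scanner finding like the one above can be triaged against what is actually in the artifact. The jar it inspects is constructed in memory from hypothetical minimal class files (an `Immutable` and a `GuardedBy` annotation plus an ordinary `demo/Helper` class to show the report distinguishing them); it is not the real jcip-annotations artifact, and the function and class names are this example's own.

```python
"""Triage helper: check whether every class in a jar is a plain annotation
type, which is the property the maintainer cites for jcip-annotations.
The sample jar below is constructed in memory; it is not the real artifact."""
import io
import struct
import zipfile

ACC_INTERFACE = 0x0200    # JVMS 4.1 class access flags
ACC_ANNOTATION = 0x2000

# Fixed payload size per constant_pool tag; CONSTANT_Utf8 (tag 1) is variable.
_CP_SIZES = {3: 4, 4: 4, 5: 8, 6: 8, 7: 2, 8: 2, 9: 4, 10: 4, 11: 4, 12: 4,
             15: 3, 16: 2, 17: 4, 18: 4, 19: 2, 20: 2}


def _u2(buf):
    return struct.unpack(">H", buf.read(2))[0]


def _skip_attributes(buf):
    for _ in range(_u2(buf)):
        buf.read(2)                                     # attribute_name_index
        buf.read(struct.unpack(">I", buf.read(4))[0])   # attribute_length bytes


def classify_class(data: bytes) -> dict:
    """Parse a .class file far enough to read access_flags and methods_count."""
    buf = io.BytesIO(data)
    if struct.unpack(">I", buf.read(4))[0] != 0xCAFEBABE:
        raise ValueError("not a class file")
    buf.read(4)                                         # minor_version, major_version
    cp_count, i = _u2(buf), 1
    while i < cp_count:                                 # walk the constant pool
        tag = buf.read(1)[0]
        if tag == 1:
            buf.read(_u2(buf))
        else:
            buf.read(_CP_SIZES[tag])
        i += 2 if tag in (5, 6) else 1                  # Long/Double occupy two slots
    access_flags = _u2(buf)
    buf.read(4)                                         # this_class, super_class
    buf.read(2 * _u2(buf))                              # interfaces
    for _ in range(_u2(buf)):                           # fields
        buf.read(6)
        _skip_attributes(buf)
    return {"annotation": bool(access_flags & ACC_ANNOTATION),
            "interface": bool(access_flags & ACC_INTERFACE),
            "methods": _u2(buf)}


def audit_jar(jar_bytes: bytes) -> dict:
    """Map each class in the jar (slash-separated name) to its classification."""
    report = {}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            if name.endswith(".class"):
                report[name[:-6]] = classify_class(zf.read(name))
    return report


def non_annotation_classes(jar_bytes: bytes) -> list:
    """Classes that are not annotation types: the only ones that can carry bytecode."""
    return sorted(n for n, info in audit_jar(jar_bytes).items() if not info["annotation"])


# --- constructed sample input: hypothetical minimal class files, not the real jar ---
def _utf8(s):
    return b"\x01" + struct.pack(">H", len(s)) + s.encode()


def _class_ref(idx):
    return b"\x07" + struct.pack(">H", idx)


def build_class(name: str, access_flags: int, method_count: int) -> bytes:
    """Smallest valid class file: 8 constant-pool entries, optional abstract methods."""
    cp = (_class_ref(2) + _utf8(name) + _class_ref(4) + _utf8("java/lang/Object")
          + _class_ref(6) + _utf8("java/lang/annotation/Annotation")
          + _utf8("value") + _utf8("()Ljava/lang/String;"))
    interfaces = [5] if access_flags & ACC_ANNOTATION else []
    body = struct.pack(">HHH", access_flags, 1, 3)      # flags, this_class, super_class
    body += struct.pack(">H", len(interfaces)) + b"".join(struct.pack(">H", i) for i in interfaces)
    body += struct.pack(">H", 0)                        # no fields
    body += struct.pack(">H", method_count)
    body += struct.pack(">HHHH", 0x0401, 7, 8, 0) * method_count  # public abstract value(), no attributes
    body += struct.pack(">H", 0)                        # no class attributes
    return struct.pack(">IHHH", 0xCAFEBABE, 0, 52, 9) + cp + body


def sample_jar() -> bytes:
    """Two annotation-only classes plus one ordinary class, so the report differs."""
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("net/jcip/annotations/Immutable.class",
                    build_class("net/jcip/annotations/Immutable", 0x2601, 0))
        zf.writestr("net/jcip/annotations/GuardedBy.class",
                    build_class("net/jcip/annotations/GuardedBy", 0x2601, 1))
        zf.writestr("demo/Helper.class", build_class("demo/Helper", 0x0021, 1))
    return out.getvalue()


if __name__ == "__main__":
    for cls, info in audit_jar(sample_jar()).items():
        print(cls, info)
    print("classes that could carry bytecode:", non_annotation_classes(sample_jar()))
```

Point `audit_jar` at the bytes of a real artifact from the local Maven repository to apply the same check; an annotation-only jar yields an empty `non_annotation_classes` list, while any class without `ACC_ANNOTATION` is the place to look before dismissing a finding.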
Would you provide more info?
The Snyk that we use here reports no issues.