Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

CVE-2023-38493 (High) detected in armeria-1.22.1.jar, armeria-1.15.0.jar #3069

Closed
mend-for-github-com bot opened this issue Jul 26, 2023 · 0 comments · Fixed by #3351
Closed

CVE-2023-38493 (High) detected in armeria-1.22.1.jar, armeria-1.15.0.jar #3069

mend-for-github-com bot opened this issue Jul 26, 2023 · 0 comments · Fixed by #3351
Assignees
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Milestone

Comments

@mend-for-github-com
Copy link
Contributor

mend-for-github-com bot commented Jul 26, 2023

CVE-2023-38493 - High Severity Vulnerability

Vulnerable Libraries - armeria-1.22.1.jar, armeria-1.15.0.jar

armeria-1.22.1.jar

Asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)

Library home page: https://armeria.dev/

Path to dependency file: /data-prepper-plugins/otel-logs-source/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.22.1/9e34f008f55d4095f01f00ac90edf05e8c9f711a/armeria-1.22.1.jar

Dependency Hierarchy:

  • armeria-1.22.1.jar (Vulnerable Library)
armeria-1.15.0.jar

Asynchronous HTTP/2 RPC/REST client/server library built on top of Java 8, Netty, Thrift and gRPC (armeria)

Library home page: https://armeria.dev/

Path to dependency file: /data-prepper-plugins/otel-logs-source/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.linecorp.armeria/armeria/1.15.0/6c26d009aa047e14edb8b99926772d441ab75cf0/armeria-1.15.0.jar

Dependency Hierarchy:

  • armeria-1.15.0.jar (Vulnerable Library)

Found in HEAD commit: 90bdaa7e7833bdd504c817e49d4434b4d8880f56

Found in base branch: main

Vulnerability Details

Armeria is a microservice framework Spring supports Matrix variables. When Spring integration is used, Armeria calls Spring controllers via TomcatService or JettyService with the path that may contain matrix variables. Prior to version 1.24.3, the Armeria decorators might not invoked because of the matrix variables. If an attacker sends a specially crafted request, the request may bypass the authorizer. Version 1.24.3 contains a patch for this issue.

Publish Date: 2023-07-25

URL: CVE-2023-38493

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

@mend-for-github-com mend-for-github-com bot added the Mend: dependency security vulnerability Security vulnerability detected by WhiteSource label Jul 26, 2023
@dlvenable dlvenable self-assigned this Sep 7, 2023
@dlvenable dlvenable added this to the v2.5 milestone Sep 7, 2023
dlvenable added a commit to dlvenable/data-prepper that referenced this issue Sep 18, 2023
…gies which fix some dependencies to specific versions. Instead, use dependency version requirements which allow for using newer versions. Resolves opensearch-project#3069.

Signed-off-by: David Venable <dlv@amazon.com>
@dlvenable dlvenable mentioned this issue Sep 18, 2023
4 tasks
dlvenable added a commit that referenced this issue Sep 20, 2023
Updates Armeria to 1.25.2. This also removes a Gradle resolution strategy which fixes some dependencies to specific versions. Instead, use a dependency version requirement which allows for using newer versions. Resolves #3069.

Signed-off-by: David Venable <dlv@amazon.com>
@github-project-automation github-project-automation bot moved this from Unplanned to Done in Data Prepper Tracking Board Sep 20, 2023
opensearch-trigger-bot bot pushed a commit that referenced this issue Sep 20, 2023
Updates Armeria to 1.25.2. This also removes a Gradle resolution strategy which fixes some dependencies to specific versions. Instead, use a dependency version requirement which allows for using newer versions. Resolves #3069.

Signed-off-by: David Venable <dlv@amazon.com>
(cherry picked from commit a016b7a)
dlvenable added a commit that referenced this issue Sep 20, 2023
Updates Armeria to 1.25.2. This also removes a Gradle resolution strategy which fixes some dependencies to specific versions. Instead, use a dependency version requirement which allows for using newer versions. Resolves #3069.

Signed-off-by: David Venable <dlv@amazon.com>
(cherry picked from commit a016b7a)

Co-authored-by: David Venable <dlv@amazon.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Mend: dependency security vulnerability Security vulnerability detected by WhiteSource
Projects
Archived in project
Development

Successfully merging a pull request may close this issue.

2 participants