iceColdChris / Tetris

TCSS 305 Project reimagined in Kotlin


CVE-2019-10101 (High) detected in multiple libraries

mend-bolt-for-github opened this issue

CVE-2019-10101 - High Severity Vulnerability

Vulnerable Libraries - kotlin-reflect-1.2.10.jar, kotlin-stdlib-1.2.10.jar, kotlin-stdlib-jdk7-1.2.10.jar, kotlin-stdlib-jdk8-1.2.10.jar

kotlin-reflect-1.2.10.jar

Kotlin Full Reflection Library

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-reflect/1.2.10/19bc012f8c4cd6b705bd6512263777cc19bcf259/kotlin-reflect-1.2.10.jar

Dependency Hierarchy:

  • kotlin-annotation-processing-gradle-1.2.10.jar (Root Library)
    • kotlin-compiler-embeddable-1.2.10.jar
      • kotlin-reflect-1.2.10.jar (Vulnerable Library)

kotlin-stdlib-1.2.10.jar

Kotlin Standard Library

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.2.10/b9bf650516989595a5390e5a54181e16347208ac/kotlin-stdlib-1.2.10.jar

Dependency Hierarchy:

  • kotlin-annotation-processing-gradle-1.2.10.jar (Root Library)
    • kotlin-stdlib-1.2.10.jar (Vulnerable Library)

kotlin-stdlib-jdk7-1.2.10.jar

Kotlin Standard Library JDK 7 extension

Path to dependency file: /build.gradle

Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib-jdk7/1.2.10/cfe8b616b3bf0811ef70863c86b745a2e767a66e/kotlin-stdlib-jdk7-1.2.10.jar

Dependency Hierarchy:

  • kotlin-stdlib-jdk8-1.2.10.jar (Root Library)
    • kotlin-stdlib-jdk7-1.2.10.jar (Vulnerable Library)

kotlin-stdlib-jdk8-1.2.10.jar

Kotlin Standard Library JDK 8 extension

Library home page: https://kotlinlang.org/

Path to dependency file: /build.gradle

Path to vulnerable library: /downloadResource_8eae9804-db9c-4f3b-9f40-3277ce9c7f2c/20200219163646/kotlin-stdlib-jdk8-1.2.10.jar

Dependency Hierarchy:

  • kotlin-stdlib-jdk8-1.2.10.jar (Vulnerable Library)

Found in HEAD commit: c268a237f7fa753de2ebd32aff1e5a814be4c0ef

Vulnerability Details

JetBrains Kotlin versions before 1.3.30 resolved artifacts over a plain HTTP connection during the build process, potentially allowing a man-in-the-middle (MITM) attack.

Publish Date: 2019-07-03

URL: CVE-2019-10101

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10101

Release Date: 2019-07-03

Fix Resolution: 1.3.30
