created the base of the azure devops build collector #3
add project base
created the base of the azure devops build collector
Critical OSS Vulnerability:
pkg:maven/com.capitalone.dashboard/[email protected]
17 Critical, 16 Severe, 1 Moderate, 0 Unknown vulnerabilities have been found across 19 dependencies
Components
pkg:maven/org.springframework/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2022-22950] CWE-770: Allocation of Resources Without Limits or Throttling
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-770
pkg:maven/org.apache.tomcat.embed/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-25762] CWE-404: Improper Resource Shutdown or Release
If a web application sends a WebSocket message concurrently with the WebSocket connection closing when running on Apache Tomcat 8.5.0 to 8.5.75 or Apache Tomcat 9.0.0.M1 to 9.0.20, it is possible that the application will continue to use the socket after it has been closed. The error handling triggered in this case could cause a pooled object to be placed in the pool twice. This could result in subsequent connections using the same object concurrently, which could result in data being returned to the wrong user and/or other errors.
CVSS Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:L
CWE: CWE-404
pkg:maven/commons-codec/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2012-0050] CWE-20: Improper Input Validation
commons-codec - Base32 would decode some invalid Base32 encoded string into arbitrary value
The product does not validate or incorrectly validates input that can affect the control flow or data flow of a program.
CVSS Score: 5.3
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-20
pkg:maven/org.mongodb/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2021-20328] CWE-295: Improper Certificate Validation
Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server's certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don't use Field Level Encryption.
CVSS Score: 6.8
CVSS Vector: CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
CWE: CWE-295
pkg:maven/org.springframework/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2022-22968] CWE-178: Improper Handling of Case Sensitivity
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-178
pkg:maven/org.apache.httpcomponents/[email protected]
SEVERE Vulnerabilities (1)
[CVE-2020-13956] CWE-20: Improper Input Validation
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-20
pkg:maven/com.google.guava/[email protected]
SEVERE Vulnerabilities (1)
[sonatype-2020-0926] CWE-379: Creation of Temporary File in Directory with Incorrect Permissions
guava - Creation of Temporary File in Directory with Insecure Permissions [CVE-2020-8908]
The software creates a temporary file in a directory whose permissions allow unintended actors to determine the file's existence or otherwise access that file.
CVSS Score: 6.2
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-379
pkg:maven/ch.qos.logback/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1175] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
logback-core - XML External Entity (XXE)
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVSS Score: 8.6
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:H
CWE: CWE-611
SEVERE Vulnerabilities (2)
[sonatype-2021-4517] CWE-502: Deserialization of Untrusted Data
logback-classic - Deserialization of Untrusted Data [CVE-2021-42550]
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVSS Score: 6.6
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
[sonatype-2021-1446] CWE-297: Improper Validation of Certificate with Host Mismatch
logback-core - Improper Validation of Certificate with Host Mismatch
The software communicates with a host that provides a certificate, but the software does not properly ensure that the certificate is actually associated with that host.
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-297
pkg:maven/org.springframework/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2016-1000027] CWE-502: Deserialization of Untrusted Data
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
SEVERE Vulnerabilities (1)
[CVE-2020-5421] CWE-20: Improper Input Validation
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
CVSS Score: 6.5
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:H/A:N
CWE: CWE-20
pkg:maven/org.springframework.security/[email protected]
CRITICAL Vulnerabilities (2)
[CVE-2022-22978] CWE-863: Incorrect Authorization
In Spring Security versions 5.5.6 and 5.6.3 and older unsupported versions, RegexRequestMatcher can easily be misconfigured to be bypassed on some servlet containers. Applications using RegexRequestMatcher with "." in the regular expression are possibly vulnerable to an authorization bypass.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-863
[CVE-2021-22112] CWE-285: Improper Authorization
Spring Security 5.4.x prior to 5.4.4, 5.3.x prior to 5.3.8.RELEASE, 5.2.x prior to 5.2.9.RELEASE, and older unsupported versions can fail to save the SecurityContext if it is changed more than once in a single request. A malicious user cannot cause the bug to happen (it must be programmed in). However, if the application's intent is to only allow the user to run with elevated privileges in a small portion of the application, the bug can be leveraged to extend those privileges to the rest of the application.
CVSS Score: 8.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-285
SEVERE Vulnerabilities (2)
[sonatype-2020-1270] CWE-208: Information Exposure Through Timing Discrepancy
spring-security-web - Timing Attack
Two separate operations in a product require different amounts of time to complete, in a way that is observable to an actor and reveals security-relevant information about the state of the product, such as whether a particular operation was successful or not.
CVSS Score: 5.9
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-208
[sonatype-2017-0507] CWE-352: Cross-Site Request Forgery (CSRF)
spring-security-web - Cross-Site Request Forgery
The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
CVSS Score: 5
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L
CWE: CWE-352
MODERATE Vulnerabilities (1)
[sonatype-2019-0341] CWE-327: Use of a Broken or Risky Cryptographic Algorithm
Spring Security - CSRF tokens vulnerable to BREACH attack
The use of a broken or risky cryptographic algorithm is an unnecessary risk that may result in the exposure of sensitive information.
CVSS Score: 3.7
CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N
CWE: CWE-327
pkg:maven/ch.qos.logback/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2017-5929] CWE-502: Deserialization of Untrusted Data
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
SEVERE Vulnerabilities (1)
[sonatype-2021-4517] CWE-502: Deserialization of Untrusted Data
logback-classic - Deserialization of Untrusted Data [CVE-2021-42550]
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVSS Score: 6.6
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
pkg:maven/com.fasterxml.jackson.core/[email protected]
CRITICAL Vulnerabilities (5)
[CVE-2018-19360] CWE-502: Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
[CVE-2018-19361] CWE-502: Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
[CVE-2018-19362] CWE-502: Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
CVSS Score: 9.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-502
[CVE-2020-25649] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N
CWE: CWE-611
[CVE-2020-36518] CWE-787: Out-of-bounds Write
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-787
pkg:maven/org.mozilla/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2018-0590] CWE-611: Improper Restriction of XML External Entity Reference ('XXE')
org.mozilla:rhino - XML External Entity Reference (XXE)
The software processes an XML document that can contain XML entities with URIs that resolve to documents outside of the intended sphere of control, causing the product to embed incorrect documents into its output.
CVSS Score: 8.8
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-611
pkg:maven/org.springframework/[email protected]
CRITICAL Vulnerabilities (2)
[CVE-2022-22965] CWE-94: Improper Control of Generation of Code ('Code Injection')
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-94
[sonatype-2022-1764] CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection')
Spring-Beans - Remote Code Execution (RCE) [CVE-2022-22965]
The application uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.
CVSS Score: 9.8
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-470
pkg:maven/org.springframework/[email protected]
SEVERE Vulnerabilities (2)
[CVE-2020-5397] CWE-352: Cross-Site Request Forgery (CSRF)
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not include credentials and therefore requests should fail authentication. However a notable exception to this are Chrome based browsers when using client certificates for authentication since Chrome sends TLS client certificates in CORS preflight requests in violation of spec requirements. No HTTP body can be sent or received as a result of this attack.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-352
[CVE-2021-22060] CWE-117: Improper Output Neutralization for Logs
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
CVSS Score: 4.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-117
pkg:maven/commons-beanutils/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2014-0114] CWE-20: Improper Input Validation
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
CVSS Score: 7.5
CVSS Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
CWE: CWE-20
pkg:maven/org.hibernate/[email protected]
SEVERE Vulnerabilities (2)
[CVE-2019-10219] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
A vulnerability was found in Hibernate-Validator. The SafeHtml validator annotation fails to properly sanitize payloads consisting of potentially malicious code in HTML comments and instructions. This vulnerability can result in an XSS attack.
CVSS Score: 6.1
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
[CVE-2020-10693] CWE-20: Improper Input Validation
A flaw was found in Hibernate Validator version 6.1.2.Final. A bug in the message interpolation processor enables invalid EL expressions to be evaluated as if they were valid. This flaw allows attackers to bypass input sanitation (escaping, stripping) controls that developers may have put in place when handling user-controlled data in error messages.
CVSS Score: 5.3
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
CWE: CWE-20
pkg:maven/com.google.code.gson/[email protected]
CRITICAL Vulnerabilities (1)
[sonatype-2021-1694] CWE-502: Deserialization of Untrusted Data
gson - Deserialization of Untrusted Data
The application deserializes untrusted data without sufficiently verifying that the resulting data will be valid.
CVSS Score: 7.5
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-502
pkg:maven/org.springframework.boot/[email protected]
CRITICAL Vulnerabilities (1)
[CVE-2022-27772] CWE-668: Exposure of Resource to Wrong Sphere
** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
CVSS Score: 7.8
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-668
This component collects the information from the Azure DevOps pipeline builds to be displayed on the Hygieia dashboard.