jgrapht-core-1.5.2.jar: 3 vulnerabilities (highest severity is: 9.8)

[mend-bolt-for-github]

Vulnerable Library - jgrapht-core-1.5.2.jar

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apfloat/apfloat/1.10.1/a32c54f97317c72c9377bb4f2cdecd52fe6329a/apfloat-1.10.1.jar

Found in HEAD commit: 128fd449925b98c946919a9dbb251a56811b22ad

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (jgrapht-core version)	Remediation Possible**
CVE-2024-23086	Critical	9.8	apfloat-1.10.1.jar	Transitive	N/A*	❌
CVE-2024-23085	High	7.5	apfloat-1.10.1.jar	Transitive	N/A*	❌
CVE-2024-23084	High	7.5	apfloat-1.10.1.jar	Transitive	N/A*	❌

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-23086

Vulnerable Library - apfloat-1.10.1.jar

High performance arbitrary precision arithmetic library

Library home page: http://www.apfloat.org

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apfloat/apfloat/1.10.1/a32c54f97317c72c9377bb4f2cdecd52fe6329a/apfloat-1.10.1.jar

Dependency Hierarchy:

• jgrapht-core-1.5.2.jar (Root Library)
  • ❌ apfloat-1.10.1.jar (Vulnerable Library)

Found in HEAD commit: 128fd449925b98c946919a9dbb251a56811b22ad

Found in base branch: develop

Vulnerability Details

Apfloat v1.10.1 was discovered to contain a stack overflow via the component org.apfloat.internal.DoubleModMath::modPow(double. NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

Publish Date: 2024-04-08

URL: CVE-2024-23086

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-23085

Vulnerable Library - apfloat-1.10.1.jar

High performance arbitrary precision arithmetic library

Library home page: http://www.apfloat.org

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apfloat/apfloat/1.10.1/a32c54f97317c72c9377bb4f2cdecd52fe6329a/apfloat-1.10.1.jar

Dependency Hierarchy:

• jgrapht-core-1.5.2.jar (Root Library)
  • ❌ apfloat-1.10.1.jar (Vulnerable Library)

Found in HEAD commit: 128fd449925b98c946919a9dbb251a56811b22ad

Found in base branch: develop

Vulnerability Details

Apfloat v1.10.1 was discovered to contain a NullPointerException via the component org.apfloat.internal.DoubleScramble::scramble(double[], int, int[]). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

Publish Date: 2024-04-08

URL: CVE-2024-23085

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

CVE-2024-23084

Vulnerable Library - apfloat-1.10.1.jar

High performance arbitrary precision arithmetic library

Library home page: http://www.apfloat.org

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apfloat/apfloat/1.10.1/a32c54f97317c72c9377bb4f2cdecd52fe6329a/apfloat-1.10.1.jar

Dependency Hierarchy:

• jgrapht-core-1.5.2.jar (Root Library)
  • ❌ apfloat-1.10.1.jar (Vulnerable Library)

Found in HEAD commit: 128fd449925b98c946919a9dbb251a56811b22ad

Found in base branch: develop

Vulnerability Details

Apfloat v1.10.1 was discovered to contain an ArrayIndexOutOfBoundsException via the component org.apfloat.internal.DoubleCRTMath::add(double[], double[]). NOTE: this is disputed by multiple third parties who believe there was not reasonable evidence to determine the existence of a vulnerability. The submission may have been based on a tool that is not sufficiently robust for vulnerability identification.

Publish Date: 2024-04-08

URL: CVE-2024-23084

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Step up your Open Source Security Game with Mend here

[krusche]

We should remove the use of jgrapht in the Artemis server code. It's not really necessary, because the union of sets can be done with java.util.Set

[krusche]

Fixed in 17adae1 by using the lastest version of apfloat