Commit 59108b4

committed
Update known vulnerabilities
1 parent 789e5e9 commit 59108b4

File tree

1 file changed, +1 -1 lines changed

doc/known-vulnerabilities.csv

@@ -1,5 +1,5 @@
11
DependencyName,DependencyPath,Description,License,Md5,Sha1,Identifiers,CPE,CVE,CWE,Vulnerability,Source,CVSSv2_Severity,CVSSv2_Score,CVSSv2,CVSSv3_BaseSeverity,CVSSv3_BaseScore,CVSSv3,CPE Confidence,Evidence Count,VendorProject,Product,Name,DateAdded,ShortDescription,RequiredAction,DueDate,Notes
2-
clojure-1.12.0-alpha4.jar,/home/runner/.m2/repository/org/clojure/clojure/1.12.0-alpha4/clojure-1.12.0-alpha4.jar,Clojure core environment and runtime library.,Eclipse Public License 1.0: http://opensource.org/licenses/eclipse-1.0.php,456be51c630bef4d8743caa1d53362ae,4af7e3b51909eaaab4b7ab8a2220af09ed8bd52d,pkg:maven/org.clojure/[email protected],cpe:2.3:a:clojure:clojure:1.12.0:pha4:*:*:*:*:*:*,CVE-2024-22871,CWE-400 Uncontrolled Resource Consumption,An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function.,OSSINDEX,,,,HIGH,7.5,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,HIGH,20,,,,,,,,
2+
clojure-1.12.0-alpha4.jar,/home/runner/.m2/repository/org/clojure/clojure/1.12.0-alpha4/clojure-1.12.0-alpha4.jar,Clojure core environment and runtime library.,Eclipse Public License 1.0: http://opensource.org/licenses/eclipse-1.0.php,456be51c630bef4d8743caa1d53362ae,4af7e3b51909eaaab4b7ab8a2220af09ed8bd52d,pkg:maven/org.clojure/[email protected],cpe:2.3:a:clojure:clojure:1.12.0:pha4:*:*:*:*:*:*,CVE-2024-22871,CWE-674 Uncontrolled Recursion,An issue in Clojure versions 1.20 to 1.12.0-alpha5 allows an attacker to cause a denial of service (DoS) via the clojure.core$partial$fn__5920 function. Sonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2024-22871 for details,OSSINDEX,,,,HIGH,7.5,CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H,HIGH,20,,,,,,,,
33
commons-compress-1.22.jar,/home/runner/.m2/repository/org/apache/commons/commons-compress/1.22/commons-compress-1.22.jar,"Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.",https://www.apache.org/licenses/LICENSE-2.0.txt,f1e4db16fee4291212d91409313a8086,691a8b4e6cf4248c3bc72c8b719337d5cb7359fa,pkg:maven/org.apache.commons/[email protected],cpe:2.3:a:apache:commons_compress:1.22:*:*:*:*:*:*:*,CVE-2023-42503,"CWE-400 Uncontrolled Resource Consumption, CWE-20 Improper Input Validation, NVD-CWE-noinfo","Improper Input Validation, Uncontrolled Resource Consumption vulnerability in Apache Commons Compress in TAR parsing.This issue affects Apache Commons Compress:��from 1.22 before 1.24.0. Users are recommended to upgrade to version 1.24.0, which fixes the issue. A third party can create a malformed TAR file by manipulating file modification times headers, which when parsed with Apache Commons Compress, will cause a denial of service issue via CPU consumption. In version 1.22 of Apache Commons Compress, support was added for file modification times with higher precision (issue # COMPRESS-612 [1]). The format for the PAX extended headers carrying this data consists of two numbers separated by a period [2], indicating seconds and subsecond precision (for example ���1647221103.5998539���). The impacted fields are ���atime���, ���ctime���, ���mtime��� and ���LIBARCHIVE.creationtime���. No input validation is performed prior to the parsing of header values. Parsing of these numbers uses the BigDecimal [3] class from the JDK which has a publicly known algorithmic complexity issue when doing operations on large numbers, causing denial of service (see issue # JDK-6560193 [4]). 
A third party can manipulate file time headers in a TAR file by placing a number with a very long fraction (300,000 digits) or a number with exponent notation (such as ���9e9999999���) within a file modification time header, and the parsing of files with these headers will take hours instead of seconds, leading to a denial of service via exhaustion of CPU resources. This issue is similar to CVE-2012-2098 [5]. [1]: https://issues.apache.org/jira/browse/COMPRESS-612 [2]: https://pubs.opengroup.org/onlinepubs/9699919799/utilities/pax.html#tag_20_92_13_05 [3]: https://docs.oracle.com/javase/8/docs/api/java/math/BigDecimal.html [4]: https://bugs.openjdk.org/browse/JDK-6560193 [5]: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098 Only applications using CompressorStreamFactory class (with auto-detection of file types), TarArchiveInputStream and TarFile classes to parse TAR files are impacted. Since this code was introduced in v1.22, only that version and later versions are impacted.",NVD,,,,MEDIUM,5.5,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A,HIGH,106,,,,,,,,
44
commons-compress-1.22.jar,/home/runner/.m2/repository/org/apache/commons/commons-compress/1.22/commons-compress-1.22.jar,"Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.",https://www.apache.org/licenses/LICENSE-2.0.txt,f1e4db16fee4291212d91409313a8086,691a8b4e6cf4248c3bc72c8b719337d5cb7359fa,pkg:maven/org.apache.commons/[email protected],cpe:2.3:a:apache:commons_compress:1.22:*:*:*:*:*:*:*,CVE-2024-25710,CWE-835 Loop with Unreachable Exit Condition ('Infinite Loop'),Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0. Users are recommended to upgrade to version 1.26.0 which fixes the issue.,NVD,,,,MEDIUM,5.5,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A,HIGH,106,,,,,,,,
55
commons-compress-1.22.jar,/home/runner/.m2/repository/org/apache/commons/commons-compress/1.22/commons-compress-1.22.jar,"Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.",https://www.apache.org/licenses/LICENSE-2.0.txt,f1e4db16fee4291212d91409313a8086,691a8b4e6cf4248c3bc72c8b719337d5cb7359fa,pkg:maven/org.apache.commons/[email protected],cpe:2.3:a:apache:commons_compress:1.22:*:*:*:*:*:*:*,CVE-2024-26308,CWE-770 Allocation of Resources Without Limits or Throttling,"Allocation of Resources Without Limits or Throttling vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.21 before 1.26. Users are recommended to upgrade to version 1.26, which fixes the issue.",NVD,,,,MEDIUM,5.5,CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:1.8/RC:R/MAV:A,HIGH,106,,,,,,,,
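Review bot: the only substantive change in this hunk is on the clojure-1.12.0-alpha4.jar row, where the CWE for CVE-2024-22871 moves from `CWE-400 Uncontrolled Resource Consumption` to `CWE-674 Uncontrolled Recursion` and the description gains the sentence "Sonatype's research suggests that this CVE's details differ from those defined at NVD", while the source (OSSINDEX), severity (HIGH), score (7.5) and vector (`CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`) are unchanged; since the commit message says only "Update known vulnerabilities", it would help to state that this is a refresh of the OSSINDEX feed text rather than a reassessment of the finding. Worth confirming on the same row, in both the removed and added lines, is the CPE `cpe:2.3:a:clojure:clojure:1.12.0:pha4:*:*:*:*:*:*`, whose update field reads `pha4` rather than `alpha4`, which looks like a mis-split of the `1.12.0-alpha4` version string and is the value the CVE match was made on. The three commons-compress-1.22.jar context rows are unchanged and their own descriptions recommend upgrading to 1.24.0 / 1.26.0 / 1.26, so this commit records those findings rather than resolving them.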
