
Update dependencies to remove security vulnerabilities #25

@itkhanz

Description

@itkhanz

2 vulnerabilities found in dependencies of mitmproxy-java 2.0.2:

Dependency maven:org.apache.commons:commons-collections4:4.0 is vulnerable

Upgrade to 4.1

GHSA-fjq5-5j5f-mvxh, Score: 9.8

It was found that the Apache commons-collections library permitted code execution when deserializing objects involving a specially constructed chain of classes. A remote attacker could use this flaw to execute arbitrary code with the permissions of the application using the commons-collections library.

Read More: https://osv.dev/vulnerability/GHSA-fjq5-5j5f-mvxh

GHSA-6hgm-866r-3cjv, Score: 8

Serialized-object interfaces in Java applications using the Apache Commons Collections (ACC) library may allow remote attackers to execute arbitrary commands via a crafted serialized Java object.

Read More: https://osv.dev/vulnerability/GHSA-6hgm-866r-3cjv

Results powered by Checkmarx ©

Dependency maven:org.java-websocket:Java-WebSocket:1.4.0 is vulnerable

Upgrade to 1.5.0

GHSA-gw55-jm4h-x339, Score: 9

The Java-WebSocket Client does not perform hostname verification.

  • This means that SSL certificates of other hosts are accepted as long as they are trusted. To exploit this vulnerability an attacker has to perform a man-in-the-middle (MITM) attack between a Java application using the Java-WebSocket Client and a WebSocket server it's connecting to.
  • TLS normally protects users and systems against MITM attacks, but it cannot if certificates from other trusted hosts are accepted by the client.
    For more information see: CWE-297: Improper Validation of Certificate with Host Mismatch - https://cwe.mitre.org/data/definitions/297.html
    Important note
    The OWASP Dependency-Check (https://jeremylong.github.io/DependencyCheck/index.html) may report that a dependency of your project is affected by this security vulnerability, but you don't use this lib.
    This is caused by the fuzzy search in the OWASP implementation.
    Check out this issue (Security Issue wrongly set up at NIST TooTallNate/Java-WebSocket#1019 (comment)) for more information and a way to suppress the warning.

Read More: https://osv.dev/vulnerability/GHSA-gw55-jm4h-x339

Results powered by Checkmarx ©
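Added example (not from the issue author or the mitmproxy-java project): until the library ships a release with updated dependencies, a consuming Maven project can force the two flagged transitive dependencies to the versions the scan recommends through `dependencyManagement`, which Maven applies to transitive dependencies as well. The groupId of mitmproxy-java is not given in the issue and is left as a placeholder.

```xml
<project>
  <!-- ... your own project's groupId / artifactId / version ... -->

  <!-- Pin the transitive dependencies flagged by the scan to the recommended
       versions. dependencyManagement overrides the versions that would otherwise
       be pulled in through mitmproxy-java 2.0.2. Re-run the project's tests after
       pinning: a forced upgrade of a transitive dependency is only safe if the
       library's use of that dependency is compatible with the newer version. -->
  <dependencyManagement>
    <dependencies>
      <!-- was 4.0 (GHSA-fjq5-5j5f-mvxh, GHSA-6hgm-866r-3cjv: unsafe deserialization) -->
      <dependency>
        <groupId>org.apache.commons</groupId>
        <artifactId>commons-collections4</artifactId>
        <version>4.1</version>
      </dependency>
      <!-- was 1.4.0 (GHSA-gw55-jm4h-x339: client performs no hostname verification) -->
      <dependency>
        <groupId>org.java-websocket</groupId>
        <artifactId>Java-WebSocket</artifactId>
        <version>1.5.0</version>
      </dependency>
    </dependencies>
  </dependencyManagement>

  <dependencies>
    <dependency>
      <!-- placeholder: the groupId of mitmproxy-java is not stated in the issue -->
      <groupId>GROUP_ID_PLACEHOLDER</groupId>
      <artifactId>mitmproxy-java</artifactId>
      <version>2.0.2</version>
    </dependency>
  </dependencies>
</project>
```

To confirm the override took effect, run `mvn dependency:tree -Dincludes=org.apache.commons:commons-collections4,org.java-websocket:Java-WebSocket` and check that only the pinned versions appear in the resolved tree.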
