logback-classic-1.1.3.jar: 1 vulnerabilities (highest severity is: 9.8) unreachable

[dev-mend-for-github-com]

Vulnerable Library - logback-classic-1.1.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (logback-classic version)	Remediation Possible**	Reachability
CVE-2017-5929	Critical	9.8	logback-classic-1.1.3.jar	Direct	1.2.0	✅	Unreachable

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-5929

Vulnerable Library - logback-classic-1.1.3.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.3/logback-classic-1.1.3.jar

Dependency Hierarchy:

• ❌ logback-classic-1.1.3.jar (Vulnerable Library)

Found in base branch: vp-rem

Reachability Analysis

The vulnerable code is unreachable

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

Release Date: 2017-03-13

Fix Resolution: 1.2.0

⛑️ Automatic Remediation will be attempted for this issue.

---

⛑️Automatic Remediation will be attempted for this issue.