CVE-2022-42920 (Critical) detected in bcel-6.5.0.jar #291
Description
CVE-2022-42920 - Critical Severity Vulnerability
Vulnerable Library - bcel-6.5.0.jar
Apache Commons Bytecode Engineering Library
Library home page: https://commons.apache.org/proper/commons-bcel
Path to dependency file: /codecheck/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.bcel/bcel/6.5.0/79b1975ec0c7a6c1a15e19fb3a58cc4041b4aaea/bcel-6.5.0.jar
Dependency Hierarchy:
- spotbugs-4.2.1.jar (Root Library)
- ❌ bcel-6.5.0.jar (Vulnerable Library)
Found in HEAD commit: 55283f5f632ddb821a93b2b2c9c84db18dbec4cb
Found in base branch: master
Vulnerability Details
Apache Commons BCEL has a number of APIs that would normally only allow changing specific class characteristics. However, due to an out-of-bounds writing issue, these APIs can be used to produce arbitrary bytecode. This could be abused in applications that pass attacker-controllable data to those APIs, giving the attacker more control over the resulting bytecode than otherwise expected. Update to Apache Commons BCEL 6.6.0.
Publish Date: 2022-11-07
URL: CVE-2022-42920
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://lists.apache.org/thread/lfxk7q8qmnh5bt9jm6nmjlv5hsxjhrz4
Release Date: 2022-11-07
Fix Resolution (org.apache.bcel:bcel): 6.6.0
Direct dependency fix Resolution (com.github.spotbugs:spotbugs): 4.8.0
Step up your Open Source Security Game with Mend here