You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@tomee.apache.org by "Richard Zowalla (Jira)" <ji...@apache.org> on 2022/10/19 06:32:00 UTC

[jira] [Updated] (TOMEE-2908) TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability

     [ https://issues.apache.org/jira/browse/TOMEE-2908?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Richard Zowalla updated TOMEE-2908:
-----------------------------------
    Affects Version/s: 7.0.9

> TomEE plus is affected by CVE-2020-7226 (BDSA-2020-2333) vulnerability
> ----------------------------------------------------------------------
>
>                 Key: TOMEE-2908
>                 URL: https://issues.apache.org/jira/browse/TOMEE-2908
>             Project: TomEE
>          Issue Type: Dependency upgrade
>    Affects Versions: 7.0.9
>            Reporter: Pardeep Kumar
>            Assignee: Jonathan Gallimore
>            Priority: Major
>
> TomEE plus version is using the *cryptacular-1.0.jar* which is affected by vulnerability CVE-2020-7226 (BDSA-2020-2333) with a CVSS score of 6.5 which causes denial-of-service (DoS) due to the mismanagement of system memory resources.
> *Issue:* _CiphertextHeader.java_ in Cryptacular 1.2.3, as used in Apereo CAS and other products, allows attackers to trigger excessive memory allocation during a decode operation, because the nonce array length associated with "new byte" may depend on untrusted input within the header of encoded data.
>  
> Please confirm if this vulnerability impacts version 7.0.7, 7.0.8, 7.1.2, and 7.1.3?



--
This message was sent by Atlassian Jira
(v8.20.10#820010)