CVE-2015-0292 #89
Comments
|
not sure what kind of checking this sonarqube does, but the quote references "crypto/evp/encode.c" - there is no C-code in jopenssl.jar. parts of jopenssl is a re-implementation of openssl in java, others parts use bouncy castle libraries. how does sonarqube thinks the jar is openssl ? |
|
maybe they're just checking our emulated JRuby-OpenSSL should not be subject to any of those issues. |
|
@mkristian, @kares : thanks your reply. I have confirmed with guys of sonarqube, the rule "Using Components with Known Vulnerabilities." is not from sonarqube plugin, is from a third-party plugin, I will post this issue to the provider of this plugin. |
I used the latest version 0.9.16-java of jruby-openssl gem in my project, but when I use sonarqube to scan my code, it reports many ""Using Components with Known Vulnerabilities.". issues caused by jruby-openssl, for example CVE-2015-0292, I want to ask if jruby-openssl 0.9.16-java version subject to the CVE-2015-0292, CVE-2014-3567,.. vulnerability? which open-ssl version does our jruby-openssl 0.9.16 map to?
Filename: jopenssl.jar | Reference: CVE-2015-0292 | CVSS Score: 7.5 | Category: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer | Integer underflow in the EVP_DecodeUpdate function in crypto/evp/encode.c in the base64-decoding implementation in OpenSSL before 0.9.8za, 1.0.0 before 1.0.0m, and 1.0.1 before 1.0.1h allows remote attackers to cause a denial of service (memory corruption) or possibly have unspecified other impact via crafted base64 data that triggers a buffer overflow.The text was updated successfully, but these errors were encountered: