Update latest upstream patch #92
Security Report
You have successfully remediated 22 vulnerabilities, but introduced 16 new vulnerabilities in this branch.
❌ New vulnerabilities:
CVE | Severity | CVSS Score | Vulnerable Library | Suggested Fix | Issue |
---|---|---|---|---|---|
CVE-2023-40175; Path to dependency file: /src/emailservice/Gemfile.lock; Path to vulnerable library: /home/wss-scanner/.gem/ruby/3.2.0/cache/puma-6.3.0.gem; Dependency Hierarchy: -> ❌ puma-6.3.0.gem (Vulnerable Library) | Critical | 9.8 | puma-6.3.0.gem | Upgrade to version: puma - 5.6.7,6.3.1 | None |
CVE-2023-38704; Path to dependency file: /src/paymentservice/package.json; Path to vulnerable library: /src/paymentservice/package.json; Dependency Hierarchy: -> auto-instrumentations-node-0.38.0.tgz (Root Library) -> instrumentation-0.41.0.tgz -> ❌ import-in-the-middle-1.4.1.tgz (Vulnerable Library) | Critical | 9.8 | import-in-the-middle-1.4.1.tgz | Upgrade to version: import-in-the-middle - 1.4.2 | None |
CVE-2023-45133; Path to dependency file: /src/frontend/package.json; Path to vulnerable library: /src/frontend/package.json; Dependency Hierarchy: -> styled-components-6.0.7.tgz (Root Library) -> ❌ traverse-7.22.10.tgz (Vulnerable Library) | High | 8.8 | traverse-7.22.10.tgz | Upgrade to version: @babel/traverse - 7.23.2 | None |
CVE-2023-43804; Path to dependency file: /src/loadgenerator/requirements.txt; Path to vulnerable library: /src/loadgenerator/requirements.txt; Dependency Hierarchy: -> ❌ urllib3-2.0.4-py3-none-any.whl (Vulnerable Library) | High | 8.1 | urllib3-2.0.4-py3-none-any.whl | Upgrade to version: urllib3 - 1.26.17,2.0.6 | None |
CVE-2023-44487; Path to dependency file: /src/adservice/build.gradle; Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.87.Final/72b756ff290d782c9ebb36db7d42ee272270c0b4/netty-codec-http2-4.1.87.Final.jar; Dependency Hierarchy: -> grpc-netty-1.56.1.jar (Root Library) -> ❌ netty-codec-http2-4.1.87.Final.jar (Vulnerable Library) | High | 7.5 | netty-codec-http2-4.1.87.Final.jar | Upgrade to version: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3, v1.57.1, v1.58.3 | None |
CVE-2023-44487; Path to dependency file: /src/frauddetectionservice/build.gradle.kts; Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http2/4.1.93.Final/f1625b43bde13ec057da0d2fe381ded2547a70e/netty-codec-http2-4.1.93.Final.jar; Dependency Hierarchy: -> grpc-netty-1.57.0.jar (Root Library) -> ❌ netty-codec-http2-4.1.93.Final.jar (Vulnerable Library) | High | 7.5 | netty-codec-http2-4.1.93.Final.jar | Upgrade to version: org.eclipse.jetty.http2:http2-server:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-server:12.0.2, org.eclipse.jetty.http2:http2-common:9.4.53.v20231009,10.0.17,11.0.17, org.eclipse.jetty.http2:jetty-http2-common:12.0.2, nghttp - v1.57.0, swift-nio-http2 - 1.28.0, io.netty:netty-codec-http2:4.1.100.Final, trafficserver - 9.2.3, org.apache.tomcat:tomcat-coyote:8.5.94,9.0.81,10.1.14, org.apache.tomcat.embed:tomcat-embed-core:8.5.94,9.0.81,10.1.14, Microsoft.AspNetCore.App - 6.0.23,7.0.12, contour - v1.26.1, proxygen - v2023.10.16.00, grpc-go - v1.56.3, v1.57.1, v1.58.3 | #58 |
CVE-2023-43810; Path to dependency file: /src/recommendationservice/requirements.txt; Path to vulnerable library: /src/recommendationservice/requirements.txt,/src/loadgenerator/requirements.txt; Dependency Hierarchy: -> ❌ opentelemetry_instrumentation-0.40b0-py3-none-any.whl (Vulnerable Library) | High | 7.5 | opentelemetry_instrumentation-0.40b0-py3-none-any.whl | Upgrade to version: GHSA-5rv5-6h4r-h22v | None |
CVE-2023-39325; Path to dependency file: /src/productcatalogservice/go.mod; Path to vulnerable library: /src/productcatalogservice/go.mod; Dependency Hierarchy: -> google.golang.org/grpc-v1.56.1 (Root Library) -> ❌ golang.org/x/net-v0.11.0 (Vulnerable Library) | High | 7.5 | golang.org/x/net-v0.11.0 | Upgrade to version: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0 | None |
CVE-2023-39325; Path to dependency file: /src/accountingservice/go.mod; Path to vulnerable library: /src/accountingservice/go.mod,/src/checkoutservice/go.mod; Dependency Hierarchy: -> google.golang.org/grpc-v1.57.0 (Root Library) -> ❌ golang.org/x/net-v0.14.0 (Vulnerable Library) | High | 7.5 | golang.org/x/net-v0.14.0 | Upgrade to version: go1.20.10, go1.21.3, golang.org/x/net - v0.17.0 | None |
CVE-2023-4586; Path to dependency file: /src/adservice/build.gradle; Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.87.Final/2bd97491c22ebea4670c00f1bd5dbf65a8a1cfe7/netty-handler-4.1.87.Final.jar; Dependency Hierarchy: -> grpc-netty-1.56.1.jar (Root Library) -> netty-codec-http2-4.1.87.Final.jar -> ❌ netty-handler-4.1.87.Final.jar (Vulnerable Library) | High | 7.4 | netty-handler-4.1.87.Final.jar | Upgrade to version: org.infinispan:infinispan-client-hotrod:14.0.18.Final, org.infinispan:infinispan-client-hotrod-jakarta:14.0.18.Final | None |
CVE-2023-2976; Path to dependency file: /src/adservice/build.gradle; Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-jre/60458f877d055d0c9114d9e1a2efb737b4bc282c/guava-31.1-jre.jar; Dependency Hierarchy: -> grpc-netty-1.56.1.jar (Root Library) -> ❌ guava-31.1-jre.jar (Vulnerable Library) | High | 7.1 | guava-31.1-jre.jar | Upgrade to version: com.google.guava:guava:32.0.1-android,32.0.1-jre | None |
CVE-2023-2976; Path to dependency file: /src/adservice/build.gradle; Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/31.1-android/9222c47cc3ae890f07f7c961bbb3cb69050fe4aa/guava-31.1-android.jar; Dependency Hierarchy: -> grpc-stub-1.56.1.jar (Root Library) -> ❌ guava-31.1-android.jar (Vulnerable Library) | High | 7.1 | guava-31.1-android.jar | Upgrade to version: com.google.guava:guava:32.0.1-android,32.0.1-jre | None |
CVE-2023-34462; Path to dependency file: /src/adservice/build.gradle; Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.87.Final/2bd97491c22ebea4670c00f1bd5dbf65a8a1cfe7/netty-handler-4.1.87.Final.jar; Dependency Hierarchy: -> grpc-netty-1.56.1.jar (Root Library) -> netty-codec-http2-4.1.87.Final.jar -> ❌ netty-handler-4.1.87.Final.jar (Vulnerable Library) | Medium | 6.5 | netty-handler-4.1.87.Final.jar | Upgrade to version: io.netty:netty-handler:4.1.94.Final;io.netty:netty-all:4.1.94.Final | None |
CVE-2023-44270; Path to dependency file: /src/frontend/package.json; Path to vulnerable library: /src/frontend/package.json; Dependency Hierarchy: -> next-12.3.4.tgz (Root Library) -> ❌ postcss-8.4.14.tgz (Vulnerable Library) | Medium | 5.3 | postcss-8.4.14.tgz | Upgrade to version: postcss - 8.4.31 | None |
CVE-2023-44270; Path to dependency file: /src/frontend/package.json; Path to vulnerable library: /src/frontend/package.json; Dependency Hierarchy: -> styled-components-6.0.7.tgz (Root Library) -> ❌ postcss-8.4.28.tgz (Vulnerable Library) | Medium | 5.3 | postcss-8.4.28.tgz | Upgrade to version: postcss - 8.4.31 | None |
CVE-2023-45803; Path to dependency file: /src/loadgenerator/requirements.txt; Path to vulnerable library: /src/loadgenerator/requirements.txt; Dependency Hierarchy: -> ❌ urllib3-2.0.4-py3-none-any.whl (Vulnerable Library) | Medium | 4.2 | urllib3-2.0.4-py3-none-any.whl | Upgrade to version: urllib3 - 1.26.18,2.0.7 | None |
✔️ Remediated vulnerabilities:
CVE | Vulnerable Library |
---|---|
CVE-2022-44572 | rack-2.2.3.1.gem |
CVE-2022-25883 | semver-7.3.7.tgz |
CVE-2023-36665 | protobufjs-7.1.2.tgz |
CVE-2022-44571 | rack-2.2.3.1.gem |
CVE-2022-42975 | phoenix-1.6.9.tar |
CVE-2023-27539 | rack-2.2.3.1.gem |
CVE-2022-44570 | rack-2.2.3.1.gem |
CVE-2023-43804 | urllib3-1.26.15-py2.py3-none-any.whl |
CVE-2023-45803 | urllib3-1.26.15-py2.py3-none-any.whl |
CVE-2023-36665 | protobufjs-6.11.3.tgz |
CVE-2023-36665 | protobufjs-7.2.3.tgz |
CVE-2022-25883 | semver-7.5.0.tgz |
CVE-2023-27530 | rack-2.2.3.1.gem |
CVE-2023-43804 | urllib3-1.26.6-py2.py3-none-any.whl |
CVE-2022-3171 | google-protobuf-3.21.1.gem |
CVE-2023-45803 | urllib3-1.26.6-py2.py3-none-any.whl |
CVE-2023-40175 | puma-5.6.4.gem |
CVE-2023-32731 | grpcio-1.51.3-cp37-cp37m-manylinux_2_17_x86_64.manylinux2014_x86_64.whl |
CVE-2023-43810 | opentelemetry_instrumentation-0.38b0-py3-none-any.whl |
CVE-2023-43810 | opentelemetry_instrumentation-0.36b0-py3-none-any.whl |
CVE-2022-45442 | sinatra-2.2.0.gem |
CVE-2023-44270 | postcss-8.4.5.tgz |
Base branch total remaining vulnerabilities: 30
Base branch commit: ac07b100d175ac51ec339403398a005c55c391a0
Total libraries scanned: 1286
Scan token: 1bf0cba0170a4432910d64aef6ee6d19