Information Exposure Affecting commons-codec:commons-codec package, versions [,1.14)
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-COMMONSCODEC-561518
- published 3 Mar 2012
- disclosed 30 Mar 2020
- credit Hanson Char
How to fix?
Upgrade commons-codec:commons-codec to version 1.14 or higher.
Overview
commons-codec:commons-codec is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.
Affected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.