Title: commons-lang-2.6.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable) · Issue #35 · amaybaum-dev/BenchmarkJava · GitHub
Open Graph Title: commons-lang-2.6.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable) · Issue #35 · amaybaum-dev/BenchmarkJava
X Title: commons-lang-2.6.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable) · Issue #35 · amaybaum-dev/BenchmarkJava
Description: 📂 Vulnerable Library - commons-lang-2.6.jar Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. Library home page: h...
Open Graph Description: 📂 Vulnerable Library - commons-lang-2.6.jar Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify exis...
X Description: 📂 Vulnerable Library - commons-lang-2.6.jar Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify ...
Opengraph URL: https://github.com/amaybaum-dev/BenchmarkJava/issues/35
X: @github
Domain: github.com
{"@context":"https://schema.org","@type":"DiscussionForumPosting","headline":"commons-lang-2.6.jar: 2 vulnerabilities (highest severity is: 9.8) [master] (reachable)","articleBody":"\u003cdetails\u003e\n \u003csummary\u003e📂 Vulnerable Library - \u003cstrong\u003ecommons-lang-2.6.jar\u003c/strong\u003e\u003c/summary\u003e\n\nCommons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n\n**Library home page:** [ http://www.apache.org/ ](http://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar\n\n\n\u003c/details\u003e\n\n\n# Findings\n| Finding | Severity | 🎯 CVSS | Exploit Maturity | EPSS | Library | Type | Fixed in | Remediation Available | **Reachability** |\n| ------------- | ------------- | ---- | --- | ----- | ----- | ----- | --- | --- | --- |\n| [ CVE-842749-413332 ](https://www.mend.io/vulnerability-database/CVE-842749-413332) | 🟣 Critical | 9.8 | N/A | N/A | commons-lang-2.6.jar | Direct | N/A | ❌ | |\n| [ CVE-2025-48924 ](https://www.mend.io/vulnerability-database/CVE-2025-48924) | 🟠 Medium | 6.9 | Not Defined | \u003c 1% | commons-lang-2.6.jar | Direct | N/A | ❌ |\u003cimg src='https://whitesource-resources.whitesourcesoftware.com/viaRed.png' width=20 height=22\u003e Reachable |\n\n\n# Details\n\n\n\u003cdetails\u003e\n \u003csummary\u003e\n 🟣CVE-842749-413332\n \u003c/summary\u003e\n\n### Vulnerable Library - **commons-lang-2.6.jar**\n\nCommons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n\n**Library home page:** [ http://www.apache.org/ ](http://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- ❌ **commons-lang-2.6.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Vulnerability Details\n\nCreated automatically by the test suite\n\n**Publish Date:** Jun 07, 2010 05:12 PM\n\n**URL:** [ CVE-842749-413332 ](https://www.mend.io/vulnerability-database/CVE-842749-413332)\n\n**Threat Assessment**\n\nExploit Maturity:N/A\n\nEPSS:N/A\n\n**Score:** 9.8\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** \n\n**Release Date:** \n\n**Fix Resolution :** \n\n\n\u003c/details\u003e\n\n\u003cdetails\u003e\n \u003csummary\u003e\n 🟠CVE-2025-48924\n \u003c/summary\u003e\n\n### Vulnerable Library - **commons-lang-2.6.jar**\n\nCommons Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.\n\n**Library home page:** [ http://www.apache.org/ ](http://www.apache.org/)\n\n**Path to dependency file:** /pom.xml\n\n**Path to vulnerable library:** /home/wss-scanner/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar\n\n\n\n**Dependency Hierarchy:**\n\n\n- ❌ **commons-lang-2.6.jar** (Vulnerable Library)\n\n\n\n\n***\n\n### Reachability Analysis\nThis vulnerability is potentially reachable:\n\n```\n- org.owasp.benchmark.helpers.LDAPServer (Application)\n - org.apache.directory.server.ldap.LdapServer (Extension)\n - org.apache.directory.server.core.security.CoreKeyStoreSpi (Extension)\n - org.apache.commons.lang.ArrayUtils (Extension)\n - org.apache.commons.lang.builder.ToStringStyle (Extension)\n -\u003e ❌ org.apache.commons.lang.ClassUtils (Vulnerable Component)\n```\n***\n\n### Vulnerability Details\n\nUncontrolled Recursion vulnerability in Apache Commons Lang.\nThis issue affects Apache Commons Lang: Starting with commons-lang:commons-lang 2.0 to 2.6, and, from org.apache.commons:commons-lang3 3.0 before 3.18.0.\nThe methods ClassUtils.getClass(...) can throw StackOverflowError on very long inputs. Because an Error is usually not handled by applications and libraries, a\nStackOverflowError could cause an application to stop.\nUsers are recommended to upgrade to version 3.18.0, which fixes the issue.\n Mend Note: The description of this vulnerability differs from MITRE. \n\n**Publish Date:** Jul 11, 2025 02:56 PM\n\n**URL:** [ CVE-2025-48924 ](https://www.mend.io/vulnerability-database/CVE-2025-48924)\n\n**Threat Assessment**\n\nExploit Maturity:Not Defined\n\nEPSS:\u003c 1%\n\n**Score:** 6.9\n\n\n***\n### Suggested Fix\n\n**Type:** Upgrade version\n\n**Origin:** \n\n**Release Date:** \n\n**Fix Resolution :** \n\n\n\u003c/details\u003e\n\n[comment]: \u003c\u003e (\u003cMEND_ISSUE_METADATA\u003e{\"identifier\":\"commons-lang-2.6.jar\",\"repoName\":\"BenchmarkJava\",\"branchName\":\"master\",\"type\":\"SCA_DEP\"}\u003c/MEND_ISSUE_METADATA\u003e)","author":{"url":"https://github.com/mend-developer-platform-dev[bot]","@type":"Person","name":"mend-developer-platform-dev[bot]"},"datePublished":"2025-09-28T05:43:39.000Z","interactionStatistic":{"@type":"InteractionCounter","interactionType":"https://schema.org/CommentAction","userInteractionCount":0},"url":"https://github.com/35/BenchmarkJava/issues/35"}
| route-pattern | /_view_fragments/issues/show/:user_id/:repository/:id/issue_layout(.:format) |
| route-controller | voltron_issues_fragments |
| route-action | issue_layout |
| fetch-nonce | v2:bc5b15a1-ed7c-86fb-1864-d61f1b3057c9 |
| current-catalog-service-hash | 81bb79d38c15960b92d99bca9288a9108c7a47b18f2423d0f6438c5b7bcd2114 |
| request-id | D314:2110F2:2880B6:3625A7:6A5189F2 |
| html-safe-nonce | 28cdde906fba6bdb762692d48866272c5bfbd5028feddfcde4c9912d619cad6a |
| visitor-payload | eyJyZWZlcnJlciI6IiIsInJlcXVlc3RfaWQiOiJEMzE0OjIxMTBGMjoyODgwQjY6MzYyNUE3OjZBNTE4OUYyIiwidmlzaXRvcl9pZCI6IjYyMzI3NTYxNDE0NTcxMDU3OCIsInJlZ2lvbl9lZGdlIjoiaWFkIiwicmVnaW9uX3JlbmRlciI6ImlhZCJ9 |
| visitor-hmac | db12193e128d531daff985c967759cbdff8e85a1de48b340bfc46fd6273f7862 |
| hovercard-subject-tag | issue:3461119521 |
| github-keyboard-shortcuts | repository,issues,copilot |
| google-site-verification | Apib7-x98H0j5cPqHWwSMm6dNU4GmODRoqxLiDzdx9I |
| octolytics-url | https://collector.github.com/github/collect |
| analytics-location | / |
| fb:app_id | 1401488693436528 |
| apple-itunes-app | app-id=1477376905, app-argument=https://github.com/_view_fragments/issues/show/amaybaum-dev/BenchmarkJava/35/issue_layout |
| twitter:image | https://opengraph.githubassets.com/806c1be873d7cef0a056ecf5a8077f8c6292e6326443fb8cc0079586f1420f70/amaybaum-dev/BenchmarkJava/issues/35 |
| twitter:card | summary_large_image |
| og:image | https://opengraph.githubassets.com/806c1be873d7cef0a056ecf5a8077f8c6292e6326443fb8cc0079586f1420f70/amaybaum-dev/BenchmarkJava/issues/35 |
| og:image:alt | 📂 Vulnerable Library - commons-lang-2.6.jar Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify exis... |
| og:image:width | 1200 |
| og:image:height | 600 |
| og:site_name | GitHub |
| og:type | object |
| og:author:username | mend-developer-platform-dev[bot] |
| hostname | github.com |
| expected-hostname | github.com |
| None | b9a586c06a05a7a86fc7e3f4dbd03e42f6869085879aa184aa6369456dbd50fb |
| turbo-cache-control | no-preview |
| go-import | github.com/amaybaum-dev/BenchmarkJava git https://github.com/amaybaum-dev/BenchmarkJava.git |
| octolytics-dimension-user_id | 29013484 |
| octolytics-dimension-user_login | amaybaum-dev |
| octolytics-dimension-repository_id | 619308890 |
| octolytics-dimension-repository_nwo | amaybaum-dev/BenchmarkJava |
| octolytics-dimension-repository_public | true |
| octolytics-dimension-repository_is_fork | true |
| octolytics-dimension-repository_parent_id | 33565372 |
| octolytics-dimension-repository_parent_nwo | OWASP-Benchmark/BenchmarkJava |
| octolytics-dimension-repository_network_root_id | 33565372 |
| octolytics-dimension-repository_network_root_nwo | OWASP-Benchmark/BenchmarkJava |
| turbo-body-classes | logged-out env-production page-responsive |
| disable-turbo | false |
| browser-stats-url | https://api.github.com/_private/browser/stats |
| browser-errors-url | https://api.github.com/_private/browser/errors |
| release | cb77a7b8b06cd86c243be33fd8e7922d70a9d243 |
| ui-target | full |
| theme-color | #1e2327 |
| color-scheme | light dark |
Links:
Viewport: width=device-width