SCA: security update for org.eclipse.californium:scandium (GHSA-p72g-cgh9-ghjg)

high Tenable Self-Hosted Container Security Plugin ID 417354

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- Eclipse Californium is a Java implementation of RFC 7252, the Constrained Application Protocol (CoAP) for IoT cloud
services. In versions prior to 3.7.0 and 2.7.4, Californium is vulnerable to a denial of service. Failing
handshakes do not clean up the counters used for throttling, so the threshold is reached and never
released again, which results in records being dropped permanently. The issue was reported for certificate-based
handshakes but may also affect PSK-based handshakes, and it affects both client and server. This
issue is patched in versions 3.7.0 and 2.7.4. There are no known workarounds. main: commit
726bac57659410da463dcf404b3e79a7312ac0b9 2.7.x: commit 5648a0c27c2c2667c98419254557a14bac2b1f3f
(CVE-2022-39368)

See Also

https://github.com/advisories/GHSA-p72g-cgh9-ghjg

Plugin Details

Severity: High

ID: 417354

Version: Revision 1.6

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Risk Information

VPR

Risk Factor: Medium

Score: 4.2

Vendor

Vendor Severity: High

CVSS v2

Risk Factor: High

Base Score: 8.5

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:C

CVSS Score Source: CVE-2022-39368

CVSS v3

Risk Factor: High

Base Score: 8.2

Temporal Score: 7.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:H

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 11/9/2022

Vulnerability Publication Date: 11/9/2022

Reference Information

CVE: CVE-2022-39368

CWE: CWE-404