aayant-mend / onboardtraining Goto Github PK

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2022-1471

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

CVE-2017-18640

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: 1.26

In order to enable automatic remediation, please create workflow rules

CVE-2022-25857

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution: 1.31

In order to enable automatic remediation, please create workflow rules

CVE-2022-38749

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution: 1.31

In order to enable automatic remediation, please create workflow rules

CVE-2022-41854

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution: 1.32

In order to enable automatic remediation, please create workflow rules

CVE-2022-38752

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution: 1.32

In order to enable automatic remediation, please create workflow rules

CVE-2022-38751

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution: 1.31

In order to enable automatic remediation, please create workflow rules

CVE-2022-38750

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar

Dependency Hierarchy:

• ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution: 1.31

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - slack-spring-boot-starter-2.0.0.jar

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2019-14540

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1

CVE-2019-17531

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10

CVE-2019-16335

Vulnerable Libraries - jackson-databind-2.9.9.jar, jackson-databind-2.9.8.jar

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution: 2.9.10

CVE-2019-17267

Vulnerable Libraries - jackson-databind-2.9.9.jar, jackson-databind-2.9.8.jar

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10

CVE-2019-16942

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1

CVE-2020-8840

Vulnerable Libraries - jackson-databind-2.9.9.jar, jackson-databind-2.9.8.jar

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3

CVE-2019-16943

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1

CVE-2019-10202

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://access.redhat.com/errata/RHSA-2019:2938

Release Date: 2019-10-01

Fix Resolution: org.codehaus.jackson:jackson-mapper-asl-7.2.4;com.fasterxml.jackson.core:jackson-databind-2.9.9

CVE-2019-14893

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0

CVE-2019-14892

Vulnerable Libraries - jackson-databind-2.9.9.jar, jackson-databind-2.9.8.jar

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14892

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-04

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10

CVE-2020-9546

Vulnerable Libraries - jackson-databind-2.9.9.jar, jackson-databind-2.9.8.jar

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2019-14379

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

CVE-2020-9547

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2020-9548

Vulnerable Libraries - jackson-databind-2.9.8.jar, jackson-databind-2.9.9.jar

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4

CVE-2019-20330

Vulnerable Libraries - jackson-databind-2.9.9.jar, jackson-databind-2.9.8.jar

jackson-databind-2.9.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.9.jar
    • ❌ jackson-databind-2.9.9.jar (Vulnerable Library)

jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar

Dependency Hierarchy:

• slack-spring-boot-starter-2.0.0.jar (Root Library)
  • jackson-module-kotlin-2.9.8.jar
    • ❌ jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2016-3082

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.

Publish Date: 2016-04-26

URL: CVE-2016-3082

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2016-04-26

Fix Resolution: 2.3.20.3

In order to enable automatic remediation, please create workflow rules

CVE-2021-31805

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Publish Date: 2022-04-12

URL: CVE-2021-31805

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-062

Release Date: 2022-04-12

Fix Resolution: 2.0.14

In order to enable automatic remediation, please create workflow rules

CVE-2019-0230

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Publish Date: 2020-09-14

URL: CVE-2019-0230

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-059

Release Date: 2020-09-14

Fix Resolution: 2.5.22

In order to enable automatic remediation, please create workflow rules

CVE-2013-4316

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.

Publish Date: 2013-09-30

URL: CVE-2013-4316

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4316

Release Date: 2013-09-30

Fix Resolution: 2.3.15.2

In order to enable automatic remediation, please create workflow rules

CVE-2017-12611

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Publish Date: 2017-09-20

URL: CVE-2017-12611

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-053

Release Date: 2017-09-20

Fix Resolution: 2.3.34

In order to enable automatic remediation, please create workflow rules

CVE-2020-17530

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Publish Date: 2020-12-11

URL: CVE-2020-17530

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-061

Release Date: 2020-12-11

Fix Resolution: 2.5.26

In order to enable automatic remediation, please create workflow rules

CVE-2016-3081

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.

Publish Date: 2016-04-26

URL: CVE-2016-3081

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2016-04-26

Fix Resolution: 2.3.20.3

In order to enable automatic remediation, please create workflow rules

CVE-2013-2115

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.

Publish Date: 2013-07-10

URL: CVE-2013-2115

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2115

Release Date: 2013-07-10

Fix Resolution: 2.3.14.2

In order to enable automatic remediation, please create workflow rules

CVE-2019-0233

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

Publish Date: 2020-09-14

URL: CVE-2019-0233

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-060

Release Date: 2020-09-14

Fix Resolution: 2.5.22

In order to enable automatic remediation, please create workflow rules

CVE-2015-5209

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.

Publish Date: 2017-08-29

URL: CVE-2015-5209

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5209

Release Date: 2017-08-29

Fix Resolution: 2.3.24.1

In order to enable automatic remediation, please create workflow rules

CVE-2014-0112

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Publish Date: 2014-04-29

URL: CVE-2014-0112

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0112

Release Date: 2014-04-29

Fix Resolution: 2.3.16.2

In order to enable automatic remediation, please create workflow rules

CVE-2014-0113

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.

Publish Date: 2014-04-29

URL: CVE-2014-0113

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0113

Release Date: 2014-04-29

Fix Resolution: 2.3.16.2

In order to enable automatic remediation, please create workflow rules

CVE-2016-4003

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.

Publish Date: 2016-04-12

URL: CVE-2016-4003

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2016-04-12

Fix Resolution: 2.3.28

In order to enable automatic remediation, please create workflow rules

CVE-2015-2992

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.

Publish Date: 2020-02-27

URL: CVE-2015-2992

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2992

Release Date: 2020-02-27

Fix Resolution: 2.3.20.1

In order to enable automatic remediation, please create workflow rules

CVE-2015-5169

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.

Publish Date: 2017-09-25

URL: CVE-2015-5169

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5169

Release Date: 2017-09-25

Fix Resolution: 2.3.20.1

In order to enable automatic remediation, please create workflow rules

CVE-2013-2251

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.

Publish Date: 2013-07-20

URL: CVE-2013-2251

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251

Release Date: 2013-07-20

Fix Resolution: 2.3.15.1

In order to enable automatic remediation, please create workflow rules

CVE-2012-0838

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.

Publish Date: 2012-03-02

URL: CVE-2012-0838

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-0838

Release Date: 2012-03-02

Fix Resolution: 2.2.3.1

In order to enable automatic remediation, please create workflow rules

CVE-2013-2135

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.

Publish Date: 2013-07-16

URL: CVE-2013-2135

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2135

Release Date: 2013-07-16

Fix Resolution: 2.3.14.3

In order to enable automatic remediation, please create workflow rules

CVE-2013-2134

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.

Publish Date: 2013-07-16

URL: CVE-2013-2134

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2134

Release Date: 2013-07-16

Fix Resolution: 2.3.14.3

In order to enable automatic remediation, please create workflow rules

CVE-2013-1965

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.

Publish Date: 2013-07-10

URL: CVE-2013-1965

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-1965

Release Date: 2013-07-10

Fix Resolution: 2.3.14.1

In order to enable automatic remediation, please create workflow rules

CVE-2013-1966

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.

Publish Date: 2013-07-10

URL: CVE-2013-1966

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: GHSA-737w-mh58-cxjp

Release Date: 2013-07-10

Fix Resolution: 2.3.14.2

In order to enable automatic remediation, please create workflow rules

CVE-2012-0392

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.

Publish Date: 2012-01-08

URL: CVE-2012-0392

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-0392

Release Date: 2012-01-08

Fix Resolution: 2.3.1.1

In order to enable automatic remediation, please create workflow rules

CVE-2012-0391

Vulnerable Library - struts2-core-2.0.5.jar

Apache Struts 2

Library home page: http://struts.apache.org/struts2

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar

Dependency Hierarchy:

• ❌ struts2-core-2.0.5.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.

Publish Date: 2012-01-08

URL: CVE-2012-0391

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-0391

Release Date: 2012-01-08

Fix Resolution: 2.3.14.3

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - slack-spring-boot-starter-1.0.0.jar

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.9/a25c1be5ce99d0ce99aa43eb982868c796dd0775/httpclient-4.5.9.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

WS-2019-0379

Vulnerable Library - commons-codec-1.12.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.12/47a28ef1ed31eb182b44e15d49300dee5fadcf6a/commons-codec-1.12.jar

Dependency Hierarchy:

• slack-spring-boot-starter-1.0.0.jar (Root Library)
  • slack-spring-boot-1.0.0.jar
    • ❌ commons-codec-1.12.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

CVE-2020-13956

Vulnerable Library - httpclient-4.5.9.jar

Apache HttpComponents Client

Library home page: http://hc.apache.org/

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.9/a25c1be5ce99d0ce99aa43eb982868c796dd0775/httpclient-4.5.9.jar

Dependency Hierarchy:

• slack-spring-boot-starter-1.0.0.jar (Root Library)
  • slack-spring-boot-1.0.0.jar
    • slack-spring-api-client-1.0.0.jar
      • ❌ httpclient-4.5.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.

Publish Date: 2020-12-02

URL: CVE-2020-13956

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956

Release Date: 2020-12-02

Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3

Vulnerable Library - fuel-2.2.3.jar

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2022-24329

Vulnerable Library - kotlin-stdlib-1.3.70.jar

Kotlin Standard Library for JVM

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar

Dependency Hierarchy:

• fuel-2.2.3.jar (Root Library)
  • ❌ kotlin-stdlib-1.3.70.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0

Vulnerable Library - plexus-utils-2.0.3.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2017-1000487

Vulnerable Library - plexus-utils-2.0.3.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar

Dependency Hierarchy:

• ❌ plexus-utils-2.0.3.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.

Publish Date: 2018-01-03

URL: CVE-2017-1000487

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487

Release Date: 2018-01-03

Fix Resolution: 3.0.16

In order to enable automatic remediation, please create workflow rules

WS-2016-7057

Vulnerable Library - plexus-utils-2.0.3.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar

Dependency Hierarchy:

• ❌ plexus-utils-2.0.3.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Plexus-utils before 3.0.24 are vulnerable to Directory Traversal

Publish Date: 2016-05-07

URL: WS-2016-7057

CVSS 3 Score Details (5.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution: 3.0.24

In order to enable automatic remediation, please create workflow rules

WS-2016-7062

Vulnerable Library - plexus-utils-2.0.3.jar

A collection of various utility classes to ease working with strings, files, command lines, XML and more.

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar

Dependency Hierarchy:

• ❌ plexus-utils-2.0.3.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.

Publish Date: 2016-05-07

URL: WS-2016-7062

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2016-05-07

Fix Resolution: 3.0.24

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - requests-2.20.0-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2021-33503

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• requests-2.20.0-py2.py3-none-any.whl (Root Library)
  • ❌ urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

CVE-2020-26137

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• requests-2.20.0-py2.py3-none-any.whl (Root Library)
  • ❌ urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

Vulnerable Library - github.com/mholt/archiver-v3.5.0

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2021-29482

Vulnerable Library - github.com/ulikunitz/xz-v0.5.7

Pure golang package for reading and writing xz-compressed files

Dependency Hierarchy:

• github.com/mholt/archiver-v3.5.0 (Root Library)
  • ❌ github.com/ulikunitz/xz-v0.5.7 (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop provide malicous input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library had recently the same issue and got the CVE-2020-16845 allocated.

Publish Date: 2021-04-28

URL: CVE-2021-29482

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-25xm-hr59-7c27

Release Date: 2021-04-28

Fix Resolution: v0.5.8

Step up your Open Source Security Game with Mend here

CVE-2020-16845

Vulnerable Library - github.com/ulikunitz/xz-v0.5.7

Pure golang package for reading and writing xz-compressed files

Dependency Hierarchy:

• github.com/mholt/archiver-v3.5.0 (Root Library)
  • ❌ github.com/ulikunitz/xz-v0.5.7 (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.

Publish Date: 2020-08-06

URL: CVE-2020-16845

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q6gq-997w-f55g

Release Date: 2020-08-06

Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8

Step up your Open Source Security Game with Mend here

Vulnerable Library - Pygments-2.2.0-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2021-27291

Vulnerable Library - Pygments-2.2.0-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• ❌ Pygments-2.2.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.

Publish Date: 2021-03-17

URL: CVE-2021-27291

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-03-17

Fix Resolution: Pygments - 2.7.4

In order to enable automatic remediation, please create workflow rules

CVE-2021-20270

Vulnerable Library - Pygments-2.2.0-py2.py3-none-any.whl

Pygments is a syntax highlighting package written in Python.

Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• ❌ Pygments-2.2.0-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.

Publish Date: 2021-03-23

URL: CVE-2021-20270

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w8r-397f-prfh

Release Date: 2021-03-23

Fix Resolution: Pygments - 20.12.3

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - commons-codec-1.8.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.8/af3be3f74d25fc5163b54f56a0d394b462dafafd/commons-codec-1.8.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

WS-2019-0379

Vulnerable Library - commons-codec-1.8.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.8/af3be3f74d25fc5163b54f56a0d394b462dafafd/commons-codec-1.8.jar

Dependency Hierarchy:

• ❌ commons-codec-1.8.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: 1.13

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - kotlin-reflect-1.3.41.jar

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2022-24329

Vulnerable Libraries - kotlin-stdlib-1.3.41.jar, kotlin-stdlib-1.3.70.jar

kotlin-stdlib-1.3.41.jar

Kotlin Standard Library for JVM

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.41/e24bd38de28a326cce8b1f0d61e809e9a92dad6a/kotlin-stdlib-1.3.41.jar

Dependency Hierarchy:

• kotlin-reflect-1.3.41.jar (Root Library)
  • ❌ kotlin-stdlib-1.3.41.jar (Vulnerable Library)

kotlin-stdlib-1.3.70.jar

Kotlin Standard Library for JVM

Library home page: https://kotlinlang.org/

Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar

Dependency Hierarchy:

• kotlin-reflect-1.3.41.jar (Root Library)
  • ❌ kotlin-stdlib-1.3.70.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.

Publish Date: 2022-02-25

URL: CVE-2022-24329

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qp4-g3q3-f92w

Release Date: 2022-02-25

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1

Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.6.0

Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1

Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.6.0

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - django_filter-2.2.0-py3-none-any.whl

Django-filter is a reusable Django application for allowing users to filter querysets dynamically.

Library home page: https://files.pythonhosted.org/packages/0a/c9/acc63b687002afae8b5137afd6230d88c99411aa2daedf07fed3f0913516/django_filter-2.2.0-py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2020-15225

Vulnerable Library - django_filter-2.2.0-py3-none-any.whl

Django-filter is a reusable Django application for allowing users to filter querysets dynamically.

Library home page: https://files.pythonhosted.org/packages/0a/c9/acc63b687002afae8b5137afd6230d88c99411aa2daedf07fed3f0913516/django_filter-2.2.0-py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• ❌ django_filter-2.2.0-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated NumberFilter instances, whose value was later converted to an integer, were subject to potential DoS from maliciously input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a MaxValueValidator with a a default limit_value of 1e50 to the form field used by NumberFilter instances. In addition, NumberFilter implements the new get_max_validator() which should return a configured validator instance to customise the limit, or else None to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.

Publish Date: 2021-04-29

URL: CVE-2020-15225

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2021-04-29

Fix Resolution: 2.4.0

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - threadfix_api-1.1.1-py3-none-any.whl

Path to vulnerable library: /Python/Pip/requirements.txt

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2021-33503

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• threadfix_api-1.1.1-py3-none-any.whl (Root Library)
  • requests-2.20.0-py2.py3-none-any.whl
    • ❌ urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.

Publish Date: 2021-06-29

URL: CVE-2021-33503

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-q2q7-5pp4-w6pg

Release Date: 2021-06-29

Fix Resolution: urllib3 - 1.26.5

CVE-2020-26137

Vulnerable Library - urllib3-1.24.3-py2.py3-none-any.whl

HTTP library with thread-safe connection pooling, file post, and more.

Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• threadfix_api-1.1.1-py3-none-any.whl (Root Library)
  • requests-2.20.0-py2.py3-none-any.whl
    • ❌ urllib3-1.24.3-py2.py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.

Publish Date: 2020-09-30

URL: CVE-2020-26137

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137

Release Date: 2020-09-30

Fix Resolution: 1.25.9

Vulnerable Library - djangorestframework-3.10.1-py3-none-any.whl

Web APIs for Django, made easy.

Library home page: https://files.pythonhosted.org/packages/54/11/a600772feee08f145b3d77ca9cd913d66f17963915aaf239d66ceacf4b7e/djangorestframework-3.10.1-py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2020-25626

Vulnerable Library - djangorestframework-3.10.1-py3-none-any.whl

Web APIs for Django, made easy.

Library home page: https://files.pythonhosted.org/packages/54/11/a600772feee08f145b3d77ca9cd913d66f17963915aaf239d66ceacf4b7e/djangorestframework-3.10.1-py3-none-any.whl

Path to dependency file: /Python/Pip/requirements.txt

Path to vulnerable library: /Python/Pip/requirements.txt

Dependency Hierarchy:

• ❌ djangorestframework-3.10.1-py3-none-any.whl (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.

Publish Date: 2020-09-30

URL: CVE-2020-25626

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://pypi.org/project/djangorestframework/3.12.1/

Release Date: 2020-09-30

Fix Resolution: 3.12.1

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - junit-vintage-engine-5.5.2.jar

Path to dependency file: /Java/Gradle/simple-build-2/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2020-15250

Vulnerable Library - junit-4.12.jar

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

Library home page: http://junit.org

Path to dependency file: /Java/Gradle/simple-build-2/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

Dependency Hierarchy:

• junit-vintage-engine-5.5.2.jar (Root Library)
  • ❌ junit-4.12.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution (junit:junit): 4.13.1

Direct dependency fix Resolution (org.junit.vintage:junit-vintage-engine): 5.8.0

In order to enable automatic remediation, please create workflow rules

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

CVE-2018-14721

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.7.9.5

In order to enable automatic remediation, please create workflow rules

CVE-2019-14540

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: 2.8.0.rc1

In order to enable automatic remediation, please create workflow rules

CVE-2019-17531

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.9.10.1

In order to enable automatic remediation, please create workflow rules

CVE-2017-15095

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2018-02-06

Fix Resolution: 2.7.9.4

In order to enable automatic remediation, please create workflow rules

CVE-2017-7525

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525

Release Date: 2018-02-06

Fix Resolution: 2.7.9.1

In order to enable automatic remediation, please create workflow rules

CVE-2018-14720

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.7.9.5

In order to enable automatic remediation, please create workflow rules

CVE-2019-16335

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution: 2.7.9.6

In order to enable automatic remediation, please create workflow rules

CVE-2019-17267

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution: 2.8.0.rc1

In order to enable automatic remediation, please create workflow rules

CVE-2018-11307

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-09

Fix Resolution: 2.7.9.4

In order to enable automatic remediation, please create workflow rules

CVE-2019-16942

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: 2.7.9.7

In order to enable automatic remediation, please create workflow rules

CVE-2020-8840

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution: 2.7.9.7

In order to enable automatic remediation, please create workflow rules

CVE-2019-16943

Vulnerable Library - jackson-databind-2.7.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Java/Gradle/simple-build-1/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar

Dependency Hierarchy:

• ❌ jackson-databind-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e

Found in base branch: main

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution: 2.7.9.7

In order to enable automatic remediation, please create workflow rules

CVE-2018-19362

Vulnerable Library - jackson-databind-2.7.9.jar