aayant-mend / onboardtraining
This project forked from samjcs/onboarding-training
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.6/815893df5f31da2ece4040fe0a12fd44b577afaf/commons-io-2.6.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (struts2-core version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29425 | Medium | 4.8 | commons-io-2.6.jar | Transitive | 6.0.0 | ✅ |
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/proper/commons-io/
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-io/commons-io/2.6/815893df5f31da2ece4040fe0a12fd44b577afaf/commons-io-2.6.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution (commons-io:commons-io): 2.7
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.0.0
In order to enable automatic remediation, please create workflow rules
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (slack-spring-boot-starter version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-14540 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-17531 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-16335 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-17267 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-16942 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-8840 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-16943 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-10202 | High | 9.8 | jackson-databind-2.9.8.jar | Transitive | N/A* | ❌ |
CVE-2019-14893 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-14892 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-9546 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-14379 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-9547 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-9548 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-20330 | High | 9.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-10968 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-10969 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-11111 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-11113 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-11112 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-10672 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-10673 | High | 8.8 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-11619 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-35728 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36189 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36188 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-11620 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-10650 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36181 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36180 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36183 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-35490 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36182 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36185 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-35491 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36184 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36187 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36186 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2021-20190 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36179 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-24616 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-14060 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-14061 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-14062 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-24750 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-14195 | High | 8.1 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2022-27772 | High | 7.8 | spring-boot-2.1.3.RELEASE.jar | Transitive | N/A* | ❌ |
CVE-2019-12086 | High | 7.5 | jackson-databind-2.9.8.jar | Transitive | N/A* | ❌ |
CVE-2020-25649 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-14439 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2022-42004 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2022-42003 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2020-36518 | High | 7.5 | detected in multiple dependencies | Transitive | N/A* | ❌ |
WS-2019-0379 | Medium | 6.5 | commons-codec-1.12.jar | Transitive | N/A* | ❌ |
CVE-2019-12814 | Medium | 5.9 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2019-12384 | Medium | 5.9 | detected in multiple dependencies | Transitive | N/A* | ❌ |
CVE-2022-22970 | Medium | 5.3 | spring-core-5.1.5.RELEASE.jar | Transitive | N/A* | ❌ |
CVE-2020-13956 | Medium | 5.3 | httpclient-4.5.9.jar | Transitive | N/A* | ❌ |
CVE-2021-29425 | Medium | 4.8 | commons-io-2.6.jar | Transitive | N/A* | ❌ |
CVE-2021-22096 | Medium | 4.3 | spring-core-5.1.5.RELEASE.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
Partial details (15 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-09-15
Fix Resolution: 2.9.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://access.redhat.com/errata/RHSA-2019:2938
Release Date: 2019-10-01
Fix Resolution: org.codehaus.jackson:jackson-mapper-asl-7.2.4;com.fasterxml.jackson.core:jackson-databind-2.9.9
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping(), or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS, or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14893
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14892
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-09-04
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Publish Date: 2019-07-29
URL: CVE-2019-14379
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
Release Date: 2019-07-29
Fix Resolution: 2.9.9.2
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Publish Date: 2020-03-02
URL: CVE-2020-9547
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Publish Date: 2020-03-02
URL: CVE-2020-9548
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548
Release Date: 2020-03-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.6,2.9.10.4
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.9/d6eb9817d9c7289a91f043ac5ee02a6b3cc86238/jackson-databind-2.9.9.jar
Dependency Hierarchy:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.9.8/11283f21cc480aa86c4df7a0a3243ec508372ed2/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-03
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.7,2.8.11.5,2.9.10.2
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/28.2-jre/guava-28.2-jre.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (camel-zookeeper version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-42004 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 3.11.0 | ✅ |
CVE-2022-42003 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 3.11.0 | ✅ |
CVE-2020-25649 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 3.11.0 | ✅ |
CVE-2020-11612 | High | 7.5 | netty-codec-4.1.45.Final.jar | Transitive | 3.11.0 | ✅ |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | 3.11.0 | ✅ |
CVE-2021-37136 | High | 7.5 | netty-codec-4.1.45.Final.jar | Transitive | 3.11.0 | ✅ |
CVE-2021-37137 | High | 7.5 | netty-codec-4.1.45.Final.jar | Transitive | 3.11.0 | ✅ |
WS-2020-0408 | High | 7.4 | netty-handler-4.1.45.Final.jar | Transitive | 3.11.0 | ✅ |
CVE-2022-24823 | Medium | 5.5 | netty-common-4.1.45.Final.jar | Transitive | N/A* | ❌ |
CVE-2021-21290 | Medium | 5.5 | netty-handler-4.1.45.Final.jar | Transitive | 3.11.0 | ✅ |
CVE-2020-8908 | Low | 3.3 | guava-28.2-jre.jar | Transitive | 3.11.0 | ✅ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02
URL: CVE-2022-42004
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.13.4
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions: 2.13.4.1 and 2.12.17.1.
Publish Date: 2022-10-02
URL: CVE-2022-42003
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.13.0-rc1
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw makes it vulnerable to XML external entity (XXE) attacks. The highest threat from this vulnerability is to data integrity.
Publish Date: 2020-12-03
URL: CVE-2020-25649
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-12-03
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.10.5.1
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.45.Final/netty-codec-4.1.45.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Publish Date: 2020-04-07
URL: CVE-2020-11612
Base Score Metrics:
Type: Upgrade version
Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html
Release Date: 2020-04-07
Fix Resolution (io.netty:netty-codec): 4.1.46.Final
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-11
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.12.6.1
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.45.Final/netty-codec-4.1.45.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
Publish Date: 2021-10-19
URL: CVE-2021-37136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.45.Final/netty-codec-4.1.45.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.45.Final/netty-handler-4.1.45.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that is not intended for them. This is an issue because the certificate is not matched against the host.
Publish Date: 2020-06-22
URL: WS-2020-0408
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408
Release Date: 2020-06-22
Fix Resolution (io.netty:netty-handler): 4.1.69.Final
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.45.Final/netty-common-4.1.45.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
Publish Date: 2022-05-06
URL: CVE-2022-24823
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
Release Date: 2022-05-06
Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.45.Final/netty-handler-4.1.45.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Publish Date: 2021-02-08
URL: CVE-2021-21290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5mcr-gq6c-3hq2
Release Date: 2021-02-08
Fix Resolution (io.netty:netty-handler): 4.1.59.Final
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/28.2-jre/guava-28.2-jre.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution (com.google.guava:guava): 30.0-android
Direct dependency fix Resolution (org.apache.camel:camel-zookeeper): 3.11.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29482 | High | 7.5 | github.com/ulikunitz/xz-v0.5.7 | Transitive | N/A | ❌ |
CVE-2020-16845 | High | 7.5 | github.com/ulikunitz/xz-v0.5.7 | Transitive | N/A | ❌ |
Pure golang package for reading and writing xz-compressed files
Library home page: https://proxy.golang.org/github.com/ulikunitz/xz/@v/v0.5.7.zip
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop when provided malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The standard library recently had the same issue and was assigned CVE-2020-16845.
Publish Date: 2021-04-28
URL: CVE-2021-29482
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-25xm-hr59-7c27
Release Date: 2021-04-28
Fix Resolution: v0.5.8
Pure golang package for reading and writing xz-compressed files
Library home page: https://proxy.golang.org/github.com/ulikunitz/xz/@v/v0.5.7.zip
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Publish Date: 2020-08-06
URL: CVE-2020-16845
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q6gq-997w-f55g
Release Date: 2020-08-06
Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (github.com/Mholt/archiver/v3-v3.5.0 version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29482 | High | 7.5 | github.com/ulikunitz/xz-v0.5.7 | Transitive | N/A* | ❌ |
CVE-2020-16845 | High | 7.5 | github.com/ulikunitz/xz-v0.5.7 | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Pure golang package for reading and writing xz-compressed files
Library home page: https://proxy.golang.org/github.com/ulikunitz/xz/@v/v0.5.7.zip
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
xz is a compression and decompression library focusing on the xz format, completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop when provided malicious input. The problem has been fixed in release v0.5.8. As a workaround, users can limit the size of the compressed file input to a reasonable size for their use case. The standard library recently had the same issue and was assigned CVE-2020-16845.
Publish Date: 2021-04-28
URL: CVE-2021-29482
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-25xm-hr59-7c27
Release Date: 2021-04-28
Fix Resolution: v0.5.8
Pure golang package for reading and writing xz-compressed files
Library home page: https://proxy.golang.org/github.com/ulikunitz/xz/@v/v0.5.7.zip
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Go before 1.13.15 and 1.14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Publish Date: 2020-08-06
URL: CVE-2020-16845
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q6gq-997w-f55g
Release Date: 2020-08-06
Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8
Pygments is a syntax highlighting package written in Python.
Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (Pygments version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-27291 | High | 7.5 | Pygments-2.2.0-py2.py3-none-any.whl | Direct | Pygments - 2.7.4 | ✅ |
CVE-2021-20270 | High | 7.5 | Pygments-2.2.0-py2.py3-none-any.whl | Direct | Pygments - 20.12.3 | ✅ |
Pygments is a syntax highlighting package written in Python.
Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In pygments 1.1+, fixed in 2.7.4, the lexers used to parse programming languages rely heavily on regular expressions. Some of the regular expressions have exponential or cubic worst-case complexity and are vulnerable to ReDoS. By crafting malicious input, an attacker can cause a denial of service.
Publish Date: 2021-03-17
URL: CVE-2021-27291
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-17
Fix Resolution: Pygments - 2.7.4
In order to enable automatic remediation, please create workflow rules
Pygments is a syntax highlighting package written in Python.
Library home page: https://files.pythonhosted.org/packages/02/ee/b6e02dc6529e82b75bb06823ff7d005b141037cb1416b10c6f00fc419dca/Pygments-2.2.0-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An infinite loop in SMLLexer in Pygments versions 1.5 to 2.7.3 may lead to denial of service when performing syntax highlighting of a Standard ML (SML) source file, as demonstrated by input that only contains the "exception" keyword.
Publish Date: 2021-03-23
URL: CVE-2021-20270
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9w8r-397f-prfh
Release Date: 2021-03-23
Fix Resolution: Pygments - 20.12.3
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting end of expression or separator near "lock
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.hibernate.validator/hibernate-validator/6.0.14.Final/c424524aa7718c564d9199ac5892b05901cabae6/hibernate-validator-6.0.14.Final.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2016-1000027 | High | 9.8 | spring-web-5.1.5.RELEASE.jar | Transitive | 2.1.15.RELEASE | ✅ |
CVE-2022-1471 | High | 9.8 | snakeyaml-1.23.jar | Transitive | N/A* | ❌ |
CVE-2019-0232 | High | 8.1 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.5.RELEASE | ✅ |
CVE-2017-18640 | High | 7.5 | snakeyaml-1.23.jar | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2022-25857 | High | 7.5 | snakeyaml-1.23.jar | Transitive | 2.6.9 | ✅ |
CVE-2020-5398 | High | 7.5 | spring-web-5.1.5.RELEASE.jar | Transitive | 2.1.12.RELEASE | ✅ |
CVE-2019-10072 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.6.RELEASE | ✅ |
CVE-2019-17563 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.12.RELEASE | ✅ |
CVE-2020-11996 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.15.RELEASE | ✅ |
CVE-2020-13934 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.16.RELEASE | ✅ |
CVE-2020-13935 | High | 7.5 | tomcat-embed-websocket-9.0.16.jar | Transitive | 2.1.16.RELEASE | ✅ |
CVE-2021-25122 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | 2.3.9.RELEASE | ✅ |
CVE-2021-41079 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | 2.3.10.RELEASE | ✅ |
CVE-2022-42252 | High | 7.5 | tomcat-embed-core-9.0.16.jar | Transitive | N/A* | ❌ |
CVE-2021-25329 | High | 7.0 | tomcat-embed-core-9.0.16.jar | Transitive | 2.3.9.RELEASE | ✅ |
CVE-2019-12418 | High | 7.0 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.11.RELEASE | ✅ |
CVE-2020-9484 | High | 7.0 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.15.RELEASE | ✅ |
CVE-2022-38752 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-38751 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-38749 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-41854 | Medium | 6.5 | snakeyaml-1.23.jar | Transitive | 2.6.9 | ✅ |
CVE-2020-5421 | Medium | 6.5 | spring-web-5.1.5.RELEASE.jar | Transitive | 2.1.17.RELEASE | ✅ |
CVE-2019-0221 | Medium | 6.1 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.5.RELEASE | ✅ |
CVE-2019-10219 | Medium | 6.1 | hibernate-validator-6.0.14.Final.jar | Transitive | 2.1.10.RELEASE | ✅ |
CVE-2021-24122 | Medium | 5.9 | tomcat-embed-core-9.0.16.jar | Transitive | 2.2.12.RELEASE | ✅ |
CVE-2022-38750 | Medium | 5.5 | snakeyaml-1.23.jar | Transitive | 2.6.9 | ✅ |
CVE-2021-33037 | Medium | 5.3 | tomcat-embed-core-9.0.16.jar | Transitive | 2.4.8 | ✅ |
CVE-2020-10693 | Medium | 5.3 | hibernate-validator-6.0.14.Final.jar | Transitive | 2.1.15.RELEASE | ✅ |
CVE-2020-1935 | Medium | 4.8 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.13.RELEASE | ✅ |
CVE-2020-13943 | Medium | 4.3 | tomcat-embed-core-9.0.16.jar | Transitive | 2.1.17.RELEASE | ✅ |
CVE-2021-22096 | Medium | 4.3 | detected in multiple dependencies | Transitive | 2.4.0 | ✅ |
CVE-2021-43980 | Low | 3.7 | tomcat-embed-core-9.0.16.jar | Transitive | 2.5.13 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Partial details (20 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.5.RELEASE/c37c4363be4ad6c5f67e3f9f020497e2d599e325/spring-web-5.1.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-02
Fix Resolution (org.springframework:spring-web): 5.1.16.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
SnakeYaml's Constructor() class does not restrict the types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
Base Score Metrics:
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disabled by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).
Publish Date: 2019-04-15
URL: CVE-2019-0232
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232
Release Date: 2019-04-15
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.19
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.5.RELEASE
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.3.0.RELEASE
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.9
In order to enable automatic remediation, please create workflow rules
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-web/5.1.5.RELEASE/c37c4363be4ad6c5f67e3f9f020497e2d599e325/spring-web-5.1.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.
Publish Date: 2020-01-17
URL: CVE-2020-5398
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2020-5398
Release Date: 2020-01-17
Fix Resolution (org.springframework:spring-web): 5.1.13.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.12.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The fix for CVE-2019-0199 was incomplete and did not address HTTP/2 connection window exhaustion on write in Apache Tomcat versions 9.0.0.M1 to 9.0.19 and 8.5.0 to 8.5.40. By not sending WINDOW_UPDATE messages for the connection window (stream 0), clients were able to cause server-side threads to block, eventually leading to thread exhaustion and a DoS.
Publish Date: 2019-06-21
URL: CVE-2019-10072
Base Score Metrics:
Type: Upgrade version
Origin: http://tomcat.apache.org/security-8.html#Fixed_in_Apache_Tomcat_8.5.41
Release Date: 2019-06-21
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.20
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When using FORM authentication with Apache Tomcat 9.0.0.M1 to 9.0.29, 8.5.0 to 8.5.49 and 7.0.0 to 7.0.98 there was a narrow window where an attacker could perform a session fixation attack. The window was considered too narrow for an exploit to be practical but, erring on the side of caution, this issue has been treated as a security vulnerability.
Publish Date: 2019-12-23
URL: CVE-2019-17563
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17563
Release Date: 2019-12-23
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.30
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.12.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A specially crafted sequence of HTTP/2 requests sent to Apache Tomcat 10.0.0-M1 to 10.0.0-M5, 9.0.0.M1 to 9.0.35 and 8.5.0 to 8.5.55 could trigger high CPU usage for several seconds. If a sufficient number of such requests were made on concurrent HTTP/2 connections, the server could become unresponsive.
Publish Date: 2020-06-26
URL: CVE-2020-11996
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-06-26
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.36
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An h2c direct connection to Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M5 to 9.0.36 and 8.5.1 to 8.5.56 did not release the HTTP/1.1 processor after the upgrade to HTTP/2. If a sufficient number of such requests were made, an OutOfMemoryException could occur leading to a denial of service.
Publish Date: 2020-07-14
URL: CVE-2020-13934
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.37
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.16.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Library home page: https://tomcat.apache.org/
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-websocket/9.0.16/f5eac487823c68f5d20742a99df1d94350c24d21/tomcat-embed-websocket-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The payload length in a WebSocket frame was not correctly validated in Apache Tomcat 10.0.0-M1 to 10.0.0-M6, 9.0.0.M1 to 9.0.36, 8.5.0 to 8.5.56 and 7.0.27 to 7.0.104. Invalid payload lengths could trigger an infinite loop. Multiple requests with invalid payload lengths could lead to a denial of service.
Publish Date: 2020-07-14
URL: CVE-2020-13935
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-07-14
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-websocket): 9.0.37
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.16.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When responding to new h2c connection requests, Apache Tomcat versions 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41 and 8.5.0 to 8.5.61 could duplicate request headers and a limited amount of request body from one request to another meaning user A and user B could both see the results of user A's request.
Publish Date: 2021-03-01
URL: CVE-2021-25122
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-01
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.43
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.3.9.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Tomcat 8.5.0 to 8.5.63, 9.0.0-M1 to 9.0.43 and 10.0.0-M1 to 10.0.2 did not properly validate incoming TLS packets. When Tomcat was configured to use NIO+OpenSSL or NIO2+OpenSSL for TLS, a specially crafted packet could be used to trigger an infinite loop resulting in a denial of service.
Publish Date: 2021-09-16
URL: CVE-2021-41079
Base Score Metrics:
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2021-09-16
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.44
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.3.10.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
If Apache Tomcat 8.5.0 to 8.5.82, 9.0.0-M1 to 9.0.67, 10.0.0-M1 to 10.0.26 or 10.1.0-M1 to 10.1.0 was configured to ignore invalid HTTP headers via setting rejectIllegalHeader to false (the default for 8.5.x only), Tomcat did not reject a request containing an invalid Content-Length header making a request smuggling attack possible if Tomcat was located behind a reverse proxy that also failed to reject the request with the invalid header.
Publish Date: 2022-11-01
URL: CVE-2022-42252
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p22x-g9px-3945
Release Date: 2022-11-01
Fix Resolution: org.apache.tomcat:tomcat:8.5.83,9.0.68,10.0.27,10.1.1
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The fix for CVE-2020-9484 was incomplete. When using Apache Tomcat 10.0.0-M1 to 10.0.0, 9.0.0.M1 to 9.0.41, 8.5.0 to 8.5.61 or 7.0.0 to 7.0.107 with a configuration edge case that was highly unlikely to be used, the Tomcat instance was still vulnerable to CVE-2020-9494. Note that both the previously published prerequisites for CVE-2020-9484 and the previously published mitigations for CVE-2020-9484 also apply to this issue.
Publish Date: 2021-03-01
URL: CVE-2021-25329
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-01
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.43
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.3.9.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When Apache Tomcat 9.0.0.M1 to 9.0.28, 8.5.0 to 8.5.47, 7.0.0 and 7.0.97 is configured with the JMX Remote Lifecycle Listener, a local attacker without access to the Tomcat process or configuration files is able to manipulate the RMI registry to perform a man-in-the-middle attack to capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and gain complete control over the Tomcat instance.
Publish Date: 2019-12-23
URL: CVE-2019-12418
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12418
Release Date: 2019-12-23
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.29
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.11.RELEASE
In order to enable automatic remediation, please create workflow rules
Core Tomcat implementation
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.tomcat.embed/tomcat-embed-core/9.0.16/d7069e3d0f760035b26b68b7b6af5eaa0c1862f/tomcat-embed-core-9.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
Publish Date: 2020-05-20
URL: CVE-2020-9484
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
Release Date: 2020-05-20
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 9.0.35
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.15.RELEASE
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.9
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.9
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.6.9
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-29482 | High | 7.5 | github.com/ulikunitz/xz-v0.5.7 | Transitive | N/A | ❌ |
CVE-2020-16845 | High | 7.5 | github.com/ulikunitz/xz-v0.5.7 | Transitive | N/A | ❌ |
Pure golang package for reading and writing xz-compressed files
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
xz is a compression and decompression library focusing on the xz format completely written in Go. The function readUvarint used to read the xz container format may not terminate a loop when provided malicious input. The problem has been fixed in release v0.5.8. As a workaround users can limit the size of the compressed file input to a reasonable size for their use case. The standard library recently had the same issue and got CVE-2020-16845 allocated.
Publish Date: 2021-04-28
URL: CVE-2021-29482
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-25xm-hr59-7c27
Release Date: 2021-04-28
Fix Resolution: v0.5.8
Pure golang package for reading and writing xz-compressed files
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Publish Date: 2020-08-06
URL: CVE-2020-16845
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q6gq-997w-f55g
Release Date: 2020-08-06
Fix Resolution: go1.13.15,go1.14.7,github.com/ulikunitz/xz - v0.5.8
JSON API documentation for spring based applications
Library home page: https://github.com/springfox/springfox
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.springfox/springfox-swagger-ui/2.9.2/d542382a88ff3ea8d4032c28b2b0325797fada7d/springfox-swagger-ui-2.9.2.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (springfox-swagger-ui version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-17495 | High | 9.8 | springfox-swagger-ui-2.9.2.jar | Direct | 3.23.11 | ✅ |
CVE-2018-10237 | Medium | 5.9 | guava-20.0.jar | Transitive | 2.10.0 | ✅ |
CVE-2018-25031 | Medium | 4.3 | springfox-swagger-ui-2.9.2.jar | Direct | swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3 | ✅ |
CVE-2020-8908 | Low | 3.3 | guava-20.0.jar | Transitive | 2.10.0 | ✅ |
JSON API documentation for spring based applications
Library home page: https://github.com/springfox/springfox
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.springfox/springfox-swagger-ui/2.9.2/d542382a88ff3ea8d4032c28b2b0325797fada7d/springfox-swagger-ui-2.9.2.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Cascading Style Sheets (CSS) injection vulnerability in Swagger UI before 3.23.11 allows attackers to use the Relative Path Overwrite (RPO) technique to perform CSS-based input field value exfiltration, such as exfiltration of a CSRF token value. In other words, this product intentionally allows the embedding of untrusted JSON data from remote servers, but it was not previously known that <style>@import within the JSON data was a functional attack method.
Publish Date: 2019-10-10
URL: CVE-2019-17495
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17495
Release Date: 2019-10-10
Fix Resolution: 3.23.11
In order to enable automatic remediation, please create workflow rules
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Library home page: https://github.com/google/guava
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/20.0/89507701249388e1ed5ddcf8c41f4ce1be7831ef/guava-20.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution (com.google.guava:guava): 24.1.1-android
Direct dependency fix Resolution (io.springfox:springfox-swagger-ui): 2.10.0
In order to enable automatic remediation, please create workflow rules
JSON API documentation for spring based applications
Library home page: https://github.com/springfox/springfox
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.springfox/springfox-swagger-ui/2.9.2/d542382a88ff3ea8d4032c28b2b0325797fada7d/springfox-swagger-ui-2.9.2.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Swagger UI before 4.1.3 could allow a remote attacker to conduct spoofing attacks. By persuading a victim to open a crafted URL, an attacker could exploit this vulnerability to display remote OpenAPI definitions.
Publish Date: 2022-03-11
URL: CVE-2018-25031
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qrmm-w75w-3wpx
Release Date: 2022-03-11
Fix Resolution: swagger-ui - 4.1.3;swagger-ui-dist - 4.1.3
In order to enable automatic remediation, please create workflow rules
Guava is a suite of core and expanded libraries that include utility classes, Google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Library home page: https://github.com/google/guava
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.google.guava/guava/20.0/89507701249388e1ed5ddcf8c41f4ce1be7831ef/guava-20.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution (com.google.guava:guava): 30.0-android
Direct dependency fix Resolution (io.springfox:springfox-swagger-ui): 2.10.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (commons-compress version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-36090 | High | 7.5 | commons-compress-1.11.jar | Direct | 1.21 | ✅ |
CVE-2021-35517 | High | 7.5 | commons-compress-1.11.jar | Direct | 1.21 | ✅ |
CVE-2021-35516 | High | 7.5 | commons-compress-1.11.jar | Direct | 1.21 | ✅ |
CVE-2021-35515 | High | 7.5 | commons-compress-1.11.jar | Direct | 1.21 | ✅ |
CVE-2018-11771 | Medium | 5.5 | commons-compress-1.11.jar | Direct | 1.18 | ✅ |
CVE-2018-1324 | Medium | 5.5 | commons-compress-1.11.jar | Direct | 1.16 | ✅ |
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
In order to enable automatic remediation, please create workflow rules
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
In order to enable automatic remediation, please create workflow rules
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
In order to enable automatic remediation, please create workflow rules
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
In order to enable automatic remediation, please create workflow rules
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-08-16
URL: CVE-2018-11771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
Release Date: 2018-08-16
Fix Resolution: 1.18
In order to enable automatic remediation, please create workflow rules
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.11/f43ce4c878078cbcfbb061353aa672a4c8e81443/commons-compress-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-03-16
URL: CVE-2018-1324
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324
Release Date: 2018-03-16
Fix Resolution: 1.16
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (kotlin-reflect version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-24329 | Medium | 5.3 | detected in multiple dependencies | Transitive | 1.6.0 | ✅ |
Kotlin Standard Library for JVM
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.41/e24bd38de28a326cce8b1f0d61e809e9a92dad6a/kotlin-stdlib-1.3.41.jar
Dependency Hierarchy:
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-reflect): 1.6.0
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (snakeyaml version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-1471 | High | 9.8 | snakeyaml-1.19.jar | Direct | N/A | ❌ |
CVE-2017-18640 | High | 7.5 | snakeyaml-1.19.jar | Direct | 1.26 | ✅ |
CVE-2022-25857 | High | 7.5 | snakeyaml-1.19.jar | Direct | 1.31 | ✅ |
CVE-2022-38749 | Medium | 6.5 | snakeyaml-1.19.jar | Direct | 1.31 | ✅ |
CVE-2022-41854 | Medium | 6.5 | snakeyaml-1.19.jar | Direct | 1.32 | ✅ |
CVE-2022-38752 | Medium | 6.5 | snakeyaml-1.19.jar | Direct | 1.32 | ✅ |
CVE-2022-38751 | Medium | 6.5 | snakeyaml-1.19.jar | Direct | 1.31 | ✅ |
CVE-2022-38750 | Medium | 5.5 | snakeyaml-1.19.jar | Direct | 1.31 | ✅ |
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
Base Score Metrics:
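The vulnerable and the hardened loader side by side, as an added example that is not code from this report or from the SnakeYAML project. It assumes the SnakeYAML 1.x API (the no-argument Constructor and SafeConstructor present from the 1.19 on this page through 1.33); SnakeYAML 2.x requires a LoaderOptions argument and rejects global tags by default even with Constructor. The tagged document is a constructed sample: java.net.URL on its own is harmless, but the same `!!fully.qualified.Class [args]` syntax is what lets an attacker name classes such as URLClassLoader and ScriptEngineManager.

```java
import java.util.Map;

import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.Constructor;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Contrasts SnakeYAML's Constructor (arbitrary types) with SafeConstructor (YAML types only). */
public final class YamlLoading {

    /** Ordinary configuration document (constructed sample). */
    static final String PLAIN = "name: app\nreplicas: 3\n";

    /** Constructed sample: a global tag that names a JDK class for the loader to instantiate. */
    static final String TAGGED = "!!java.net.URL [\"http://example.invalid/\"]";

    /** Vulnerable pattern (CVE-2022-1471): Constructor instantiates whatever class a !! tag names. */
    static Object loadUnsafe(String yaml) {
        return new Yaml(new Constructor()).load(yaml);
    }

    /** Hardened pattern: SafeConstructor builds only maps, lists and scalars. */
    static Object loadSafe(String yaml) {
        return new Yaml(new SafeConstructor()).load(yaml);
    }

    /** Returns true when the safe loader refuses the document with a YAMLException. */
    static boolean safeLoaderRejects(String yaml) {
        try {
            loadSafe(yaml);
            return false;
        } catch (YAMLException e) {
            // ConstructorException, a YAMLException subclass: no constructor for the tag
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        Map<?, ?> config = (Map<?, ?>) loadSafe(PLAIN);
        System.out.println("safe loader, plain document: " + config);

        Object built = loadUnsafe(TAGGED);
        System.out.println("unsafe loader instantiated: " + built.getClass().getName());

        System.out.println("safe loader rejects tagged document: " + safeLoaderRejects(TAGGED));
    }
}
```

Note that `new Yaml()` with no arguments uses Constructor, so the default is the unsafe one; code that loads configuration it does not author should name SafeConstructor explicitly rather than rely on a later upgrade changing the default.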
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution: 1.26
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The package org.yaml:snakeyaml before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution: 1.31
In order to enable automatic remediation, please create workflow rules
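Resource limits are the other half of hardening a YAML loader, and they cover both the alias expansion of CVE-2017-18640 above and the unbounded nesting of CVE-2022-25857. The following is an added example, not code from this report or from the SnakeYAML project; it assumes SnakeYAML 1.33 or 2.x, where SafeConstructor accepts a LoaderOptions argument. The version in which each setter appeared is noted in the comments, and the two hostile documents are constructed samples built by the code itself.

```java
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;

/** Type restriction plus resource limits for loading YAML from untrusted sources. */
public final class YamlLimits {

    /** Limits that cap what a single document can cost to load. Values are illustrative. */
    static LoaderOptions hardenedOptions() {
        LoaderOptions opts = new LoaderOptions();
        opts.setMaxAliasesForCollections(50);   // 1.26+: alias/anchor expansion (CVE-2017-18640)
        opts.setAllowRecursiveKeys(false);      // 1.26+: default, stated explicitly
        opts.setNestingDepthLimit(20);          // 1.31+: nested collections (CVE-2022-25857)
        opts.setCodePointLimit(1024 * 1024);    // 1.32+: total document size
        return opts;
    }

    static Object load(String yaml) {
        return new Yaml(new SafeConstructor(hardenedOptions())).load(yaml);
    }

    /** Constructed "billion laughs" document: each level aliases the previous one nine times. */
    static String aliasBomb(int levels) {
        StringBuilder sb = new StringBuilder("a0: &a0 [\"lol\"]\n");
        for (int i = 1; i <= levels; i++) {
            sb.append("a").append(i).append(": &a").append(i).append(" [");
            for (int j = 0; j < 9; j++) {
                sb.append(j == 0 ? "" : ", ").append("*a").append(i - 1);
            }
            sb.append("]\n");
        }
        return sb.toString();
    }

    /** Constructed deep nesting: depth opening brackets followed by depth closing ones. */
    static String deepNesting(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Returns true when the limits make the loader throw instead of expanding the document. */
    static boolean rejects(String yaml) {
        try {
            load(yaml);
            return false;
        } catch (YAMLException e) {
            System.out.println("rejected: " + e.getMessage());
            return true;
        }
    }

    public static void main(String[] args) {
        System.out.println("plain document: " + load("key: value"));
        System.out.println("alias bomb rejected: " + rejects(aliasBomb(9)));       // 81 aliases to collections
        System.out.println("deep nesting rejected: " + rejects(deepNesting(100))); // 100 levels
    }
}
```

The alias limit counts aliases that resolve to sequences or mappings, which is exactly the node type an entity-expansion document multiplies; the nesting limit bounds the parser's recursion depth, so the document size itself no longer dictates stack use.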
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution: 1.31
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution: 1.32
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution: 1.32
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution: 1.31
In order to enable automatic remediation, please create workflow rules
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.19/2d998d3d674b172a588e54ab619854d073f555b5/snakeyaml-1.19.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution: 1.31
In order to enable automatic remediation, please create workflow rules
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (requests version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2020-26137 | Medium | 6.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.5.RELEASE/58b10c61f6bf2362909d884813c4049b657735f5/spring-beans-5.1.5.RELEASE.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (springfox-swagger2 version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-22965 | High | 9.8 | spring-beans-5.1.5.RELEASE.jar | Transitive | N/A* | ❌ |
CVE-2022-22950 | Medium | 6.5 | spring-expression-5.1.5.RELEASE.jar | Transitive | N/A* | ❌ |
CVE-2022-22970 | Medium | 5.3 | spring-beans-5.1.5.RELEASE.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.5.RELEASE/58b10c61f6bf2362909d884813c4049b657735f5/spring-beans-5.1.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Publish Date: 2022-04-01
URL: CVE-2022-22965
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18
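For deployments that cannot take the 5.2.20/5.3.18 upgrade immediately, the Spring announcement linked above published a data-binding deny-list as a workaround. The following is an added example, written here and not copied from the report; it reproduces that workaround's field patterns, assumes Spring MVC on the classpath, and is a stop-gap rather than a fix: the patched versions make the check case-insensitive and close the underlying binding path, which this advice does not.

```java
import org.springframework.core.Ordered;
import org.springframework.core.annotation.Order;
import org.springframework.web.bind.WebDataBinder;
import org.springframework.web.bind.annotation.ControllerAdvice;
import org.springframework.web.bind.annotation.InitBinder;

/**
 * Global deny-list for request data binding. CVE-2022-22965 is exploited by
 * binding request parameters into the "class" property path (class.classLoader
 * and below); refusing those paths on every binder blocks that traversal.
 */
@ControllerAdvice
@Order(Ordered.LOWEST_PRECEDENCE)
public class BinderControllerAdvice {

    /**
     * Patterns as published by the Spring team. On the vulnerable versions
     * setDisallowedFields matches case-sensitively, hence both spellings.
     */
    static final String[] DENYLIST = {"class.*", "Class.*", "*.class.*", "*.Class.*"};

    @InitBinder
    public void setDisallowedFields(WebDataBinder dataBinder) {
        dataBinder.setDisallowedFields(DENYLIST);
    }
}
```

One caveat the announcement itself raises: a controller that declares its own @InitBinder and calls setDisallowedFields locally replaces this global list for that controller, so every such controller must repeat the patterns. That fragility is the reason the upgrade, not the advice, is the remediation of record.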
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.1.5.RELEASE/b728a06924560ee69307a52d100e6b156d9a4a80/spring-expression-5.1.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.5.RELEASE/58b10c61f6bf2362909d884813c4049b657735f5/spring-beans-5.1.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part on a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution: org.springframework:spring-beans:5.2.22,5.3.20;org.springframework:spring-core:5.2.22,5.3.20
Web APIs for Django, made easy.
Library home page: https://files.pythonhosted.org/packages/54/11/a600772feee08f145b3d77ca9cd913d66f17963915aaf239d66ceacf4b7e/djangorestframework-3.10.1-py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (djangorestframework version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-25626 | Medium | 6.1 | djangorestframework-3.10.1-py3-none-any.whl | Direct | 3.12.1 | ✅ |
Web APIs for Django, made easy.
Library home page: https://files.pythonhosted.org/packages/54/11/a600772feee08f145b3d77ca9cd913d66f17963915aaf239d66ceacf4b7e/djangorestframework-3.10.1-py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was found in Django REST Framework versions before 3.12.0 and before 3.11.2. When using the browseable API viewer, Django REST Framework fails to properly escape certain strings that can come from user input. This allows a user who can control those strings to inject malicious <script> tags, leading to a cross-site-scripting (XSS) vulnerability.
Publish Date: 2020-09-30
URL: CVE-2020-25626
Base Score Metrics:
Type: Upgrade version
Origin: https://pypi.org/project/djangorestframework/3.12.1/
Release Date: 2020-09-30
Fix Resolution: 3.12.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (struts2-core version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2016-3082 | High | 9.8 | struts2-core-2.0.5.jar | Direct | 2.3.20.3 | ✅ |
CVE-2021-31805 | High | 9.8 | struts2-core-2.0.5.jar | Direct | 2.0.14 | ✅ |
CVE-2019-0230 | High | 9.8 | struts2-core-2.0.5.jar | Direct | 2.5.22 | ✅ |
CVE-2013-4316 | High | 9.8 | struts2-core-2.0.5.jar | Direct | 2.3.15.2 | ✅ |
CVE-2017-12611 | High | 9.8 | struts2-core-2.0.5.jar | Direct | 2.3.34 | ✅ |
CVE-2020-17530 | High | 9.8 | struts2-core-2.0.5.jar | Direct | 2.5.26 | ✅ |
CVE-2016-3081 | High | 8.1 | struts2-core-2.0.5.jar | Direct | 2.3.20.3 | ✅ |
CVE-2013-2115 | High | 8.1 | struts2-core-2.0.5.jar | Direct | 2.3.14.2 | ✅ |
CVE-2019-0233 | High | 7.5 | struts2-core-2.0.5.jar | Direct | 2.5.22 | ✅ |
CVE-2015-5209 | High | 7.5 | struts2-core-2.0.5.jar | Direct | 2.3.24.1 | ✅ |
CVE-2014-0112 | High | 7.3 | struts2-core-2.0.5.jar | Direct | 2.3.16.2 | ✅ |
CVE-2014-0113 | High | 7.3 | struts2-core-2.0.5.jar | Direct | 2.3.16.2 | ✅ |
CVE-2016-4003 | Medium | 6.1 | struts2-core-2.0.5.jar | Direct | 2.3.28 | ✅ |
CVE-2015-2992 | Medium | 6.1 | struts2-core-2.0.5.jar | Direct | 2.3.20.1 | ✅ |
CVE-2015-5169 | Medium | 6.1 | struts2-core-2.0.5.jar | Direct | 2.3.20.1 | ✅ |
CVE-2013-2251 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.15.1 | ✅ |
CVE-2012-0838 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.2.3.1 | ✅ |
CVE-2013-2135 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.14.3 | ✅ |
CVE-2013-2134 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.14.3 | ✅ |
CVE-2013-1965 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.14.1 | ✅ |
CVE-2013-1966 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.14.2 | ✅ |
CVE-2012-0392 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.1.1 | ✅ |
CVE-2012-0391 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.14.3 | ✅ |
CVE-2013-2248 | Medium | 5.6 | struts2-core-2.0.5.jar | Direct | 2.3.15.1 | ✅ |
CVE-2012-0394 | Medium | 5.6 | xwork-2.0.0.jar | Transitive | N/A* | ❌ |
CVE-2012-4387 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.3.4.1 | ✅ |
CVE-2014-7809 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.3.20 | ✅ |
CVE-2014-0116 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.3.16.3 | ✅ |
CVE-2014-0094 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.3.16.1 | ✅ |
CVE-2016-3093 | Medium | 5.3 | detected in multiple dependencies | Transitive | 2.0.6 | ✅ |
CVE-2008-6504 | Medium | 5.3 | detected in multiple dependencies | Transitive | 2.0.6 | ✅ |
CVE-2010-1870 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.2.1 | ✅ |
CVE-2008-6505 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.0.12 | ✅ |
CVE-2012-0393 | Medium | 5.3 | struts2-core-2.0.5.jar | Direct | 2.3.1.1 | ✅ |
CVE-2013-4310 | Medium | 4.8 | struts2-core-2.0.5.jar | Direct | 2.3.15.2 | ✅ |
CVE-2012-4386 | Low | 3.7 | struts2-core-2.0.5.jar | Direct | 2.3.4.1 | ✅ |
CVE-2011-5057 | Low | 3.7 | struts2-core-2.0.5.jar | Direct | 2.3.1.2 | ✅ |
CVE-2011-1772 | Low | 3.7 | detected in multiple dependencies | Transitive | N/A* | ✅ |
CVE-2008-6682 | Low | 3.7 | struts2-core-2.0.5.jar | Direct | 2.0.11.1 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Partial details (23 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
Publish Date: 2016-04-26
URL: CVE-2016-3082
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-04-26
Fix Resolution: 2.3.20.3
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The fix issued for CVE-2020-17530 was incomplete. As a result, in Apache Struts 2.0.0 to 2.5.29 some tag attributes could still perform a double evaluation if a developer applied forced OGNL evaluation using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to Remote Code Execution and security degradation.
Publish Date: 2022-04-12
URL: CVE-2021-31805
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-062
Release Date: 2022-04-12
Fix Resolution: 2.0.14
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Apache Struts 2.0.0 to 2.5.20, forced double OGNL evaluation of raw user input in tag attributes may lead to remote code execution.
Publish Date: 2020-09-14
URL: CVE-2019-0230
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-059
Release Date: 2020-09-14
Fix Resolution: 2.5.22
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Publish Date: 2013-09-30
URL: CVE-2013-4316
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4316
Release Date: 2013-09-30
Fix Resolution: 2.3.15.2
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.
Publish Date: 2017-09-20
URL: CVE-2017-12611
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-20
Fix Resolution: 2.3.34
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Forced OGNL evaluation of raw user input in tag attributes may lead to remote code execution. Affected software: Apache Struts 2.0.0 to 2.5.25.
Publish Date: 2020-12-11
URL: CVE-2020-17530
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-061
Release Date: 2020-12-11
Fix Resolution: 2.5.26
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Publish Date: 2016-04-26
URL: CVE-2016-3081
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-04-26
Fix Resolution: 2.3.20.3
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag. NOTE: this issue is due to an incomplete fix for CVE-2013-1966.
Publish Date: 2013-07-10
URL: CVE-2013-2115
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2115
Release Date: 2013-07-10
Fix Resolution: 2.3.14.2
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Publish Date: 2020-09-14
URL: CVE-2019-0233
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-060
Release Date: 2020-09-14
Fix Resolution: 2.5.22
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2.x before 2.3.24.1 allows remote attackers to manipulate Struts internals, alter user sessions, or affect container settings via vectors involving a top object.
Publish Date: 2017-08-29
URL: CVE-2015-5209
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5209
Release Date: 2017-08-29
Fix Resolution: 2.3.24.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Publish Date: 2014-04-29
URL: CVE-2014-0112
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0112
Release Date: 2014-04-29
Fix Resolution: 2.3.16.2
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Publish Date: 2014-04-29
URL: CVE-2014-0113
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0113
Release Date: 2014-04-29
Fix Resolution: 2.3.16.2
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Cross-site scripting (XSS) vulnerability in the URLDecoder function in JRE before 1.8, as used in Apache Struts 2.x before 2.3.28, when using a single byte page encoding, allows remote attackers to inject arbitrary web script or HTML via multi-byte characters in a url-encoded parameter.
Publish Date: 2016-04-12
URL: CVE-2016-4003
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-04-12
Fix Resolution: 2.3.28
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts before 2.3.20 has a cross-site scripting (XSS) vulnerability.
Publish Date: 2020-02-27
URL: CVE-2015-2992
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-2992
Release Date: 2020-02-27
Fix Resolution: 2.3.20.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Cross-site scripting (XSS) vulnerability in Apache Struts before 2.3.20.
Publish Date: 2017-09-25
URL: CVE-2015-5169
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5169
Release Date: 2017-09-25
Fix Resolution: 2.3.20.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Publish Date: 2013-07-20
URL: CVE-2013-2251
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
Release Date: 2013-07-20
Fix Resolution: 2.3.15.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2 before 2.2.3.1 evaluates a string as an OGNL expression during the handling of a conversion error, which allows remote attackers to modify run-time data values, and consequently execute arbitrary code, via invalid input to a field.
Publish Date: 2012-03-02
URL: CVE-2012-0838
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-0838
Release Date: 2012-03-02
Fix Resolution: 2.2.3.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Publish Date: 2013-07-16
URL: CVE-2013-2135
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2135
Release Date: 2013-07-16
Fix Resolution: 2.3.14.3
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Publish Date: 2013-07-16
URL: CVE-2013-2134
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2134
Release Date: 2013-07-16
Fix Resolution: 2.3.14.3
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts Showcase App 2.0.0 through 2.3.13, as used in Struts 2 before 2.3.14.3, allows remote attackers to execute arbitrary OGNL code via a crafted parameter name that is not properly handled when invoking a redirect.
Publish Date: 2013-07-10
URL: CVE-2013-1965
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-1965
Release Date: 2013-07-10
Fix Resolution: 2.3.14.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache Struts 2 before 2.3.14.2 allows remote attackers to execute arbitrary OGNL code via a crafted request that is not properly handled when using the includeParams attribute in the (1) URL or (2) A tag.
Publish Date: 2013-07-10
URL: CVE-2013-1966
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-737w-mh58-cxjp
Release Date: 2013-07-10
Fix Resolution: 2.3.14.2
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The CookieInterceptor component in Apache Struts before 2.3.1.1 does not use the parameter-name whitelist, which allows remote attackers to execute arbitrary commands via a crafted HTTP Cookie header that triggers Java code execution through a static method.
Publish Date: 2012-01-08
URL: CVE-2012-0392
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-0392
Release Date: 2012-01-08
Fix Resolution: 2.3.1.1
In order to enable automatic remediation, please create workflow rules
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during certain exception handling for mismatched data types of properties, which allows remote attackers to execute arbitrary Java code via a crafted parameter.
Publish Date: 2012-01-08
URL: CVE-2012-0391
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-0391
Release Date: 2012-01-08
Fix Resolution: 2.3.14.3
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs
Library home page: https://github.com/FasterXML/woodstox
Path to dependency file: /Java/Maven/simple-pom-3/pom.xml
Path to vulnerable library: /tmp/ws-ua_20230110155056_BIGSSE/downloadResource_ADDORW/20230110155453/woodstox-core-5.0.2.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (woodstox-core version) | Remediation Available |
---|---|---|---|---|---|---|
WS-2018-0629 | High | 9.1 | woodstox-core-5.0.2.jar | Direct | 5.2.1 | ✅ |
CVE-2022-40153 | High | 7.5 | woodstox-core-5.0.2.jar | Direct | 5.4.0 | ✅ |
CVE-2022-40152 | High | 7.5 | woodstox-core-5.0.2.jar | Direct | 5.4.0 | ✅ |
Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs
Library home page: https://github.com/FasterXML/woodstox
Path to dependency file: /Java/Maven/simple-pom-3/pom.xml
Path to vulnerable library: /tmp/ws-ua_20230110155056_BIGSSE/downloadResource_ADDORW/20230110155453/woodstox-core-5.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The woodstox-core package is vulnerable to improper restriction of XXE reference.
Publish Date: 2018-08-23
URL: WS-2018-0629
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-08-23
Fix Resolution: 5.2.1
In order to enable automatic remediation, please create workflow rules
Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs
Library home page: https://github.com/FasterXML/woodstox
Path to dependency file: /Java/Maven/simple-pom-3/pom.xml
Path to vulnerable library: /tmp/ws-ua_20230110155056_BIGSSE/downloadResource_ADDORW/20230110155453/woodstox-core-5.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Those using Xstream to serialize XML data may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-09-16
URL: CVE-2022-40153
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-09-16
Fix Resolution: 5.4.0
In order to enable automatic remediation, please create workflow rules
Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs
Library home page: https://github.com/FasterXML/woodstox
Path to dependency file: /Java/Maven/simple-pom-3/pom.xml
Path to vulnerable library: /tmp/ws-ua_20230110155056_BIGSSE/downloadResource_ADDORW/20230110155453/woodstox-core-5.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-09-16
URL: CVE-2022-40152
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-09-16
Fix Resolution: 5.4.0
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (netty-codec-http version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-20445 | High | 9.1 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.44.Final | ✅ |
CVE-2019-20444 | High | 9.1 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.44.Final | ✅ |
CVE-2020-11612 | High | 7.5 | netty-codec-4.1.39.Final.jar | Transitive | 4.1.46.Final | ✅ |
CVE-2021-37136 | High | 7.5 | netty-codec-4.1.39.Final.jar | Transitive | 4.1.68.Final | ✅ |
CVE-2021-37137 | High | 7.5 | netty-codec-4.1.39.Final.jar | Transitive | 4.1.68.Final | ✅ |
CVE-2019-16869 | High | 7.5 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.42.Final | ✅ |
CVE-2020-7238 | High | 7.5 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.44.Final | ✅ |
WS-2020-0408 | High | 7.4 | netty-handler-4.1.39.Final.jar | Transitive | 4.1.69.Final | ✅ |
CVE-2022-41915 | Medium | 6.5 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.86.Final | ✅ |
CVE-2021-43797 | Medium | 6.5 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.71.Final | ✅ |
CVE-2021-21295 | Medium | 5.9 | netty-codec-http-4.1.39.Final.jar | Direct | 4.1.60.Final | ✅ |
CVE-2022-24823 | Medium | 5.5 | netty-common-4.1.39.Final.jar | Transitive | N/A* | ❌ |
CVE-2021-21290 | Medium | 5.5 | detected in multiple dependencies | Transitive | 4.1.59.Final | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution: 4.1.44.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: 4.1.44.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Publish Date: 2020-04-07
URL: CVE-2020-11612
Base Score Metrics:
Type: Upgrade version
Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html
Release Date: 2020-04-07
Fix Resolution (io.netty:netty-codec): 4.1.46.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.46.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack.
Publish Date: 2021-10-19
URL: CVE-2021-37136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.68.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution (io.netty:netty-codec): 4.1.68.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.68.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Publish Date: 2019-09-26
URL: CVE-2019-16869
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
Release Date: 2019-09-26
Fix Resolution: 4.1.42.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Publish Date: 2020-01-27
URL: CVE-2020-7238
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-27
Fix Resolution: 4.1.44.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.39.Final/4a63b56de071c1b10a56b5d90095e4201ea4098f/netty-handler-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that is not intended for them. This is an issue because the certificate is not matched with the host.
Publish Date: 2020-06-22
URL: WS-2020-0408
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408
Release Date: 2020-06-22
Fix Resolution (io.netty:netty-handler): 4.1.69.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.69.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty project is an event-driven asynchronous network application framework. In versions prior to 4.1.86.Final, when calling DefaultHttpHeaders.set with an iterator of values, header value validation was not performed, allowing malicious header values in the iterator to perform HTTP Response Splitting. This issue has been patched in version 4.1.86.Final. Integrators can work around the issue by replacing the DefaultHttpHeaders.set(CharSequence, Iterator<?>) call with a remove() call followed by add() in a loop over the iterator of values.
Publish Date: 2022-12-13
URL: CVE-2022-41915
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-12-13
Fix Resolution: 4.1.86.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.
Publish Date: 2021-12-09
URL: CVE-2021-43797
Base Score Metrics:
Type: Upgrade version
Origin: CVE-2021-43797
Release Date: 2021-12-09
Fix Resolution: 4.1.71.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.
Publish Date: 2021-03-09
URL: CVE-2021-21295
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wm47-8v5p-wjpj
Release Date: 2021-03-09
Fix Resolution: 4.1.60.Final
In order to enable automatic remediation, please create workflow rules
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-common/4.1.39.Final/9c8c6d0dd43ee26ec8052a42d3ee1113dc6c08ed/netty-common-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework. The package io.netty:netty-codec-http prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own java.io.tmpdir when starting the JVM or use DefaultHttpDataFactory.setBaseDir(...) to set the directory to something that is only readable by the current user.
Publish Date: 2022-05-06
URL: CVE-2022-24823
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
Release Date: 2022-05-06
Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.39.Final/4a63b56de071c1b10a56b5d90095e4201ea4098f/netty-handler-4.1.39.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.39.Final/732d06961162e27fa3ae5989541c4460853745d3/netty-codec-http-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Publish Date: 2021-02-08
URL: CVE-2021-21290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5mcr-gq6c-3hq2
Release Date: 2021-02-08
Fix Resolution (io.netty:netty-handler): 4.1.59.Final
Direct dependency fix Resolution (io.netty:netty-codec-http): 4.1.59.Final
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.9/a25c1be5ce99d0ce99aa43eb982868c796dd0775/httpclient-4.5.9.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (slack-spring-boot-starter version) | Remediation Available |
---|---|---|---|---|---|---|
WS-2019-0379 | Medium | 6.5 | commons-codec-1.12.jar | Transitive | N/A* | ❌ |
CVE-2020-13956 | Medium | 5.3 | httpclient-4.5.9.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/proper/commons-codec/
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.12/47a28ef1ed31eb182b44e15d49300dee5fadcf6a/commons-codec-1.12.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Apache HttpComponents Client
Library home page: http://hc.apache.org/
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.9/a25c1be5ce99d0ce99aa43eb982868c796dd0775/httpclient-4.5.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (jackson-databind version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2018-14721 | High | 10.0 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2019-14540 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2019-17531 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.1 | ✅ |
CVE-2017-15095 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.4 | ✅ |
CVE-2017-7525 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.1 | ✅ |
CVE-2018-14720 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2019-16335 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.6 | ✅ |
CVE-2019-17267 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2018-11307 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.4 | ✅ |
CVE-2019-16942 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2020-8840 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2019-16943 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2018-19362 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2018-19361 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2018-19360 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2019-10202 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2019-14893 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.8.11.5 | ✅ |
CVE-2019-14892 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2020-9546 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2017-17485 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.8.11 | ✅ |
CVE-2019-14379 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.6 | ✅ |
CVE-2020-9547 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-9548 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2019-20330 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2018-14719 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2018-14718 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2018-7489 | High | 9.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.3 | ✅ |
CVE-2020-10968 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-10969 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-11111 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-11113 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-11112 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-10672 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-10673 | High | 8.8 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2020-11619 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-36189 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36188 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-11620 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-10650 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.4 | ✅ |
CVE-2020-36181 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36180 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36183 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36182 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36185 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2018-5968 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.7.9.5 | ✅ |
CVE-2020-36184 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36187 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-36186 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2021-20190 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.7 | ✅ |
CVE-2020-36179 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.9.10.8 | ✅ |
CVE-2020-24616 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-14060 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-14061 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-14062 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-24750 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2020-14195 | High | 8.1 | jackson-databind-2.7.9.jar | Direct | 2.8.0.rc1 | ✅ |
CVE-2019-12086 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.7.9.6 | ✅ |
CVE-2018-12022 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.7.9.4 | ✅ |
CVE-2018-12023 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.7.9.4 | ✅ |
CVE-2019-14439 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.7.9.7 | ✅ |
CVE-2022-42004 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.13.4 | ✅ |
CVE-2022-42003 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.13.0-rc1 | ✅ |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.7.9.jar | Direct | 2.12.6.1 | ✅ |
CVE-2019-12814 | Medium | 5.9 | jackson-databind-2.7.9.jar | Direct | 2.7.9.6 | ✅ |
CVE-2019-12384 | Medium | 5.9 | jackson-databind-2.7.9.jar | Direct | 2.7.9.6 | ✅ |
WS-2018-0124 | Medium | 5.3 | jackson-core-2.7.9.jar | Transitive | 2.8.6 | ✅ |
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: 2.7.9.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: 2.8.0.rc1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.9.10.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Release Date: 2018-02-06
Fix Resolution: 2.7.9.4
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Publish Date: 2018-02-06
URL: CVE-2017-7525
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
Release Date: 2018-02-06
Fix Resolution: 2.7.9.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.7.9.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-09-15
Fix Resolution: 2.7.9.6
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution: 2.8.0.rc1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-07-09
Fix Resolution: 2.7.9.4
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: 2.7.9.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution: 2.7.9.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution: 2.7.9.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution: 2.7.9.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution: 2.7.9.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution: 2.7.9.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://access.redhat.com/errata/RHSA-2019:2938
Release Date: 2019-10-01
Fix Resolution: 2.8.0.rc1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14893
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
Release Date: 2020-03-02
Fix Resolution: 2.8.11.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14892
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-09-04
Fix Resolution: 2.7.9.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution: 2.7.9.7
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (camel-zookeeper version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-42004 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | N/A* | ❌ |
CVE-2022-42003 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | N/A* | ❌ |
CVE-2020-25649 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | N/A* | ❌ |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.10.0.jar | Transitive | N/A* | ❌ |
CVE-2021-37136 | High | 7.5 | netty-codec-4.1.50.Final.jar | Transitive | N/A* | ❌ |
CVE-2021-37137 | High | 7.5 | netty-codec-4.1.50.Final.jar | Transitive | N/A* | ❌ |
WS-2020-0408 | High | 7.4 | netty-handler-4.1.50.Final.jar | Transitive | N/A* | ❌ |
CVE-2022-24823 | Medium | 5.5 | netty-common-4.1.50.Final.jar | Transitive | N/A* | ❌ |
CVE-2021-21290 | Medium | 5.5 | netty-handler-4.1.50.Final.jar | Transitive | N/A* | ❌ |
CVE-2020-8908 | Low | 3.3 | guava-28.2-jre.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02
URL: CVE-2022-42004
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.13.4
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix version in 2.13.4.1 and 2.12.17.1
Publish Date: 2022-10-02
URL: CVE-2022-42003
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-10-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.7.1,2.13.4.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Publish Date: 2020-12-03
URL: CVE-2020-25649
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-12-03
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.4,2.9.10.7,2.10.5.1,2.11.0.rc1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.10.0/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-03-11
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.12.6.1,2.13.2.1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.50.Final/netty-codec-4.1.50.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.
Publish Date: 2021-10-19
URL: CVE-2021-37136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.50.Final/netty-codec-4.1.50.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.50.Final/netty-handler-4.1.50.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic that is not intended for them. This is an issue because the certificate is not matched against the host.
Publish Date: 2020-06-22
URL: WS-2020-0408
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408
Release Date: 2020-06-22
Fix Resolution: io.netty:netty-all - 4.1.68.Final-redhat-00001,4.0.0.Final,4.1.67.Final-redhat-00002;io.netty:netty-handler - 4.1.68.Final-redhat-00001,4.1.67.Final-redhat-00001
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-common/4.1.50.Final/netty-common-4.1.50.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework. The package `io.netty:netty-codec-http` prior to version 4.1.77.Final contains an insufficient fix for CVE-2021-21290. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. This only impacts applications running on Java version 6 and lower. Additionally, this vulnerability impacts code running on Unix-like systems, and very old versions of Mac OSX and Windows, as they all share the system temporary directory between all users. Version 4.1.77.Final contains a patch for this vulnerability. As a workaround, specify one's own `java.io.tmpdir` when starting the JVM or use `DefaultHttpDataFactory.setBaseDir(...)` to set the directory to something that is only readable by the current user.
Publish Date: 2022-05-06
URL: CVE-2022-24823
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24823
Release Date: 2022-05-06
Fix Resolution: io.netty:netty-all;io.netty:netty-common - 4.1.77.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.50.Final/netty-handler-4.1.50.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporary storing of uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Publish Date: 2021-02-08
URL: CVE-2021-21290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5mcr-gq6c-3hq2
Release Date: 2021-02-08
Fix Resolution: io.netty:netty-codec-http:4.1.59.Final
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /Java/Maven/simple-pom-2/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/28.2-jre/guava-28.2-jre.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: v30.0
Path to vulnerable library: /Python/Pip/requirements.txt
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (threadfix_api version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33503 | High | 7.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
CVE-2020-26137 | Medium | 6.5 | urllib3-1.24.3-py2.py3-none-any.whl | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/01/11/525b02e4acc0c747de8b6ccdab376331597c569c42ea66ab0a1dbd36eca2/urllib3-1.24.3-py2.py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
Django-filter is a reusable Django application for allowing users to filter querysets dynamically.
Library home page: https://files.pythonhosted.org/packages/0a/c9/acc63b687002afae8b5137afd6230d88c99411aa2daedf07fed3f0913516/django_filter-2.2.0-py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (django_filter version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-15225 | Medium | 6.5 | django_filter-2.2.0-py3-none-any.whl | Direct | 2.4.0 | ✅ |
Django-filter is a reusable Django application for allowing users to filter querysets dynamically.
Library home page: https://files.pythonhosted.org/packages/0a/c9/acc63b687002afae8b5137afd6230d88c99411aa2daedf07fed3f0913516/django_filter-2.2.0-py3-none-any.whl
Path to dependency file: /Python/Pip/requirements.txt
Path to vulnerable library: /Python/Pip/requirements.txt
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
django-filter is a generic system for filtering Django QuerySets based on user selections. In django-filter before version 2.4.0, automatically generated `NumberFilter` instances, whose value was later converted to an integer, were subject to potential DoS from malicious input using exponential format with sufficiently large exponents. Version 2.4.0+ applies a `MaxValueValidator` with a default `limit_value` of 1e50 to the form field used by `NumberFilter` instances. In addition, `NumberFilter` implements the new `get_max_validator()`, which should return a configured validator instance to customise the limit, or else `None` to disable the additional validation. Users may manually apply an equivalent validator if they are not able to upgrade.
Publish Date: 2021-04-29
URL: CVE-2020-15225
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-04-29
Fix Resolution: 2.4.0
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.41/e24bd38de28a326cce8b1f0d61e809e9a92dad6a/kotlin-stdlib-1.3.41.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-24329 | Medium | 5.3 | multiple | Transitive | 1.3.50 | ❌ |
Kotlin Standard Library for JVM
Library home page: https://kotlinlang.org/
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar
Dependency Hierarchy:
Kotlin Standard Library for JVM
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.41/e24bd38de28a326cce8b1f0d61e809e9a92dad6a/kotlin-stdlib-1.3.41.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-stdlib-jdk8): 1.3.50
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (junit-vintage-engine version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-15250 | Medium | 5.5 | junit-4.12.jar | Transitive | 5.8.0 | ✅ |
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the `java.io.tmpdir` system property to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution (junit:junit): 4.13.1
Direct dependency fix Resolution (org.junit.vintage:junit-vintage-engine): 5.8.0
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (Django version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-19844 | High | 9.8 | Django-1.11.22-py2.py3-none-any.whl | Direct | 1.11.27;2.2.9;3.0.1 | ❌ |
CVE-2020-7471 | High | 9.8 | Django-1.11.22-py2.py3-none-any.whl | Direct | 1.11.28,2.2.10,3.0.3 | ❌ |
CVE-2019-14234 | High | 9.8 | Django-1.11.22-py2.py3-none-any.whl | Direct | 2.2.4, 2.1.11, 1.11.23 | ❌ |
CVE-2022-34265 | High | 9.8 | Django-1.11.22-py2.py3-none-any.whl | Direct | Django - 3.2.14,4.0.6 | ❌ |
CVE-2020-9402 | High | 8.8 | Django-1.11.22-py2.py3-none-any.whl | Direct | 1.11.29,2.2.11,3.0.4 | ❌ |
CVE-2019-14232 | High | 7.5 | Django-1.11.22-py2.py3-none-any.whl | Direct | 1.11.23,2.1.11,2.2.4 | ❌ |
CVE-2019-14235 | High | 7.5 | Django-1.11.22-py2.py3-none-any.whl | Direct | 1.11.23,2.1.11,2.2.4 | ❌ |
CVE-2021-44420 | High | 7.3 | Django-1.11.22-py2.py3-none-any.whl | Direct | Django - 2.2.25,3.1.14,3.2.10 | ❌ |
CVE-2019-14233 | Low | 2.8 | Django-1.11.22-py2.py3-none-any.whl | Direct | 1.11.23,2.1.11,2.2.4 | ❌ |
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Django before 1.11.27, 2.x before 2.2.9, and 3.x before 3.0.1 allows account takeover. A suitably crafted email address (that is equal to an existing user's email address after case transformation of Unicode characters) would allow an attacker to be sent a password reset token for the matched user account. (One mitigation in the new releases is to send password reset tokens only to the registered user email address.)
Publish Date: 2019-12-18
URL: CVE-2019-19844
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-19844
Release Date: 2019-12-18
Fix Resolution: 1.11.27;2.2.9;3.0.1
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Django 1.11 before 1.11.28, 2.2 before 2.2.10, and 3.0 before 3.0.3 allows SQL Injection if untrusted data is used as a StringAgg delimiter (e.g., in Django applications that offer downloads of data as a series of rows with a user-specified column delimiter). By passing a suitably crafted delimiter to a contrib.postgres.aggregates.StringAgg instance, it was possible to break escaping and inject malicious SQL.
Publish Date: 2020-02-03
URL: CVE-2020-7471
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7471
Release Date: 2020-06-19
Fix Resolution: 1.11.28,2.2.10,3.0.3
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to an error in shallow key transformation, key and index lookups for django.contrib.postgres.fields.JSONField, and key lookups for django.contrib.postgres.fields.HStoreField, were subject to SQL injection. This could, for example, be exploited via crafted use of "OR 1=1" in a key or index name to return all records, using a suitably crafted dictionary, with dictionary expansion, as the **kwargs passed to the QuerySet.filter() function.
Publish Date: 2019-08-09
URL: CVE-2019-14234
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2019/aug/01/security-releases/
Release Date: 2019-08-09
Fix Resolution: 2.2.4, 2.1.11, 1.11.23
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in Django 3.2 before 3.2.14 and 4.0 before 4.0.6. The Trunc() and Extract() database functions are subject to SQL injection if untrusted data is used as a kind/lookup_name value. Applications that constrain the lookup name and kind choice to a known safe list are unaffected.
Mend Note: After conducting further research, Mend has determined that all versions of Django before version 3.2.14 and before 4.0.6 are vulnerable to CVE-2022-34265.
Publish Date: 2022-07-04
URL: CVE-2022-34265
Base Score Metrics:
Type: Upgrade version
Origin: https://www.djangoproject.com/weblog/2022/jul/04/security-releases/
Release Date: 2022-07-04
Fix Resolution: Django - 3.2.14,4.0.6
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Django 1.11 before 1.11.29, 2.2 before 2.2.11, and 3.0 before 3.0.4 allows SQL Injection if untrusted data is used as a tolerance parameter in GIS functions and aggregates on Oracle. By passing a suitably crafted tolerance to GIS functions and aggregates on Oracle, it was possible to break escaping and inject malicious SQL.
Publish Date: 2020-03-05
URL: CVE-2020-9402
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9402
Release Date: 2020-03-05
Fix Resolution: 1.11.29,2.2.11,3.0.4
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If django.utils.text.Truncator's chars() and words() methods were passed the html=True argument, they were extremely slow to evaluate certain inputs due to a catastrophic backtracking vulnerability in a regular expression. The chars() and words() methods are used to implement the truncatechars_html and truncatewords_html template filters, which were thus vulnerable.
Publish Date: 2019-08-02
URL: CVE-2019-14232
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14232
Release Date: 2019-08-02
Fix Resolution: 1.11.23,2.1.11,2.2.4
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. If passed certain inputs, django.utils.encoding.uri_to_iri could lead to significant memory usage due to a recursion when repercent-encoding invalid UTF-8 octet sequences.
Publish Date: 2019-08-02
URL: CVE-2019-14235
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14235
Release Date: 2019-08-02
Fix Resolution: 1.11.23,2.1.11,2.2.4
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Django 2.2 before 2.2.25, 3.1 before 3.1.14, and 3.2 before 3.2.10, HTTP requests for URLs with trailing newlines could bypass upstream access control based on URL paths.
Publish Date: 2021-12-08
URL: CVE-2021-44420
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.djangoproject.com/en/3.2/releases/security/
Release Date: 2021-12-08
Fix Resolution: Django - 2.2.25,3.1.14,3.2.10
A high-level Python Web framework that encourages rapid development and clean, pragmatic design.
Library home page: https://files.pythonhosted.org/packages/70/22/237da71dc112f2bba335c18380bc403fba430c44cc4da088824e77652738/Django-1.11.22-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in Django 1.11.x before 1.11.23, 2.1.x before 2.1.11, and 2.2.x before 2.2.4. Due to the behaviour of the underlying HTMLParser, django.utils.html.strip_tags would be extremely slow to evaluate certain inputs containing large sequences of nested incomplete HTML entities.
Publish Date: 2019-08-02
URL: CVE-2019-14233
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14233
Release Date: 2019-08-02
Fix Resolution: 1.11.23,2.1.11,2.2.4
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (plexus-utils version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2017-1000487 | High | 9.8 | plexus-utils-2.0.3.jar | Direct | 3.0.16 | ✅ |
WS-2016-7057 | Medium | 5.9 | plexus-utils-2.0.3.jar | Direct | 3.0.24 | ✅ |
WS-2016-7062 | Medium | 5.3 | plexus-utils-2.0.3.jar | Direct | 3.0.24 | ✅ |
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Publish Date: 2018-01-03
URL: CVE-2017-1000487
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
Release Date: 2018-01-03
Fix Resolution: 3.0.16
In order to enable automatic remediation, please create workflow rules
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Plexus-utils before 3.0.24 is vulnerable to directory traversal.
Publish Date: 2016-05-07
URL: WS-2016-7057
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
In order to enable automatic remediation for this issue, please create workflow rules
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-24329 | Medium | 5.3 | kotlin-stdlib-1.3.70.jar | Transitive | N/A | ❌ |
Kotlin Standard Library for JVM
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.70/e5d97e25bb5b30dcfc022ec1c8f3959a875257fb/kotlin-stdlib-1.3.70.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution: org.jetbrains.kotlin:kotlin-stdlib:1.6.0
The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.8/af3be3f74d25fc5163b54f56a0d394b462dafafd/commons-codec-1.8.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (commons-codec version) | Remediation Available |
---|---|---|---|---|---|---|
WS-2019-0379 | Medium | 6.5 | commons-codec-1.8.jar | Direct | 1.13 | ✅ |
The codec package contains simple encoders and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /Java/Gradle/simple-build-1/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.8/af3be3f74d25fc5163b54f56a0d394b462dafafd/commons-codec-1.8.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: 1.13
This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
These updates are currently rate-limited. Click on a checkbox below to force their creation now.
- br.com.creditas:eventlib-starter. Files affected: Java/Gradle/kotlin-build-1/build.gradle.kts
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
- io.springfox:springfox-swagger-ui, io.springfox:springfox-swagger2
- org.mockito:mockito-junit-jupiter, org.mockito:mockito-inline, org.mockito:mockito-core
- io.springfox:springfox-swagger-ui, io.springfox:springfox-swagger2
These are blocked by an existing closed PR and will not be recreated unless you click a checkbox below.
Go/Practice1/go.mod
go 1.15
github.com/dsnet/compress v0.0.2-0.20210315054119-f66993602bf5@f66993602bf5
github.com/gookit/color v1.4.2
github.com/hashicorp/go-version v1.6.0
github.com/mholt/archiver/v3 v3.5.1
Go/Practice2/go.mod
go 1.15
github.com/dsnet/compress v0.0.1
github.com/gookit/color v1.5.2
github.com/hashicorp/go-version v1.6.0
Go/Practice3/go.mod
go 1.15
github.com/dsnet/compress v0.0.1
github.com/gookit/color v1.5.2
github.com/hashicorp/go-version v1.6.0
Java/Gradle/kotlin-build-1/build.gradle.kts
org.jetbrains.kotlin.jvm 1.8.0
javax.activation:activation 1.1.1
br.com.creditas:eventlib-starter 1.10.0
com.kreait.slack:slack-spring-boot-starter 2.0.0
com.kreait.slack:slack-spring-test-api-client 2.0.0
com.github.kittinunf.fuel:fuel 2.3.1
com.github.kittinunf.fuel:fuel-jackson 2.2.3
com.kreait.slack:slack-jackson-dto-test 2.0.0
io.springfox:springfox-swagger2 2.9.2
io.springfox:springfox-swagger-ui 2.9.2
Java/Gradle/kotlin-build-2/build.gradle.kts
junit:junit 4.13.2
junit:junit 4.13.2
junit:junit 4.13.2
Java/Gradle/simple-build-1/build.gradle
com.fasterxml.jackson.core:jackson-databind 2.14.1
org.apache.commons:commons-compress 1.22
io.netty:netty-codec-http 4.1.87.Final
org.yaml:snakeyaml 1.19
commons-codec:commons-codec 1.15
org.codehaus.plexus:plexus-utils 3.5.0
org.apache.struts:struts2-core 6.1.1
Java/Gradle/simple-build-2/build.gradle
org.junit.vintage:junit-vintage-engine 5.9.2
org.springframework.boot:spring-boot-starter-test 2.2.10.RELEASE
org.apiguardian:apiguardian-api 1.1.2
Java/Gradle/simple-build-3/build.gradle
com.google.dagger:dagger-compiler 2.44.2
com.jayway.jsonpath:json-path 2.7.0
com.google.dagger:dagger 2.44.2
software.amazon.awssdk:bom 2.19.17
com.amazonaws:aws-lambda-java-core 1.2.2
com.amazonaws:aws-lambda-java-events 3.11.0
com.google.code.gson:gson 2.10.1
org.hibernate.validator:hibernate-validator 8.0.0.Final
javax.el:javax.el-api 3.0.0
org.glassfish:javax.el 3.0.0
org.slf4j:slf4j-api 2.0.6
org.slf4j:slf4j-simple 2.0.6
org.apache.commons:commons-text 1.10.0
org.junit.jupiter:junit-jupiter 5.9.2
org.mockito:mockito-core 3.12.4
org.mockito:mockito-inline 2.28.2
org.assertj:assertj-core 3.24.1
org.mockito:mockito-junit-jupiter 3.12.4
uk.org.lidalia:slf4j-test 1.2.0
org.json:json 20220924
io.cucumber:cucumber-picocontainer 7.11.0
org.assertj:assertj-core 3.24.1
Java/Maven/simple-pom-1/pom.xml
commons-lang:commons-lang 2.6
commons-logging:commons-logging 1.2
Java/Maven/simple-pom-2/pom.xml
org.apache.camel:camel-zookeeper 3.20.1
Java/Maven/simple-pom-3/pom.xml
com.fasterxml.woodstox:woodstox-core 6.5.0
javax.jmdns:jmdns 3.4.1
log4j:log4j 1.2.17
Java/Maven/simple-pom-4/pom.xml
com.opdar.gulosity:gulosity-all 0.1.1
com.opdar.gulosity:parse 0.1
org.springframework:spring-beans 6.0.4
org.springframework:spring-context 6.0.4
com.amazonaws:aws-java-sdk 1.12.385
org.whitesource:whitesource-maven-plugin 20.7.1
Python/Pip/requirements.txt
Django ==4.1.5
django-formtools ==2.4
djangorestframework ==3.14.0
django-filter ==22.1
django-widget-tweaks ==1.4.12
Markdown ==3.4.1
phonenumbers ==8.13.4
Pygments ==2.14.0
pytz ==2018.9
requests ==2.28.2
threadfix-api ==1.1.1
Python/Poetry/pyproject.toml
django 4.1.5
django-formtools 2.4
djangorestframework 3.14.0
markdown 3.4.1
phonenumbers 8.13.4
pygments 2.14.0
pytz 2018.9
requests 2.28.2
threadfix-api 1.1.1
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.2.9.RELEASE/80e722ffa73a43459f639d36e25aa4e4a08d8d79/spring-beans-5.2.9.RELEASE.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-test version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-22965 | High | 9.8 | spring-beans-5.2.9.RELEASE.jar | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2022-1471 | High | 9.8 | snakeyaml-1.25.jar | Transitive | N/A* | ❌ |
CVE-2021-27568 | High | 9.1 | json-smart-2.3.jar | Transitive | 2.6.0 | ✅ |
CVE-2022-27772 | High | 7.8 | spring-boot-2.2.10.RELEASE.jar | Transitive | 2.2.11.RELEASE | ✅ |
CVE-2022-25857 | High | 7.5 | snakeyaml-1.25.jar | Transitive | 2.6.9 | ✅ |
CVE-2017-18640 | High | 7.5 | snakeyaml-1.25.jar | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2021-42550 | Medium | 6.6 | detected in multiple dependencies | Transitive | 2.5.8 | ✅ |
CVE-2022-41854 | Medium | 6.5 | snakeyaml-1.25.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-22950 | Medium | 6.5 | spring-expression-5.2.9.RELEASE.jar | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2022-38752 | Medium | 6.5 | snakeyaml-1.25.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-38751 | Medium | 6.5 | snakeyaml-1.25.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-38749 | Medium | 6.5 | snakeyaml-1.25.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-38750 | Medium | 5.5 | snakeyaml-1.25.jar | Transitive | 2.6.9 | ✅ |
CVE-2022-22968 | Medium | 5.3 | spring-context-5.2.9.RELEASE.jar | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2022-22970 | Medium | 5.3 | detected in multiple dependencies | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2021-22060 | Medium | 4.3 | spring-core-5.2.9.RELEASE.jar | Transitive | 2.3.0.RELEASE | ✅ |
CVE-2021-22096 | Medium | 4.3 | spring-core-5.2.9.RELEASE.jar | Transitive | 2.3.0.RELEASE | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Spring Beans
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.2.9.RELEASE/80e722ffa73a43459f639d36e25aa4e4a08d8d79/spring-beans-5.2.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Publish Date: 2022-04-01
URL: CVE-2022-22965
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
Base Score Metrics:
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.
Library home page: http://www.minidev.net/
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/net.minidev/json-smart/2.3/7396407491352ce4fa30de92efb158adb76b5b/json-smart-2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in netplex json-smart-v1 through 2015-10-23 and json-smart-v2 through 2.4. An exception is thrown from a function, but it is not caught, as demonstrated by NumberFormatException. When it is not caught, it may cause programs using the library to crash or expose sensitive information.
Publish Date: 2021-02-23
URL: CVE-2021-27568
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-02-23
Fix Resolution (net.minidev:json-smart): 2.3.1
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.0
Spring Boot
Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/2.2.10.RELEASE/6319e4ced2068453beb6c433b2169a0738bb8de/spring-boot-2.2.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
Publish Date: 2022-03-30
URL: CVE-2022-27772
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cm59-pr5q-cw85
Release Date: 2022-03-30
Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.2.11.RELEASE
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nested depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.3/7c4f3c474fb2c041d8028740440937705ebb473a/logback-classic-1.2.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.3/7c4f3c474fb2c041d8028740440937705ebb473a/logback-classic-1.2.3.jar
Dependency Hierarchy:
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /Java/Gradle/kotlin-build-1/build.gradle.kts
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.3/864344400c3d4d92dfeb0a305dc87d953677c03c/logback-core-1.2.3.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.3/864344400c3d4d92dfeb0a305dc87d953677c03c/logback-core-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing execution of arbitrary code loaded from LDAP servers.
Publish Date: 2021-12-16
URL: CVE-2021-42550
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
Release Date: 2021-12-16
Fix Resolution (ch.qos.logback:logback-classic): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.5.8
Fix Resolution (ch.qos.logback:logback-core): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.5.8
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Those using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.9
Spring Expression Language (SpEL)
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.2.9.RELEASE/c8584de306be115ef1715b7ed9d50fb2802867aa/spring-expression-5.2.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.25/8b6e01ef661d8378ae6dd7b511a7f2a33fae1421/snakeyaml-1.25.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.6.9
Spring Context
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-context/5.2.9.RELEASE/4003ef2db8b5e4b22330fc6d67aae7ac5d304319/spring-context-5.2.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Publish Date: 2022-04-14
URL: CVE-2022-22968
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22968
Release Date: 2022-04-14
Fix Resolution (org.springframework:spring-context): 5.2.21.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.9.RELEASE/400a6fdb45bfa5318aa7d06360f4495b75080bb5/spring-core-5.2.9.RELEASE.jar
Dependency Hierarchy:
Spring Beans
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.2.9.RELEASE/80e722ffa73a43459f639d36e25aa4e4a08d8d79/spring-beans-5.2.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions prior to 5.3.20 and 5.2.22, and older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.9.RELEASE/400a6fdb45bfa5318aa7d06360f4495b75080bb5/spring-core-5.2.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
Publish Date: 2022-01-10
URL: CVE-2021-22060
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6gf2-pvqw-37ph
Release Date: 2022-01-10
Fix Resolution (org.springframework:spring-core): 5.2.19.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /Java/Gradle/simple-build-2/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.2.9.RELEASE/400a6fdb45bfa5318aa7d06360f4495b75080bb5/spring-core-5.2.9.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.3.0.RELEASE
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (junit version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2020-15250 | Medium | 5.5 | junit-4.13.jar | Direct | 4.13.1 | ❌ |
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: 4.13.1
There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.
Location: renovate.json
Error type: Invalid JSON (parsing failed)
Message: Syntax error: expecting end of expression or separator near "lock
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
CVE | Severity | CVSS | Dependency | Type | Fixed in (aws-java-sdk version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-14540 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2019-17531 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2019-17267 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2018-11307 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-8840 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2018-19360 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2019-10202 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2019-14893 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-9546 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2017-17485 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-9547 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-9548 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2019-20330 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2018-7489 | High | 9.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-10969 | High | 8.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-11111 | High | 8.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-11113 | High | 8.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-11112 | High | 8.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-10672 | High | 8.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-10673 | High | 8.8 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36189 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36188 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-11620 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-10650 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36181 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36180 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36183 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36182 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36185 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36184 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36187 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36186 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2021-20190 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36179 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-24616 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-14060 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-14061 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-14062 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-24750 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-14195 | High | 8.1 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2021-37136 | High | 7.5 | netty-codec-4.1.48.Final.jar | Transitive | 1.11.875 | ✅ |
CVE-2021-37137 | High | 7.5 | netty-codec-4.1.48.Final.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-25649 | High | 7.5 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-28491 | High | 7.5 | jackson-dataformat-cbor-2.6.7.jar | Transitive | 1.11.875 | ✅ |
CVE-2022-42004 | High | 7.5 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2022-42003 | High | 7.5 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.6.7.3.jar | Transitive | 1.11.875 | ✅ |
WS-2020-0408 | High | 7.4 | netty-handler-4.1.48.Final.jar | Transitive | 1.11.875 | ✅ |
CVE-2022-31159 | Medium | 6.5 | aws-java-sdk-s3-1.11.856.jar | Transitive | 1.11.875 | ✅ |
WS-2019-0379 | Medium | 6.5 | commons-codec-1.11.jar | Transitive | 1.11.875 | ✅ |
CVE-2022-41915 | Medium | 6.5 | netty-codec-http-4.1.48.Final.jar | Transitive | 1.11.875 | ✅ |
CVE-2021-43797 | Medium | 6.5 | netty-codec-http-4.1.48.Final.jar | Transitive | 1.11.875 | ✅ |
CVE-2021-21295 | Medium | 5.9 | netty-codec-http-4.1.48.Final.jar | Transitive | 1.11.875 | ✅ |
CVE-2022-24823 | Medium | 5.5 | netty-common-4.1.48.Final.jar | Transitive | N/A* | ❌ |
CVE-2021-21290 | Medium | 5.5 | detected in multiple dependencies | Transitive | 1.11.875 | ✅ |
WS-2018-0125 | Medium | 5.3 | jackson-core-2.6.7.jar | Transitive | 1.11.875 | ✅ |
WS-2018-0124 | Medium | 5.3 | jackson-core-2.6.7.jar | Transitive | 1.11.875 | ✅ |
CVE-2020-13956 | Medium | 5.3 | httpclient-4.5.9.jar | Transitive | 1.11.875 | ✅ |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the section "Details" below to see if there is a version of the transitive dependency where the vulnerability is fixed.
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-07-09
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://access.redhat.com/errata/RHSA-2019:2938
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping(), or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS, or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.
Publish Date: 2020-03-02
URL: CVE-2019-14893
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).
Publish Date: 2020-03-02
URL: CVE-2020-9546
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Publish Date: 2018-01-10
URL: CVE-2017-17485
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
Release Date: 2018-01-10
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).
Publish Date: 2020-03-02
URL: CVE-2020-9547
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).
Publish Date: 2020-03-02
URL: CVE-2020-9548
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548
Release Date: 2020-03-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.
Publish Date: 2020-01-03
URL: CVE-2019-20330
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-03
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Publish Date: 2018-02-26
URL: CVE-2018-7489
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489
Release Date: 2018-02-26
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
Publish Date: 2020-03-26
URL: CVE-2020-10969
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969
Release Date: 2020-03-26
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.activemq.* (aka activemq-jms, activemq-core, activemq-pool, and activemq-pool-jms).
Publish Date: 2020-03-31
URL: CVE-2020-11111
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.openjpa.ee.WASRegistryManagedRuntime (aka openjpa).
Publish Date: 2020-03-31
URL: CVE-2020-11113
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11113
Release Date: 2020-03-31
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.proxy.provider.remoting.RmiProvider (aka apache/commons-proxy).
Publish Date: 2020-03-31
URL: CVE-2020-11112
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11112
Release Date: 2020-03-31
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /Java/Maven/simple-pom-4/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.6.7.3/jackson-databind-2.6.7.3.jar
Dependency Hierarchy:
Found in HEAD commit: 4839f6588961e746880b27503fdce27cafb1e42e
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.aries.transaction.jms.internal.XaPooledConnectionFactory (aka aries.transaction.jms).
Publish Date: 2020-03-18
URL: CVE-2020-10672
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10672
Release Date: 2020-03-18
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.6.7.4
Direct dependency fix Resolution (com.amazonaws:aws-java-sdk): 1.11.875
In order to enable automatic remediation, please create workflow rules
In order to enable automatic remediation for this issue, please create workflow rules