Git Product home page Git Product logo

dima2021 / securityshepherd Goto Github PK

View Code? Open in Web Editor NEW

This project forked from owasp/securityshepherd

0.0 0.0 3.0 184.9 MB

Web and mobile application security training platform

Home Page: https://owasp.org/www-project-security-shepherd/

License: GNU General Public License v3.0

C 0.01% C++ 0.01% HTML 0.31% CSS 0.44% Java 98.26% JavaScript 0.62% Shell 0.25% Dockerfile 0.10% AIDL 0.04%
mendmap-dima2021

securityshepherd's Introduction

OWASP Security Shepherd OWASP Flagship

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.

Build Status

Where can I download Security Shepherd?

Virtual Machine or Manual Setup

You can download Security Shepherd VM's or Manual Installation Packs from GitHub

Docker (Ubuntu Linux Host)

Initial Setup

# Install pre-reqs
sudo apt install git maven docker docker-compose default-jdk

# Clone the github repository
git clone https://github.com/OWASP/SecurityShepherd.git

# Change directory into the local copy of the repository
cd SecurityShepherd

# Adds current user to the docker group (don't have to run docker with sudo)
sudo gpasswd -a $USER docker

# Run maven to generate the WAR and HTTPS Cert.
mvn -Pdocker clean install -DskipTests

# Build the docker images, docker network and bring up the environment
docker-compose up

Open up an Internet Browser & type in the address bar;

To login use the following credentials (you will be asked to update after login);

  • username: admin
  • password: password

Note: Environment variables can be configured in dotenv .env file in the root dir.

Full Guide

Docker-Environment-Setup

How do I setup Security Shepherd?

We've got fully automated and step by step walkthroughs on our wiki page to help you get Security Shepherd up and running.

What can Security Shepherd be used for?

Security Shepherd can be used as a;

  • Teaching Tool for All Application Security
  • Web Application Pen Testing Training Platform
  • Mobile Application Pen Testing Training
  • Safe Playground to Practise AppSec Techniques
  • Platform to demonstrate real Security Risk examples

Why choose Security Shepherd?

There are a lot of purposefully vulnerable applications available in the OWASP Project Inventory, and even more across the internet. Why should you use Security Shepherd? Here are a few reasons;

  • Wide Topic Coverage
    Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.
  • Gentle Learning Curve
    Shepherd is a perfect for users completely new to security with levels increases in difficulty at a pleasant pace.
  • Layman Write Ups
    When each security concept is first presented in Shepherd, it is done so in layman terms so that anyone (even beginners) can absorb them.
  • Real World Examples
    The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users, and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.
  • Scalability
    Shepherd can be used locally by a single user or easily as a server for a high amount of users.
  • Highly Customisable
    Shepherd enables admins to set what levels are available to their users and in what way they are presentended (Open, CTF and Tournament Layouts)
  • Perfect for Classrooms
    Shepherd gives it's players user specific solution keys to prevent students from sharing keys, rather than going through the steps required to complete a level.
  • Scoreboard
    Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard.
  • User Management
    Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points, or take penalty points away from user's accounts with the admin user management controls. Admins can also segment their students into specific class groups. Admins can view the progress a class has made to identify struggling participants. An admin can even close public registration and manually create users if they wish for a private experience.
  • Robust Service
    Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no down time, bar planned maintenance periods.
  • Configurable Feedback
    An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.
  • Granular Logging
    The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know.

securityshepherd's People

Contributors

abhinav-k avatar aidanknowles avatar andrew-stubbs avatar andrrac avatar anksp21 avatar brucemacd avatar caligin avatar cwavesoftware avatar dependabot[bot] avatar dima2021 avatar etnoy avatar francescacoo avatar gbena avatar ismisepaul avatar jcfl-dev avatar leishao2 avatar markdenihan avatar mend-for-github-com[bot] avatar natalilopez avatar pchaigno avatar prateepb avatar rob-conan avatar ryanjames85 avatar samuel-bf avatar sarencurrie avatar seanduggan avatar securityinfos avatar smohtadi avatar tejen avatar thomaspreece avatar

Forkers

katerinaorg jakethekid21 elikkatzgit

securityshepherd's Issues

WS-2019-0379 (Medium) detected in commons-codec-1.6.jar - autoclosed

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/codec/

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/commons-codec/commons-codec/1.6/commons-codec-1.6.jar,/target/owaspSecurityShepherd/WEB-INF/lib/commons-codec-1.6.jar

Dependency Hierarchy:

  • commons-codec-1.6.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

⛑️ Automatic Remediation is available for this issue

Dependency Dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Rate-Limited

These updates are currently rate-limited. Click on a checkbox below to force their creation now.

  • Update dependency de.mkammerer:argon2-jvm to v2.11
  • Update dependency gradle to v1.12
  • Update dependency gradle to v2.14.1
  • Update dependency io.fabric8:docker-maven-plugin to v0.42.1
  • Update dependency junit:junit to v4.13.2
  • Update dependency org.apache.maven.plugins:maven-clean-plugin to v3.2.0
  • Update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.11.0
  • Update dependency org.apache.maven.plugins:maven-failsafe-plugin to v2.22.2
  • Update dependency org.apache.maven.plugins:maven-resources-plugin to v3.3.1
  • Update dependency org.apache.maven.plugins:maven-surefire-plugin to v2.22.2
  • Update dependency org.apache.maven.plugins:maven-war-plugin to v3.3.2
  • Update dependency org.codehaus.mojo:build-helper-maven-plugin to v3.4.0
  • Update dependency org.codehaus.mojo:keytool-maven-plugin to v1.7
  • Update dependency org.codehaus.mojo:properties-maven-plugin to v1.1.0
  • Update dependency org.mockito:mockito-core to v2.28.2
  • Update dependency org.mongodb:mongo-java-driver to v3.12.13
  • Update junit5 monorepo to v5.9.3 (org.junit.jupiter:junit-jupiter-engine, org.junit.jupiter:junit-jupiter-api)
  • Update actions/checkout action to v3
  • Update actions/setup-java action to v3
  • Update actions/upload-artifact action to v3
  • Update dependency com.android.tools.build:gradle to v2.3.3
  • Update dependency gradle to v8
  • Update dependency javax.servlet:javax.servlet-api to v4
  • Update dependency javax:javaee-api to v8
  • Update dependency net.zetetic:android-database-sqlcipher to v4
  • Update dependency org.apache.maven.plugins:maven-failsafe-plugin to v3
  • Update dependency org.apache.maven.plugins:maven-surefire-plugin to v3
  • Update dependency org.codehaus.mojo:exec-maven-plugin to v3
  • Update dependency org.mockito:mockito-core to v5
  • Update spring core to v6 (major) (org.springframework:spring-core, org.springframework:spring-test, org.springframework:spring-web)
  • 🔐 Create all rate-limited PRs at once 🔐

Edited/Blocked

These updates have been manually edited so Renovate will no longer make changes. To discard all commits and start over, click on a checkbox.

⚠ Dependency Lookup Warnings ⚠

  • Renovate failed to look up the following dependencies: Failed to look up maven package com.android.support:appcompat-v7, Failed to look up maven package com.android.support:design.

Files affected: src/MobileShepherd/BrokenCrypto/app/build.gradle, src/MobileShepherd/BrokenCrypto1/app/build.gradle, src/MobileShepherd/BrokenCrypto2/app/build.gradle, src/MobileShepherd/BrokenCrypto3/app/build.gradle, src/MobileShepherd/CProviderLeakage/app/build.gradle, src/MobileShepherd/CProviderLeakage1/app/build.gradle, src/MobileShepherd/CSInjection/app/build.gradle, src/MobileShepherd/CSInjection1/app/build.gradle, src/MobileShepherd/CSInjection2/app/build.gradle, src/MobileShepherd/InsecureData/app/build.gradle, src/MobileShepherd/InsecureData1/app/build.gradle, src/MobileShepherd/InsecureData2/app/build.gradle, src/MobileShepherd/InsecureData3/app/build.gradle, src/MobileShepherd/InsufficientTLS/app/build.gradle, src/MobileShepherd/MobShepTemplate/app/build.gradle, src/MobileShepherd/MobileShepherd/app/build.gradle, src/MobileShepherd/PoorAuthentication/app/build.gradle, src/MobileShepherd/PoorAuthentication1/app/build.gradle, src/MobileShepherd/PoorAuthentication2/app/build.gradle, src/MobileShepherd/ReverseEngineer/app/build.gradle, src/MobileShepherd/ReverseEngineer1/app/build.gradle, src/MobileShepherd/ReverseEngineer2/app/build.gradle, src/MobileShepherd/ReverseEngineer3/app/build.gradle, src/MobileShepherd/SessionManagement/app/build.gradle, src/MobileShepherd/ShepherdLogin/app/build.gradle, src/MobileShepherd/ShepherdResolver/app/build.gradle, src/MobileShepherd/UDataLeakage/app/build.gradle, src/MobileShepherd/UDataLeakage1/app/build.gradle, src/MobileShepherd/UDataLeakage2/app/build.gradle, src/MobileShepherd/UntrustedInput/app/build.gradle, src/MobileShepherd/WeakServerSideControls/app/build.gradle

Open

These updates have all been created already. Click a checkbox below to force a retry/rebase of any.

Detected dependencies

docker-compose
docker-compose.yml
dockerfile
Dockerfile
docker/mongo/Dockerfile
docker/mysql/Dockerfile
github-actions
.github/workflows/mend_cli_sca.yml
  • actions/checkout v2
  • actions/setup-java v2
  • actions/upload-artifact v2
.github/workflows/prioritize.yml
  • actions/checkout v2
  • actions/setup-java v2
gradle
src/MobileShepherd/BrokenCrypto/gradle.properties
src/MobileShepherd/BrokenCrypto/settings.gradle
src/MobileShepherd/BrokenCrypto/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/BrokenCrypto/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/BrokenCrypto1/gradle.properties
src/MobileShepherd/BrokenCrypto1/settings.gradle
src/MobileShepherd/BrokenCrypto1/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/BrokenCrypto1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/BrokenCrypto2/gradle.properties
src/MobileShepherd/BrokenCrypto2/settings.gradle
src/MobileShepherd/BrokenCrypto2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/BrokenCrypto2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/BrokenCrypto3/gradle.properties
src/MobileShepherd/BrokenCrypto3/settings.gradle
src/MobileShepherd/BrokenCrypto3/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/BrokenCrypto3/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/CProviderLeakage/gradle.properties
src/MobileShepherd/CProviderLeakage/settings.gradle
src/MobileShepherd/CProviderLeakage/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/CProviderLeakage/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/CProviderLeakage1/gradle.properties
src/MobileShepherd/CProviderLeakage1/settings.gradle
src/MobileShepherd/CProviderLeakage1/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/CProviderLeakage1/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/CSInjection/gradle.properties
src/MobileShepherd/CSInjection/settings.gradle
src/MobileShepherd/CSInjection/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/CSInjection/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/CSInjection1/gradle.properties
src/MobileShepherd/CSInjection1/settings.gradle
src/MobileShepherd/CSInjection1/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/CSInjection1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/CSInjection2/gradle.properties
src/MobileShepherd/CSInjection2/settings.gradle
src/MobileShepherd/CSInjection2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/CSInjection2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData/gradle.properties
src/MobileShepherd/InsecureData/settings.gradle
src/MobileShepherd/InsecureData/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/InsecureData/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData1/gradle.properties
src/MobileShepherd/InsecureData1/settings.gradle
src/MobileShepherd/InsecureData1/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/InsecureData1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData2/gradle.properties
src/MobileShepherd/InsecureData2/settings.gradle
src/MobileShepherd/InsecureData2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/InsecureData2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData3/gradle.properties
src/MobileShepherd/InsecureData3/settings.gradle
src/MobileShepherd/InsecureData3/build.gradle
  • com.android.tools.build:gradle 1.1.0
src/MobileShepherd/InsecureData3/app/build.gradle
  • com.android.support:appcompat-v7 22.0.0
src/MobileShepherd/InsufficientTLS/gradle.properties
src/MobileShepherd/InsufficientTLS/settings.gradle
src/MobileShepherd/InsufficientTLS/build.gradle
  • com.android.tools.build:gradle 1.3.1
src/MobileShepherd/InsufficientTLS/app/build.gradle
  • junit:junit 4.12
  • com.android.support:appcompat-v7 23.1.1
src/MobileShepherd/InsufficientTLS2/build.gradle
  • com.android.tools.build:gradle 0.5.+
src/MobileShepherd/MobShepTemplate/gradle.properties
src/MobileShepherd/MobShepTemplate/settings.gradle
src/MobileShepherd/MobShepTemplate/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/MobShepTemplate/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/MobileShepherd/gradle.properties
src/MobileShepherd/MobileShepherd/settings.gradle
src/MobileShepherd/MobileShepherd/build.gradle
  • com.android.tools.build:gradle 2.1.2
src/MobileShepherd/MobileShepherd/app/build.gradle
  • junit:junit 4.12
  • com.android.support:appcompat-v7 24.1.1
  • com.android.support:design 24.1.1
  • net.zetetic:android-database-sqlcipher 3.5.4
src/MobileShepherd/PoorAuthentication/gradle.properties
src/MobileShepherd/PoorAuthentication/settings.gradle
src/MobileShepherd/PoorAuthentication/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/PoorAuthentication/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/PoorAuthentication1/gradle.properties
src/MobileShepherd/PoorAuthentication1/settings.gradle
src/MobileShepherd/PoorAuthentication1/build.gradle
  • com.android.tools.build:gradle 1.1.0
src/MobileShepherd/PoorAuthentication1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/PoorAuthentication2/gradle.properties
src/MobileShepherd/PoorAuthentication2/settings.gradle
src/MobileShepherd/PoorAuthentication2/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/PoorAuthentication2/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer/gradle.properties
src/MobileShepherd/ReverseEngineer/settings.gradle
src/MobileShepherd/ReverseEngineer/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer1/gradle.properties
src/MobileShepherd/ReverseEngineer1/settings.gradle
src/MobileShepherd/ReverseEngineer1/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer2/gradle.properties
src/MobileShepherd/ReverseEngineer2/settings.gradle
src/MobileShepherd/ReverseEngineer2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer3/gradle.properties
src/MobileShepherd/ReverseEngineer3/settings.gradle
src/MobileShepherd/ReverseEngineer3/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer3/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/SessionManagement/gradle.properties
src/MobileShepherd/SessionManagement/settings.gradle
src/MobileShepherd/SessionManagement/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/SessionManagement/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/ShepherdLogin/gradle.properties
src/MobileShepherd/ShepherdLogin/settings.gradle
src/MobileShepherd/ShepherdLogin/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ShepherdLogin/app/build.gradle
  • com.android.support:appcompat-v7 22.0.0
src/MobileShepherd/ShepherdResolver/gradle.properties
src/MobileShepherd/ShepherdResolver/settings.gradle
src/MobileShepherd/ShepherdResolver/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/ShepherdResolver/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/UDataLeakage/gradle.properties
src/MobileShepherd/UDataLeakage/settings.gradle
src/MobileShepherd/UDataLeakage/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/UDataLeakage/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/UDataLeakage1/gradle.properties
src/MobileShepherd/UDataLeakage1/settings.gradle
src/MobileShepherd/UDataLeakage1/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/UDataLeakage1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/UDataLeakage2/gradle.properties
src/MobileShepherd/UDataLeakage2/settings.gradle
src/MobileShepherd/UDataLeakage2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/UDataLeakage2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/UntrustedInput/gradle.properties
src/MobileShepherd/UntrustedInput/settings.gradle
src/MobileShepherd/UntrustedInput/build.gradle
  • com.android.tools.build:gradle 1.3.0
src/MobileShepherd/UntrustedInput/app/build.gradle
  • junit:junit 4.12
  • com.android.support:appcompat-v7 23.1.1
  • com.android.support:design 23.1.1
src/MobileShepherd/WeakServerSideControls/gradle.properties
src/MobileShepherd/WeakServerSideControls/settings.gradle
src/MobileShepherd/WeakServerSideControls/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/WeakServerSideControls/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
gradle-wrapper
src/MobileShepherd/BrokenCrypto/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/BrokenCrypto1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/BrokenCrypto2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/BrokenCrypto3/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CProviderLeakage/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CProviderLeakage1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CSInjection/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CSInjection1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CSInjection2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData3/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsufficientTLS/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.8
src/MobileShepherd/InsufficientTLS2/gradle/wrapper/gradle-wrapper.properties
  • gradle 1.6
src/MobileShepherd/MobShepTemplate/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/MobileShepherd/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.10
src/MobileShepherd/PoorAuthentication/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/PoorAuthentication1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/PoorAuthentication2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer3/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/SessionManagement/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ShepherdLogin/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ShepherdResolver/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UDataLeakage/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UDataLeakage1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UDataLeakage2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UntrustedInput/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.8
src/MobileShepherd/WeakServerSideControls/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
maven
pom.xml
  • com.onelogin:java-saml 2.5.0
  • de.mkammerer:argon2-jvm 2.2
  • log4j:log4j 1.2.7
  • org.json:json 20180130
  • com.googlecode.json-simple:json-simple 1.1.1
  • commons-io:commons-io 2.5
  • commons-codec:commons-codec 1.6
  • org.jsoup:jsoup 1.8.2
  • net.sf.jtidy:jtidy r938
  • javax.mail:mail 1.4.7
  • org.mongodb:mongo-java-driver 3.4.1
  • javax:javaee-api 7.0
  • javax.servlet:javax.servlet-api 3.1.0
  • jstl:jstl 1.2
  • mysql:mysql-connector-java 5.1.24
  • org.owasp.encoder:encoder 1.2.1
  • commons-logging:commons-logging 1.2
  • org.springframework:spring-web 5.0.7.RELEASE
  • org.springframework:spring-test 5.0.7.RELEASE
  • org.springframework:spring-core 5.0.11.RELEASE
  • org.springframework:spring-mock 2.0.8
  • com.github.fakemongo:fongo 2.0.6
  • org.springframework:spring-context 5.1.1.RELEASE
  • org.springframework.data:spring-data-mongodb 2.1.1.RELEASE
  • org.junit.jupiter:junit-jupiter-api 5.0.1
  • org.junit.jupiter:junit-jupiter-engine 5.0.1
  • org.hamcrest:hamcrest-junit 2.0.0.0
  • org.mockito:mockito-core 2.23.0
  • org.apache.maven.plugins:maven-clean-plugin 3.1.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.codehaus.mojo:exec-maven-plugin 1.6.0
  • org.codehaus.mojo:keytool-maven-plugin 1.5
  • io.fabric8:docker-maven-plugin 0.26.0
  • org.codehaus.mojo:properties-maven-plugin 1.0.0
  • org.apache.maven.plugins:maven-compiler-plugin 3.5.1
  • org.apache.maven.plugins:maven-war-plugin 3.0.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.apache.maven.plugins:maven-surefire-plugin 2.19.1
  • org.apache.maven.plugins:maven-failsafe-plugin 2.19.1
  • org.codehaus.mojo:build-helper-maven-plugin 3.0.0

junit-4.10.jar: 1 vulnerabilities (highest severity is: 5.5) - autoclosed

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/junit-4.10.jar,/home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (junit version) Remediation Available
CVE-2020-15250 Medium 5.5 junit-4.10.jar Direct 4.13.1

Details

CVE-2020-15250

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/junit-4.10.jar,/home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Dependency Hierarchy:

  • junit-4.10.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2021-29425 (Medium) detected in commons-io-2.5.jar - autoclosed

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/commons-io-2.5.jar,/tory/commons-io/commons-io/2.5/commons-io-2.5.jar

Dependency Hierarchy:

  • commons-io-2.5.jar (Vulnerable Library)

Found in HEAD commit: 0a92568d41e0827c46048e9585e5439e282729dd

Found in base branch: dev

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: commons-io:commons-io:2.7

⛑️ Automatic Remediation is available for this issue

CVE-2015-0254 (High) detected in jstl-1.2.jar - autoclosed

CVE-2015-0254 - High Severity Vulnerability

Vulnerable Library - jstl-1.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/jstl-1.2.jar,/tory/jstl/jstl/1.2/jstl-1.2.jar

Dependency Hierarchy:

  • jstl-1.2.jar (Vulnerable Library)

Found in HEAD commit: 0a92568d41e0827c46048e9585e5439e282729dd

Found in base branch: dev

Vulnerability Details

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Publish Date: 2015-03-09

URL: CVE-2015-0254

CVSS 3 Score Details (7.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/taglibs/standard/

Release Date: 2015-03-09

Fix Resolution: org.apache.taglibs:taglibs-standard-impl:1.2.3

⛑️ Automatic Remediation is available for this issue

License Policy Violation detected in mysql-connector-java-5.1.24.jar

License Policy Violation detected in mysql-connector-java-5.1.24.jar

Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Library containing License Policy Violation)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

📃 License Details

GPL 2.0
License Reference File: https://repo.maven.apache.org/maven2/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.pom

    ⛔ License Policy Violation - Reject GPL

CVE-2022-22950 (Medium) detected in spring-expression-5.1.1.RELEASE.jar - autoclosed

CVE-2022-22950 - Medium Severity Vulnerability

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar,/target/owaspSecurityShepherd/WEB-INF/lib/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition

Publish Date: 2022-01-11

URL: CVE-2022-22950

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-01-11

Fix Resolution: org.springframework:spring-expression:5.3.17

⛑️ Automatic Remediation is available for this issue

Action Required: Fix Renovate Configuration

There is an error with this repository's Renovate configuration that needs to be fixed. As a precaution, Renovate will stop PRs until it is resolved.

Error type: Preset is invalid JSON (github>whitesource/log4j-remediations)

Code Security Report: 22 high severity findings, 937 total findings

Code Security Report

Scan Metadata

Latest Scan: 2023-05-18 03:51am
Total Findings: 937 | New Findings: 0 | Resolved Findings: 0
Tested Project Files: 588
Detected Programming Languages: 3 (JavaScript / Node.js, Android Java, C/C++ (Beta))

  • Check this box to manually trigger a scan

Most Relevant Findings

The below list presents the 10 most relevant findings that need your attention. To view information on the remaining findings, navigate to the Mend SAST Application.

SeverityVulnerability TypeCWEFileData FlowsDate
HighExternal Data In SQL Queries

CWE-89

Insecure_Data_Storage2.java:54

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/InsecureData2/app/src/main/java/com/mobshep/insecuredata2/Insecure_Data_Storage2.java

Lines 49 to 54 in 9ef42d6

}
public void createDatabase() {
try {
passwordDB = this.openOrCreateDatabase("passwordDB", MODE_PRIVATE, null);
passwordDB.execSQL("CREATE TABLE IF NOT EXISTS passwordDB " +

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/InsecureData2/app/src/main/java/com/mobshep/insecuredata2/Insecure_Data_Storage2.java

Line 54 in 9ef42d6

passwordDB.execSQL("CREATE TABLE IF NOT EXISTS passwordDB " +

HighExternal Data In SQL Queries

CWE-89

Insecure_Data_Storage2.java:89

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/MobileShepherd/app/src/main/java/com/mobshep/mobileshepherd/Insecure_Data_Storage2.java

Lines 84 to 89 in 9ef42d6

public void createDatabase() {
try {
String path = DB_PATH + DB_NAME;
passwordDB = this.openOrCreateDatabase(path, MODE_PRIVATE, null);
passwordDB.execSQL("CREATE TABLE IF NOT EXISTS passwordDB " +

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/MobileShepherd/app/src/main/java/com/mobshep/mobileshepherd/Insecure_Data_Storage2.java

Line 89 in 9ef42d6

passwordDB.execSQL("CREATE TABLE IF NOT EXISTS passwordDB " +

HighExternal Data In SQL Queries

CWE-89

SecretProvider.java:186

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/CProviderLeakage/app/src/main/java/com/somewhere/hidden/SecretProvider.java

Lines 181 to 186 in 9ef42d6

}
// Recreates the table when the database needs to be upgraded
@Override
public void onUpgrade(SQLiteDatabase sqlDB, int oldVersion, int newVersion) {
sqlDB.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/CProviderLeakage/app/src/main/java/com/somewhere/hidden/SecretProvider.java

Line 186 in 9ef42d6

sqlDB.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);

HighExternal Data In SQL Queries

CWE-89

mProvider.java:186

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/CProviderLeakage1/app/src/main/java/com/app/module/mProvider.java

Lines 181 to 186 in 9ef42d6

}
// Recreates the table when the database needs to be upgraded
@Override
public void onUpgrade(SQLiteDatabase sqlDB, int oldVersion, int newVersion) {
sqlDB.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/CProviderLeakage1/app/src/main/java/com/app/module/mProvider.java

Line 186 in 9ef42d6

sqlDB.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);

HighExternal Data In SQL Queries

CWE-89

SessionProvider.java:226

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/SessionProvider.java

Lines 221 to 226 in 9ef42d6

onCreate(sqlDB);
}
public void deleteData(){
SQLiteDatabase sqlDB = getWritableDatabase();
sqlDB.execSQL("DELETE FROM " + TABLE_NAME);

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/SessionProvider.java

Line 226 in 9ef42d6

sqlDB.execSQL("DELETE FROM " + TABLE_NAME);

HighExternal Data In SQL Queries

CWE-89

SessionProvider.java:220

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/SessionProvider.java

Lines 215 to 220 in 9ef42d6

}
// Recreates the table when the database needs to be upgraded
@Override
public void onUpgrade(SQLiteDatabase sqlDB, int oldVersion, int newVersion) {
sqlDB.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/SessionProvider.java

Line 220 in 9ef42d6

sqlDB.execSQL("DROP TABLE IF EXISTS " + TABLE_NAME);

HighExternal Data In SQL Queries

CWE-89

Insecure_Data_Storage.java:52

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/InsecureData/app/src/main/java/com/mobshep/insecuredata/Insecure_Data_Storage.java

Lines 47 to 52 in 9ef42d6

}
public void createDatabase() {
try {
Members = this.openOrCreateDatabase("Members", MODE_PRIVATE, null);
Members.execSQL("CREATE TABLE IF NOT EXISTS Members " +

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/InsecureData/app/src/main/java/com/mobshep/insecuredata/Insecure_Data_Storage.java

Line 52 in 9ef42d6

Members.execSQL("CREATE TABLE IF NOT EXISTS Members " +

HighExternal Data In SQL Queries

CWE-89

Insecure_Data_Storage.java:83

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/MobileShepherd/app/src/main/java/com/mobshep/mobileshepherd/Insecure_Data_Storage.java

Lines 78 to 83 in 9ef42d6

public void createDatabase() {
try {
String path = DB_PATH + DB_NAME;
Members = this.openOrCreateDatabase(path, MODE_PRIVATE, null);
Members.execSQL("CREATE TABLE IF NOT EXISTS Members " +

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/MobileShepherd/app/src/main/java/com/mobshep/mobileshepherd/Insecure_Data_Storage.java

Line 83 in 9ef42d6

Members.execSQL("CREATE TABLE IF NOT EXISTS Members " +

HighExternal Data In SQL Queries

CWE-89

SessionProvider.java:85

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/SessionProvider.java

Lines 80 to 85 in 9ef42d6

}
@Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
// Used to create a SQL query
SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/ShepherdLogin/app/src/main/java/com/mobshep/shepherdlogin/SessionProvider.java

Line 85 in 9ef42d6

SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();

HighExternal Data In SQL Queries

CWE-89

SecretProvider.java:62

12023-04-19 06:32pm
More info

SecurityShepherd/src/MobileShepherd/MobileShepherd/app/src/main/java/com/mobshep/mobileshepherd/SecretProvider.java

Lines 57 to 62 in 9ef42d6

}
@Override
public Cursor query(Uri uri, String[] projection, String selection, String[] selectionArgs, String sortOrder) {
// Used to create a SQL query
SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();

1 Data Flow/s detected
View Data Flow 1

SecurityShepherd/src/MobileShepherd/MobileShepherd/app/src/main/java/com/mobshep/mobileshepherd/SecretProvider.java

Line 62 in 9ef42d6

SQLiteQueryBuilder queryBuilder = new SQLiteQueryBuilder();

Findings Overview

Severity Vulnerability Type CWE Language Count
High External Data In SQL Queries CWE-89 Android Java 15
High DOM Based Cross-Site Scripting CWE-79 JavaScript / Node.js 3
High Arbitrary Code Injection CWE-94 Android Java 4
Medium Miscellaneous Dangerous Functions CWE-676 Android Java 409
Medium Log Messages CWE-209 Android Java 64
Medium Heap Inspection CWE-244 Android Java 145
Medium Hardcoded Password/Credentials CWE-798 Android Java 11
Medium Location Information CWE-200 Android Java 2
Medium Intents Usage CWE-926 Android Java 102
Medium Shared Preferences Usage CWE-200 Android Java 3
Medium Insecure Data Storage CWE-200 Android Java 8
Medium Insufficient Transport Layer Protection CWE-319 Android Java 106
Low External URL Access Android Java 16
Low Log Forging CWE-117 JavaScript / Node.js 2
Low Weak Encryption Strength CWE-326 Android Java 23
Low Application Configuration CWE-16 Android Java 24

CVE-2020-2934 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2020-2934 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.20

⛑️ Automatic Remediation is available for this issue

CVE-2017-3589 (Low) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2017-3589 - Low Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.42

⛑️ Automatic Remediation is available for this issue

CVE-2022-23305 (High) detected in log4j-1.2.7.jar

CVE-2022-23305 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

CVE-2022-23307 (Medium) detected in log4j-1.2.7.jar

CVE-2022-23307 - Medium Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

CVE-2020-9493 (High) detected in log4j-1.2.7.jar

CVE-2020-9493 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

jquery-ui-1.11.4.min.js: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-41184 Medium 6.1 jquery-ui-1.11.4.min.js Direct jquery-ui - 1.13.0
CVE-2021-41183 Medium 6.1 jquery-ui-1.11.4.min.js Direct jquery-ui - 1.13.0
CVE-2021-41182 Medium 6.1 jquery-ui-1.11.4.min.js Direct jquery-ui - 1.13.0
CVE-2016-7103 Medium 6.1 jquery-ui-1.11.4.min.js Direct jquery-ui - 1.12.0

Details

CVE-2021-41184

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41184

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41183

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41183

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41182

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41182

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2016-7103

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: jquery-ui - 1.12.0

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed

WS-2018-0629 - High Severity Vulnerability

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/woodstox-core-5.0.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

The woodstox-core package is vulnerable to improper restriction of XXE reference.

Publish Date: 2018-08-23

URL: WS-2018-0629

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/woodstox#61

Release Date: 2018-08-23

Fix Resolution: com.fasterxml.woodstox:woodstox-core:5.3.0

⛑️ Automatic Remediation is available for this issue

CVE-2021-41183 (Medium) detected in jquery-ui-1.11.4.min.js, jquery-ui-1.8.19.min.js - autoclosed

CVE-2021-41183 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-ui-1.11.4.min.js, jquery-ui-1.8.19.min.js

jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)
jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41183

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2022-22965 (High) detected in spring-beans-5.1.1.RELEASE.jar, spring-beans-5.0.7.RELEASE.jar - autoclosed

CVE-2022-22965 - High Severity Vulnerability

Vulnerable Libraries - spring-beans-5.1.1.RELEASE.jar, spring-beans-5.0.7.RELEASE.jar

spring-beans-5.1.1.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /tmp/ws-ua_20210812155912_BTBDVP/downloadResource_JLULIP/20210812160129/spring-beans-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar (Vulnerable Library)
spring-beans-5.0.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a vulnerability in Spring-beans which allows attackers under certain circumstances to achieve remote code execution, this vulnerability is also known as ״Spring4Shell״ or ״SpringShell״. The current POC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE (Remote Code Execution). Please note that the ease of exploitation may diverge by the code implementation.Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application Packaged as WAR, and dependency on spring-webmvc or spring-webflux. Spring Framework 5.3.18 and 5.2.20 have already been released. WhiteSource's research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.

Publish Date: 2022-01-11

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-01-11

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

spring-context-5.1.1.RELEASE.jar: 5 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - spring-context-5.1.1.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-context version) Remediation Available
CVE-2022-22965 High 9.8 spring-beans-5.1.1.RELEASE.jar Transitive 5.2.20.RELEASE
CVE-2022-22950 Medium 6.5 spring-expression-5.1.1.RELEASE.jar Transitive 5.2.20.RELEASE
CVE-2023-20861 Medium 6.5 spring-expression-5.1.1.RELEASE.jar Transitive 5.2.23.RELEASE
CVE-2023-20863 Medium 6.5 spring-expression-5.1.1.RELEASE.jar Transitive 5.2.24.RELEASE
CVE-2022-22970 Medium 5.3 spring-beans-5.1.1.RELEASE.jar Transitive 5.2.22.RELEASE

Details

CVE-2022-22965

Vulnerable Library - spring-beans-5.1.1.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /tmp/ws-ua_20230518035154_XJWLEV/downloadResource_MEXGVI/20230518035554/spring-beans-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE

⛑️ Automatic Remediation is available for this issue

CVE-2022-22950

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE

⛑️ Automatic Remediation is available for this issue

CVE-2023-20861

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.2.23.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.23.RELEASE

⛑️ Automatic Remediation is available for this issue

CVE-2023-20863

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.2.24.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.24.RELEASE

⛑️ Automatic Remediation is available for this issue

CVE-2022-22970

Vulnerable Library - spring-beans-5.1.1.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /tmp/ws-ua_20230518035154_XJWLEV/downloadResource_MEXGVI/20230518035554/spring-beans-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.22.RELEASE

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2015-6748 (Medium) detected in jsoup-1.8.2.jar - autoclosed

CVE-2015-6748 - Medium Severity Vulnerability

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar,/target/owaspSecurityShepherd/WEB-INF/lib/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

Publish Date: 2017-09-25

URL: CVE-2015-6748

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748

Release Date: 2017-09-25

Fix Resolution: 1.8.3

⛑️ Automatic Remediation is available for this issue

xmlsec-2.1.4.jar: 1 vulnerabilities (highest severity is: 7.5) - autoclosed

Vulnerable Library - xmlsec-2.1.4.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: https://santuario.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/xmlsec-2.1.4.jar,/home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (xmlsec version) Remediation Available
CVE-2021-40690 High 7.5 xmlsec-2.1.4.jar Direct 2.1.7

Details

CVE-2021-40690

Vulnerable Library - xmlsec-2.1.4.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: https://santuario.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/xmlsec-2.1.4.jar,/home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar

Dependency Hierarchy:

  • xmlsec-2.1.4.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Publish Date: 2021-09-19

URL: CVE-2021-40690

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690

Release Date: 2021-09-19

Fix Resolution: 2.1.7

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2021-41182 (Medium) detected in jquery-ui-1.8.19.min.js, jquery-ui-1.11.4.min.js - autoclosed

CVE-2021-41182 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-ui-1.8.19.min.js, jquery-ui-1.11.4.min.js

jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)
jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41182

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

json-20180130.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - json-20180130.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/ 

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20180130/json-20180130.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (json version) Remediation Available
CVE-2022-45688 High 7.5 json-20180130.jar Direct 20230227

Details

CVE-2022-45688

Vulnerable Library - json-20180130.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/ 

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20180130/json-20180130.jar

Dependency Hierarchy:

  • json-20180130.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Publish Date: 2022-12-13

URL: CVE-2022-45688

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3vqj-43w4-2q58

Release Date: 2022-12-13

Fix Resolution: 20230227

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2017-3586 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2017-3586 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.42

⛑️ Automatic Remediation is available for this issue

CVE-2021-4104 (High) detected in log4j-1.2.7.jar

CVE-2021-4104 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: log4j:log4j - 1.2.17-atlassian-1

⛑️ Automatic Remediation is available for this issue

WS-2022-0107 (High) detected in spring-beans-5.0.7.RELEASE.jar, spring-beans-5.1.1.RELEASE.jar - autoclosed

WS-2022-0107 - High Severity Vulnerability

Vulnerable Libraries - spring-beans-5.0.7.RELEASE.jar, spring-beans-5.1.1.RELEASE.jar

spring-beans-5.0.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)
spring-beans-5.1.1.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /tmp/ws-ua_20210812155912_BTBDVP/downloadResource_JLULIP/20210812160129/spring-beans-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Spring Framework before 5.2.20 and 5.3.x before 5.3.18 are vulnerable due to a vulnerability in Spring-beans which allows attackers under certain circumstances to achieve remote code execution, this vulnerability is also known as ״Spring4Shell״ or ״SpringShell״.

The current POC related to the attack is done by creating a specially crafted request which manipulates ClassLoader to successfully achieve RCE (Remote Code Execution).
Please note that the ease of exploitation may diverge by the code implementation.

Currently, the exploit requires JDK 9 or higher, Apache Tomcat as the Servlet container, the application Packaged as WAR, and dependency on spring-webmvc or spring-webflux.
Spring Framework 5.3.18 and 5.2.20 have already been released.

WhiteSource’s research team is carefully observing developments and researching the case. We will keep updating this page and our WhiteSource resources with updates.
This is a temporary WhiteSource ID until an official CVE ID will be released.

Publish Date: 2022-03-30

URL: WS-2022-0107

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-03-30

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

jsoup-1.8.2.jar: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jsoup version) Remediation Available
CVE-2021-37714 High 7.5 jsoup-1.8.2.jar Direct 1.14.2
CVE-2015-6748 Medium 6.1 jsoup-1.8.2.jar Direct 1.8.3
CVE-2022-36033 Medium 6.1 jsoup-1.8.2.jar Direct 1.15.3

Details

CVE-2021-37714

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: 1.14.2

⛑️ Automatic Remediation is available for this issue

CVE-2015-6748

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

Publish Date: 2017-09-25

URL: CVE-2015-6748

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748

Release Date: 2017-09-25

Fix Resolution: 1.8.3

⛑️ Automatic Remediation is available for this issue

CVE-2022-36033

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading: - disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs - ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)

Publish Date: 2022-08-29

URL: CVE-2022-36033

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gp7f-rwcx-9369

Release Date: 2022-08-29

Fix Resolution: 1.15.3

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

jquery-ui-1.8.19.min.js: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-41184 Medium 6.1 jquery-ui-1.8.19.min.js Direct jquery-ui - 1.13.0
CVE-2021-41183 Medium 6.1 jquery-ui-1.8.19.min.js Direct jquery-ui - 1.13.0
CVE-2021-41182 Medium 6.1 jquery-ui-1.8.19.min.js Direct jquery-ui - 1.13.0
CVE-2016-7103 Medium 6.1 jquery-ui-1.8.19.min.js Direct jquery-ui - 1.12.0

Details

CVE-2021-41184

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41184

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41183

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41183

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41182

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41182

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2016-7103

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: jquery-ui - 1.12.0

woodstox-core-5.0.3.jar: 2 vulnerabilities (highest severity is: 9.1) - autoclosed

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/woodstox-core-5.0.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (woodstox-core version) Remediation Available
WS-2018-0629 High 9.1 woodstox-core-5.0.3.jar Direct 5.2.1
CVE-2022-40152 High 7.5 woodstox-core-5.0.3.jar Direct 5.4.0

Details

WS-2018-0629

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/woodstox-core-5.0.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

The woodstox-core package is vulnerable to improper restriction of XXE reference.

Publish Date: 2018-08-23

URL: WS-2018-0629

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-08-23

Fix Resolution: 5.2.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-40152

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/woodstox-core-5.0.3.jar,/home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Those using Woodstox to parse XML data may be vulnerable to Denial of Service attacks (DOS) if DTD support is enabled. If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow. This effect may support a denial of service attack.

Publish Date: 2022-09-16

URL: CVE-2022-40152

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-16

Fix Resolution: 5.4.0

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2019-17571 (High) detected in log4j-1.2.7.jar - autoclosed

CVE-2019-17571 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2019-17571

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

CVE-2018-3258 (High) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2018-3258 - High Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: SecurityShepherd/target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.12 and prior. Easily exploitable vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.8 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H).

Publish Date: 2018-10-17

URL: CVE-2018-3258

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3258

Release Date: 2018-10-17

Fix Resolution: mysql:mysql-connector-java:8.0.13

⛑️ Automatic Remediation is available for this issue

spring-expression-5.1.1.RELEASE.jar: 1 vulnerabilities (highest severity is: 6.5) - autoclosed

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar,/target/owaspSecurityShepherd/WEB-INF/lib/spring-expression-5.1.1.RELEASE.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-expression version) Remediation Available
CVE-2022-22950 Medium 6.5 spring-expression-5.1.1.RELEASE.jar Direct 5.2.20.RELEASE

Details

CVE-2022-22950

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar,/target/owaspSecurityShepherd/WEB-INF/lib/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution: 5.2.20.RELEASE

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2022-23302 (High) detected in log4j-1.2.7.jar

CVE-2022-23302 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-2692 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2019-2692 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2020-08-24

Fix Resolution: mysql:mysql-connector-java:8.0.16

⛑️ Automatic Remediation is available for this issue

commons-codec-1.6.jar: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/codec/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (commons-codec version) Remediation Available
WS-2019-0379 Medium 6.5 commons-codec-1.6.jar Direct 1.13

Details

WS-2019-0379

Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/codec/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar

Dependency Hierarchy:

  • commons-codec-1.6.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: 1.13

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2020-2875 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2020-2875 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: mysql/mysql-connector-j@79a4336

Release Date: 2020-04-15

Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.15

⛑️ Automatic Remediation is available for this issue

CVE-2017-3523 (High) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2017-3523 - High Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Release Date: 2017-04-24

Fix Resolution: 5.1.41

⛑️ Automatic Remediation is available for this issue

log4j-1.2.7.jar: 8 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (log4j version) Remediation Available
CVE-2022-23305 High 9.8 log4j-1.2.7.jar Direct ch.qos.reload4j:reload4j:1.2.18.2
CVE-2019-17571 High 9.8 log4j-1.2.7.jar Direct log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
CVE-2020-9493 High 9.8 log4j-1.2.7.jar Direct ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23307 High 8.8 log4j-1.2.7.jar Direct ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23302 High 8.8 log4j-1.2.7.jar Direct ch.qos.reload4j:reload4j:1.2.18.1
CVE-2021-4104 High 7.5 log4j-1.2.7.jar Direct uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
CVE-2023-26464 High 7.5 log4j-1.2.7.jar Direct org.apache.logging.log4j:log4j-core:2.0
CVE-2020-9488 Low 3.7 log4j-1.2.7.jar Direct ch.qos.reload4j:reload4j:1.2.18.3

Details

CVE-2022-23305

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

⛑️ Automatic Remediation is available for this issue

CVE-2019-17571

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

⛑️ Automatic Remediation is available for this issue

CVE-2020-9493

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-23307

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-23302

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

⛑️ Automatic Remediation is available for this issue

CVE-2021-4104

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

⛑️ Automatic Remediation is available for this issue

CVE-2023-26464

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-9488

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

mysql-connector-java-5.1.24.jar: 9 vulnerabilities (highest severity is: 8.5)

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mysql-connector-java version) Remediation Available
CVE-2017-3523 High 8.5 mysql-connector-java-5.1.24.jar Direct 5.1.41
CVE-2022-21363 Medium 6.6 mysql-connector-java-5.1.24.jar Direct mysql:mysql-connector-java:8.0.28
CVE-2017-3586 Medium 6.4 mysql-connector-java-5.1.24.jar Direct 5.1.42
CVE-2019-2692 Medium 6.3 mysql-connector-java-5.1.24.jar Direct 5.1.48
CVE-2020-2934 Medium 5.0 mysql-connector-java-5.1.24.jar Direct 5.1.49
CVE-2020-2875 Medium 4.7 mysql-connector-java-5.1.24.jar Direct 5.1.49
CVE-2015-2575 Medium 4.2 mysql-connector-java-5.1.24.jar Direct 5.1.35
CVE-2017-3589 Low 3.3 mysql-connector-java-5.1.24.jar Direct 5.1.42
CVE-2020-2933 Low 2.2 mysql-connector-java-5.1.24.jar Direct 5.1.49

Details

CVE-2017-3523

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xxh-f8r3-hvvr

Release Date: 2017-04-24

Fix Resolution: 5.1.41

⛑️ Automatic Remediation is available for this issue

CVE-2022-21363

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

Publish Date: 2022-01-19

URL: CVE-2022-21363

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g76j-4cxx-23h9

Release Date: 2022-01-19

Fix Resolution: mysql:mysql-connector-java:8.0.28

⛑️ Automatic Remediation is available for this issue

CVE-2017-3586

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.42

⛑️ Automatic Remediation is available for this issue

CVE-2019-2692

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2019-04-23

Fix Resolution: 5.1.48

⛑️ Automatic Remediation is available for this issue

CVE-2020-2934

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation is available for this issue

CVE-2020-2875

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation is available for this issue

CVE-2015-2575

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

Publish Date: 2015-04-16

URL: CVE-2015-2575

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gc43-g62c-99g2

Release Date: 2015-04-16

Fix Resolution: 5.1.35

⛑️ Automatic Remediation is available for this issue

CVE-2017-3589

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.42

⛑️ Automatic Remediation is available for this issue

CVE-2020-2933

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2020-15250 (Medium) detected in junit-4.10.jar - autoclosed

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/junit-4.10.jar,/home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Dependency Hierarchy:

  • junit-4.10.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: junit:junit:4.13.1

⛑️ Automatic Remediation is available for this issue

commons-io-2.5.jar: 1 vulnerabilities (highest severity is: 4.8)

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (commons-io version) Remediation Available
CVE-2021-29425 Medium 4.8 commons-io-2.5.jar Direct 2.7

Details

CVE-2021-29425

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar

Dependency Hierarchy:

  • commons-io-2.5.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: 2.7

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2020-9488 (Low) detected in log4j-1.2.7.jar - autoclosed

CVE-2020-9488 - Low Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/log4j/log4j/1.2.7/log4j-1.2.7.jar,/target/owaspSecurityShepherd/WEB-INF/lib/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 277fa3ae778486f7b6560cbd3015b8a81c5f7cd7

Found in base branch: dev

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

⛑️ Automatic Remediation is available for this issue

spring-beans-5.0.7.RELEASE.jar: 2 vulnerabilities (highest severity is: 9.8) - autoclosed

Vulnerable Library - spring-beans-5.0.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-beans version) Remediation Available
CVE-2022-22965 High 9.8 spring-beans-5.0.7.RELEASE.jar Direct 5.2.20.RELEASE
CVE-2022-22970 Medium 5.3 spring-beans-5.0.7.RELEASE.jar Direct 5.2.22.RELEASE

Details

CVE-2022-22965

Vulnerable Library - spring-beans-5.0.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: 5.2.20.RELEASE

CVE-2022-22970

Vulnerable Library - spring-beans-5.0.7.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/spring-beans-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-beans-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution: 5.2.22.RELEASE

CVE-2020-2933 (Low) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2020-2933 - Low Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/mysql-connector-java-5.1.24.jar,/tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: mysql:mysql-connector-java:5.1.49

⛑️ Automatic Remediation is available for this issue

CVE-2021-37714 (High) detected in jsoup-1.8.2.jar - autoclosed

CVE-2021-37714 - High Severity Vulnerability

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /tory/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar,/target/owaspSecurityShepherd/WEB-INF/lib/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: org.jsoup:jsoup:1.14.2

⛑️ Automatic Remediation is available for this issue

CVE-2021-40690 (High) detected in xmlsec-2.1.4.jar - autoclosed

CVE-2021-40690 - High Severity Vulnerability

Vulnerable Library - xmlsec-2.1.4.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: https://santuario.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /target/owaspSecurityShepherd/WEB-INF/lib/xmlsec-2.1.4.jar,/home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar

Dependency Hierarchy:

  • xmlsec-2.1.4.jar (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Publish Date: 2021-09-19

URL: CVE-2021-40690

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690

Release Date: 2021-09-19

Fix Resolution: org.apache.santuario:xmlsec:2.1.7, 2.2.3

⛑️ Automatic Remediation is available for this issue

jstl-1.2.jar: 1 vulnerabilities (highest severity is: 7.3)

Vulnerable Library - jstl-1.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/jstl/jstl/1.2/jstl-1.2.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jstl version) Remediation Available
CVE-2015-0254 High 7.3 jstl-1.2.jar Direct org.apache.taglibs:taglibs-standard-impl:1.2.3

Details

CVE-2015-0254

Vulnerable Library - jstl-1.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/jstl/jstl/1.2/jstl-1.2.jar

Dependency Hierarchy:

  • jstl-1.2.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Publish Date: 2015-03-09

URL: CVE-2015-0254

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/taglibs/standard/

Release Date: 2015-03-09

Fix Resolution: org.apache.taglibs:taglibs-standard-impl:1.2.3

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

CVE-2021-41184 (Medium) detected in jquery-ui-1.11.4.min.js, jquery-ui-1.8.19.min.js - autoclosed

CVE-2021-41184 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-ui-1.11.4.min.js, jquery-ui-1.8.19.min.js

jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)
jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41184

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2016-7103 (Medium) detected in jquery-ui-1.8.19.min.js, jquery-ui-1.11.4.min.js - autoclosed

CVE-2016-7103 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-ui-1.8.19.min.js, jquery-ui-1.11.4.min.js

jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /target/owaspSecurityShepherd/index.jsp

Path to vulnerable library: /target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js,/target/owaspSecurityShepherd/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)
jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /target/owaspSecurityShepherd/js/jquery-ui.min.js,/src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 112f4333629c368161fb9b26b23dce3ffb9286e1

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: jquery-ui - 1.12.0

spring-data-mongodb-2.1.1.RELEASE.jar: 1 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - spring-data-mongodb-2.1.1.RELEASE.jar

MongoDB support for Spring Data

Library home page: http://projects.spring.io/spring-data-mongodb

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/2.1.1.RELEASE/spring-data-mongodb-2.1.1.RELEASE.jar

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-data-mongodb version) Remediation Available
CVE-2022-22980 High 9.8 spring-data-mongodb-2.1.1.RELEASE.jar Direct 3.2.12

Details

CVE-2022-22980

Vulnerable Library - spring-data-mongodb-2.1.1.RELEASE.jar

MongoDB support for Spring Data

Library home page: http://projects.spring.io/spring-data-mongodb

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/2.1.1.RELEASE/spring-data-mongodb-2.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-data-mongodb-2.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: e1b4e8cce3d73c6bf16c847576c713de85e7efc6

Found in base branch: dev

Vulnerability Details

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Publish Date: 2022-06-23

URL: CVE-2022-22980

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22980

Release Date: 2022-06-23

Fix Resolution: 3.2.12

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.