dima2022 / atom-hopper
This project forked from rackerlabs/atom-hopper
ATOM Hopper - The Java ATOMpub Server
Home Page: http://atomhopper.org
A module of the Hibernate Core project
Library home page: http://hibernate.org
Path to dependency file: /atomhopper/pom.xml
Path to vulnerable library: /atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/hibernate-core-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-core/4.1.3.Final/hibernate-core-4.1.3.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2020-12-02
URL: CVE-2020-25638
Base Score Metrics:
Type: Upgrade version
Origin: https://in.relation.to/2020/11/19/hibernate-orm-5424-final-release/
Release Date: 2020-12-02
Fix Resolution: org.hibernate:hibernate-core:5.3.20.Final,5.4.24.Final
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /adapters/mongodb/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.22.RELEASE/spring-web-4.3.22.RELEASE.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/spring-web-4.3.22.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
Pivotal Spring Framework 4.1.4 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is used within a product, this issue may or may not occur, and authentication may be required.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
Base Score Metrics:
Type: Upgrade version
Origin: spring-projects/spring-framework#25379
Release Date: 2020-01-02
Fix Resolution: org.springframework:spring-web:5.3.0
⛑️ Automatic Remediation is available for this issue
Google Gson library
Library home page: http://code.google.com/p/google-gson/
Path to dependency file: /adapters/jdbc/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.1/gson-2.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/gson-2.1.jar
Dependency Hierarchy:
Found in base branch: master
Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/google/gson/releases/tag/gson-parent-2.8.9
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
⛑️ Automatic Remediation is available for this issue
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /server/pom.xml
Path to vulnerable library: /epository/org/eclipse/jetty/jetty-server/9.4.17.v20190418/jetty-server-9.4.17.v20190418.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
In Eclipse Jetty version 9.4.0.RC0 to 9.4.34.v20201102, 10.0.0.alpha0 to 10.0.0.beta2, and 11.0.0.alpha0 to 11.0.0.beta2, if GZIP request body inflation is enabled and requests from different clients are multiplexed onto a single connection, and if an attacker can send a request with a body that is received entirely but not consumed by the application, then a subsequent request on the same connection will see that body prepended to its body. The attacker will not see any data but may inject data into the body of the subsequent request.
Publish Date: 2020-11-28
URL: CVE-2020-27218
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-86wm-rrjm-8wh8
Release Date: 2020-11-28
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.35.v20201120, 10.0.0.beta3, 11.0.0.beta3
⛑️ Automatic Remediation is available for this issue
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.17.v20190418/jetty-io-9.4.17.v20190418.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.
Publish Date: 2021-04-01
URL: CVE-2021-28165
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-26vr-8j45-3r4w
Release Date: 2021-04-01
Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2
A module of the Hibernate Core project
Library home page: http://hibernate.org
Path to dependency file: /atomhopper/pom.xml
Path to vulnerable library: /atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/hibernate-core-4.1.3.Final.jar,/home/wss-scanner/.m2/repository/org/hibernate/hibernate-core/4.1.3.Final/hibernate-core-4.1.3.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
Publish Date: 2020-07-06
URL: CVE-2019-14900
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900
Release Date: 2020-07-06
Fix Resolution: org.hibernate:hibernate-core:5.4.18.Final
⛑️ Automatic Remediation is available for this issue
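The two hibernate-core findings on this page (CVE-2019-14900 here and CVE-2020-25638 earlier) share one root cause: a caller-supplied literal was rendered straight into the generated SQL in a position (SELECT list, GROUP BY, a comment) that the parameter binding used for the WHERE clause never covered. The following added example is not code from Atom Hopper or Hibernate; it reproduces that rendering mistake with Python's sqlite3 against a constructed in-memory schema (the table and column names are assumptions) and shows the same query with the literal bound as a parameter instead.

```python
import sqlite3

# Constructed schema for the demonstration: the table the application
# queries and a second table the attacker wants to read.
SCHEMA = """
CREATE TABLE feed_entry (id INTEGER PRIMARY KEY, feed TEXT, title TEXT);
CREATE TABLE api_key   (id INTEGER PRIMARY KEY, owner TEXT, secret TEXT);
INSERT INTO feed_entry VALUES (1, 'public', 'hello'), (2, 'public', 'world');
INSERT INTO api_key   VALUES (1, 'admin', 'S3CR3T');
"""


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def render_select_unsafe(label):
    # What a query builder does when it inlines a literal into the SELECT
    # list: it supplies the quotes, the caller supplies the contents, and
    # nothing is escaped. The WHERE predicate is still a bound parameter,
    # the same mix the two Hibernate advisories describe.
    return f"SELECT title, '{label}' AS label FROM feed_entry WHERE feed = ?"


def select_with_literal_unsafe(conn, feed, label):
    return conn.execute(render_select_unsafe(label), (feed,)).fetchall()


def select_with_literal_safe(conn, feed, label):
    # Same query with the label bound as a parameter: its bytes can never
    # change the shape of the statement, so a payload comes back as text.
    sql = "SELECT title, ? AS label FROM feed_entry WHERE feed = ?"
    return conn.execute(sql, (label, feed)).fetchall()


# Closes the builder's opening quote, splices a scalar subquery into the
# SELECT list, then reopens a quote so the builder's closing quote stays valid.
PAYLOAD = "' || (SELECT secret FROM api_key) || '"


if __name__ == "__main__":
    db = make_db()
    print(render_select_unsafe(PAYLOAD))
    print(select_with_literal_unsafe(db, "public", PAYLOAD))  # secret leaks
    print(select_with_literal_safe(db, "public", PAYLOAD))    # payload is just text
```

The unsafe path returns the api_key secret in every row; the safe path returns the payload string verbatim as the label column. The same distinction applies to the JPA Criteria API: values passed through a parameter expression are bound, values passed through a literal expression were rendered into the SQL text by the affected Hibernate versions.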
JDBC Type 4 driver for MySQL
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /server/pom.xml
Path to vulnerable library: /epository/mysql/mysql-connector-java/8.0.16/mysql-connector-java-8.0.16.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/mysql-connector-java-8.0.16.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.oracle.com/security-alerts/cpuapr2020.html
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.20
⛑️ Automatic Remediation is available for this issue
dom4j: the flexible XML framework for Java
Library home page: http://dom4j.org
Path to dependency file: /server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/dom4j-1.6.1.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in the Element class (methods addElement and addAttribute) that can result in an attacker tampering with XML documents through XML injection. The attack appears to be exploitable by an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Publish Date: 2018-08-20
URL: CVE-2018-1000632
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
Release Date: 2018-08-20
Fix Resolution: org.dom4j:dom4j:2.0.3
⛑️ Automatic Remediation is available for this issue
H2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /adapters/jdbc/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.167/h2-1.3.167.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/h2-1.3.167.jar
Dependency Hierarchy:
Found in base branch: master
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.
Publish Date: 2022-01-10
URL: CVE-2021-42392
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h376-j262-vhq6
Release Date: 2022-01-10
Fix Resolution: com.h2database:h2:2.0.206
⛑️ Automatic Remediation is available for this issue
A fast, comprehensive, and easy-to-use Java API for communicating with LDAP directory servers and performing related tasks like reading and writing LDIF, encoding and decoding data using base64 and ASN.1 BER, and performing secure communication.
Library home page: http://www.unboundid.com/
Path to dependency file: /adapters/jdbc/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/unboundid/unboundid-ldapsdk/2.3.1/unboundid-ldapsdk-2.3.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/unboundid-ldapsdk-2.3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
UnboundID LDAP SDK, from commit 801111d8b5c732266a5dbd4b3bb0b6c7b94d7afb up to commit 8471904a02438c03965d21367890276bc25fa5a6 (where the issue was reported and fixed), contains an Incorrect Access Control vulnerability: the process function in the SimpleBindRequest class does not check for an empty password when running in synchronous mode (fix applied in commit pingidentity/ldapsdk@8471904#diff-f6cb23b459be1ec17df1da33760087fd). This can result in the ability to impersonate any valid user. The attack is exploitable by providing a valid username and an empty password against servers that do not perform the additional validation described in https://tools.ietf.org/html/rfc4513#section-5.1.1. The vulnerability is fixed in releases after commit 8471904a02438c03965d21367890276bc25fa5a6.
Publish Date: 2018-03-16
URL: CVE-2018-1000134
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000134
Release Date: 2018-03-16
Fix Resolution: 4.0.5
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /adapters/mongodb/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.22.RELEASE/spring-web-4.3.22.RELEASE.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/spring-web-4.3.22.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Publish Date: 2020-09-19
URL: CVE-2020-5421
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2020-5421
Release Date: 2020-09-19
Fix Resolution: org.springframework:spring-web:4.3.29,5.0.19,5.1.18,5.2.9
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /adapters/mongodb/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.22.RELEASE/spring-web-4.3.22.RELEASE.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/spring-web-4.3.22.RELEASE.jar
Dependency Hierarchy:
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.22.RELEASE/spring-core-4.3.22.RELEASE.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/spring-core-4.3.22.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution: org.springframework:spring-core:5.2.18.RELEASE,5.3.12;org.springframework:spring-web:5.2.18.RELEASE,5.3.12;org.springframework:spring-webmvc:5.2.18.RELEASE,5.3.12;org.springframework:spring-webflux:5.2.18.RELEASE,5.3.12
H2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /adapters/jdbc/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.167/h2-1.3.167.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/h2-1.3.167.jar
Dependency Hierarchy:
Found in base branch: master
The package com.h2database:h2 from 1.4.198 and before 2.0.202 is vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from the org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability. Note that the detected artifact is h2 1.3.167, which is below the affected range stated here; confirm whether the finding applies to the deployed version before prioritising it. The upgrade to 2.0.206 listed for CVE-2021-42392 above already satisfies this entry's fix version.
Publish Date: 2021-12-10
URL: CVE-2021-23463
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23463
Release Date: 2021-12-10
Fix Resolution: com.h2database:h2:2.0.202
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.2.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js
Path to dependency file: /documentation/target/docbkx/webhelp/ah-intro-external/content/Deploy_RPM-d1e444.html
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.3.min.js
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.
Publish Date: 2013-03-08
URL: CVE-2011-4969
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969
Release Date: 2013-03-08
Fix Resolution: 1.6.3
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: /atomhopper/pom.xml
Path to vulnerable library: /atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/jackson-mapper-asl-1.9.5.jar,/home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.5/jackson-mapper-asl-1.9.5.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
A flaw was found in the org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the Codehaus jackson-mapper-asl libraries, but in different classes.
Publish Date: 2019-11-18
URL: CVE-2019-10172
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172
Release Date: 2019-11-18
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1 (a different artifact with a different package namespace, com.fasterxml.jackson rather than org.codehaus.jackson, so this is a source migration rather than a version bump; the Codehaus 1.x line is no longer maintained upstream)
⛑️ Automatic Remediation is available for this issue
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: /atomhopper/pom.xml
Path to vulnerable library: /atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/jackson-mapper-asl-1.9.5.jar,/home/wss-scanner/.m2/repository/org/codehaus/jackson/jackson-mapper-asl/1.9.5/jackson-mapper-asl-1.9.5.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://access.redhat.com/errata/RHSA-2019:2938
Release Date: 2019-10-01
Fix Resolution: JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9
c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.
Library home page: http://c3p0.sourceforge.net
Path to dependency file: /adapters/hibernate/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1/c3p0-0.9.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/c3p0-0.9.1.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Publish Date: 2018-12-24
URL: CVE-2018-20433
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
Release Date: 2018-12-24
Fix Resolution: 0.9.5.3 (published under the com.mchange:c3p0 coordinates, as the next c3p0 entry shows, not the legacy c3p0:c3p0 coordinates detected here, so the dependency declaration must change along with the version)
⛑️ Automatic Remediation is available for this issue
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /server/pom.xml
Path to vulnerable library: /epository/org/eclipse/jetty/jetty-server/9.4.17.v20190418/jetty-server-9.4.17.v20190418.jar
Dependency Hierarchy:
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.17.v20190418/jetty-http-9.4.17.v20190418.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.
Publish Date: 2021-06-09
URL: CVE-2021-28169
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gwcr-j4wh-j3cq
Release Date: 2021-06-09
Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3
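The ConcatServlet bypass above works because the path is percent-decoded once before the WEB-INF check, while %2557EB-INF only becomes WEB-INF after a second decode. The following added example is not Jetty code; the two check functions and the sample paths are constructed for the demonstration (the first sample is the advisory's own request). It shows a check that decodes once and misses that request, beside a check that decodes to a fixed point, refuses input that never stabilises, and normalises dot segments before comparing.

```python
import posixpath
from urllib.parse import unquote

# Directories a servlet container must never serve directly.
PROTECTED_PREFIXES = ("/WEB-INF/", "/META-INF/")


def naive_is_protected(resource):
    # One decoding pass, then a prefix test: the check the advisory describes
    # as bypassable. "%2557EB-INF" decodes to "%57EB-INF", which is not "WEB-INF".
    decoded = unquote(resource)
    return decoded.upper().startswith(PROTECTED_PREFIXES)


def canonicalize(resource, max_rounds=4):
    # Decode until the string stops changing, reject input that still changes
    # after max_rounds or that smuggles a NUL, then collapse "." and "..".
    # Returns None for input that should be refused outright.
    current = resource
    for _ in range(max_rounds):
        decoded = unquote(current)
        if decoded == current:
            break
        current = decoded
    else:
        return None
    if "\x00" in current:
        return None
    # The leading "/" keeps normpath from letting ".." climb above the context root.
    return posixpath.normpath("/" + current.lstrip("/"))


def hardened_is_protected(resource):
    canonical = canonicalize(resource)
    if canonical is None:
        return True  # fail closed on undecodable input
    upper = canonical.upper()
    return any(upper == p.rstrip("/") or upper.startswith(p) for p in PROTECTED_PREFIXES)


# Constructed request paths; the first is the advisory's own example.
SAMPLES = [
    "/%2557EB-INF/web.xml",            # double-encoded "W"
    "/WEB-INF/web.xml",                # plain
    "/static/../WEB-INF/web.xml",      # dot-segment traversal
    "/static/%2e%2e/WEB-INF/web.xml",  # encoded dot segments
    "/css/site.css",                   # legitimate
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:34} naive={naive_is_protected(sample)!s:5} "
              f"hardened={hardened_is_protected(sample)}")
```

Only the plain form is caught by the single-decode check; the hardened check flags all four traversal variants and still admits the stylesheet. Decoding to a fixed point is the general defence against N-fold encoding, and the fixed-round cap is what keeps it from being a decompression oracle in its own right.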
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.0/logback-classic-1.2.0.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/logback-classic-1.2.0.jar
Dependency Hierarchy:
Found in base branch: master
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.
Publish Date: 2021-12-16
URL: CVE-2021-42550
Base Score Metrics:
Type: Upgrade version
Origin: http://logback.qos.ch/news.html
Release Date: 2021-12-16
Fix Resolution: ch.qos.logback:logback-classic:1.2.8
⛑️ Automatic Remediation is available for this issue
c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.
Library home page: http://c3p0.sourceforge.net
Path to dependency file: /adapters/hibernate/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/c3p0/c3p0/0.9.1/c3p0-0.9.1.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/c3p0-0.9.1.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.
Publish Date: 2019-04-22
URL: CVE-2019-5427
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
Release Date: 2019-04-22
Fix Resolution: com.mchange:c3p0:0.9.5.4
⛑️ Automatic Remediation is available for this issue
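Both c3p0 findings are in the XML configuration loader: the earlier one is external-entity resolution, this one is unbounded expansion of internal entities. The following added example is not c3p0's code. It shows the budget check a hardened loader can apply before handing a document to a parser: read the DTD internal subset, compute the fully expanded size of every entity reference in the body, and refuse documents whose expansion exceeds a limit or whose entities refer to themselves. The config-style document and the attack document are constructed for the demonstration; the limit is an assumption.

```python
import re
import xml.etree.ElementTree as ET

ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)

MAX_EXPANSION = 1_000_000  # characters of expanded text we are willing to materialise


def split_document(xml_text):
    """Return (internal general entities, document text after the DOCTYPE)."""
    m = DOCTYPE.search(xml_text)
    if not m:
        return {}, xml_text
    return dict(ENTITY_DECL.findall(m.group(1))), xml_text[m.end():]


def _expanded_size(name, entities, memo, active):
    # Characters that &name; expands to, following nested references.
    if name in active:
        raise ValueError(f"entity &{name}; is recursive")
    if name in memo:
        return memo[name]
    if name not in entities:
        return 1  # predefined (&amp; and friends) or undefined: count one character
    active.add(name)
    body = entities[name]
    size = len(ENTITY_REF.sub("", body))  # literal characters in the body
    for ref in ENTITY_REF.findall(body):
        size += _expanded_size(ref, entities, memo, active)
    active.remove(name)
    memo[name] = size
    return size


def expansion_cost(xml_text):
    """Total characters the entity references in the body would expand to."""
    entities, body = split_document(xml_text)
    memo = {}
    return sum(_expanded_size(ref, entities, memo, set()) for ref in ENTITY_REF.findall(body))


def is_safe(xml_text, limit=MAX_EXPANSION):
    try:
        return expansion_cost(xml_text) <= limit
    except ValueError:  # recursive entity declarations
        return False


def parse_if_safe(xml_text, limit=MAX_EXPANSION):
    """Parse only when the expansion budget is respected; raise otherwise."""
    if not is_safe(xml_text, limit):
        raise ValueError("refusing XML: entity expansion over budget or recursive")
    return ET.fromstring(xml_text)


# Constructed documents: a small config that legitimately uses an entity, and
# the classic exponential payload (ten levels of tenfold expansion).
BENIGN_CONFIG = """<?xml version="1.0"?>
<!DOCTYPE config [ <!ENTITY pool "default"> ]>
<config><named-config name="&pool;"><property name="&pool;-size">3</property></named-config></config>"""

BILLION_LAUGHS = """<?xml version="1.0"?>
<!DOCTYPE lolz [
 <!ENTITY lol "lol">
 <!ENTITY lol1 "&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;&lol;">
 <!ENTITY lol2 "&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;&lol1;">
 <!ENTITY lol3 "&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;&lol2;">
 <!ENTITY lol4 "&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;&lol3;">
 <!ENTITY lol5 "&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;&lol4;">
 <!ENTITY lol6 "&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;&lol5;">
 <!ENTITY lol7 "&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;&lol6;">
 <!ENTITY lol8 "&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;&lol7;">
 <!ENTITY lol9 "&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;&lol8;">
]>
<lolz>&lol9;</lolz>"""

if __name__ == "__main__":
    print("benign expansion:", expansion_cost(BENIGN_CONFIG))       # 14 characters
    print("attack expansion:", expansion_cost(BILLION_LAUGHS))      # 3,000,000,000
    print("benign root tag:", parse_if_safe(BENIGN_CONFIG).tag)
```

The estimate costs a few hundred bytes of work for a document that would otherwise expand to three gigabytes; that asymmetry is the whole point of checking the DTD before parsing rather than trusting the parser's memory to run out gracefully. Loaders that never need entities at all should instead disable DTD processing entirely.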
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /hopper/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /server/pom.xml
Path to vulnerable library: /epository/org/eclipse/jetty/jetty-server/9.4.17.v20190418/jetty-server-9.4.17.v20190418.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, if an exception is thrown from the SessionListener#sessionDestroyed() method, then the session ID is not invalidated in the session ID manager. On deployments with clustered sessions and multiple contexts this can result in a session not being invalidated. This can result in an application used on a shared computer being left logged in.
Publish Date: 2021-06-22
URL: CVE-2021-34428
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m6cp-vxjx-65j6
Release Date: 2021-06-22
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.41.v20210516,10.0.3,11.0.3
⛑️ Automatic Remediation is available for this issue
H2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /adapters/jdbc/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.167/h2-1.3.167.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/h2-1.3.167.jar,/epository/com/h2database/h2/1.3.167/h2-1.3.167.jar
Dependency Hierarchy:
Found in base branch: master
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Publish Date: 2022-01-19
URL: CVE-2022-23221
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/h2database/h2database/releases/tag/version-2.1.210
Release Date: 2022-01-19
Fix Resolution: com.h2database:h2:2.1.210
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js
Path to dependency file: /documentation/target/docbkx/webhelp/ah-intro-external/content/Deploy_RPM-d1e444.html
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.3.min.js,/ocbkx/webhelp/ah-intro-external/content/../common/jquery/jquery-1.4.3.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-28
Fix Resolution: jquery - 1.9.0
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.
Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.
Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.
Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.
Library home page: https://xerces.apache.org/xerces2-j/
Path to dependency file: /adapters/hibernate/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/xercesImpl-2.12.0.jar
Dependency Hierarchy:
Found in base branch: master
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.2.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js
Path to dependency file: /documentation/target/docbkx/webhelp/ah-intro-external/content/Deploy_RPM-d1e444.html
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.3.min.js,/ocbkx/webhelp/ah-intro-external/content/../common/jquery/jquery-1.4.3.min.js
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.2.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.3/jquery.min.js
Path to dependency file: /documentation/target/docbkx/webhelp/ah-intro-external/content/Deploy_RPM-d1e444.html
Path to vulnerable library: /documentation/target/docbkx/webhelp/ah-intro-external/common/jquery/jquery-1.4.3.min.js,/ocbkx/webhelp/ah-intro-external/content/../common/jquery/jquery-1.4.3.min.js
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.17.v20190418/jetty-http-9.4.17.v20190418.jar
Dependency Hierarchy:
Found in HEAD commit: 2f0948603cbd52986b3eb3fbe66e1662d4716d78
Found in base branch: master
In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of “quality” (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.
Publish Date: 2021-02-26
URL: CVE-2020-27223
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-m394-8rww-3jr7
Release Date: 2021-02-26
Fix Resolution: org.eclipse.jetty:jetty-http:9.4.37.v20210219, org.eclipse.jetty:jetty-http:10.0.1, org.eclipse.jetty:jetty-http:11.0.1
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /atomhopper/pom.xml
Path to vulnerable library: /atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/protobuf-java-3.6.1.jar,/home/wss-scanner/.m2/repository/com/google/protobuf/protobuf-java/3.6.1/protobuf-java-3.6.1.jar
Dependency Hierarchy:
Found in base branch: master
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-10
URL: CVE-2021-22569
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wrvw-hg22-4m67
Release Date: 2022-01-10
Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: atom-hopper/server/pom.xml
Path to vulnerable library: epository/ch/qos/logback/logback-classic/1.2.0/logback-classic-1.2.0.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.2.0/logback-classic-1.2.0.jar,/atomhopper/target/atomhopper-1.2.35-SNAPSHOT/WEB-INF/lib/logback-classic-1.2.0.jar
Dependency Hierarchy:
Found in base branch: master
LOGBack before 1.2.8 is vulnerable to Remote-Code-Execution (RCE) when the write access to 'logback.xml' and JNDI lookup are enabled.
Publish Date: 2021-12-13
URL: WS-2021-0491