Git Product home page Git Product logo

katerinaorg / clients-generator-00098856 Goto Github PK

View Code? Open in Web Editor NEW

This project forked from kaltura/clients-generator

0.0 0.0 0.0 25.08 MB

Kaltura API Client Libraries Generator - PHP source code introspection based automation for API native SDKs generation for various programming languages and API platforms

Home Page: https://developer.kaltura.com/api-docs/Client_Libraries/

License: GNU Affero General Public License v3.0

Shell 0.13% JavaScript 3.94% Ruby 0.95% Python 1.11% C 0.02% ActionScript 1.39% PHP 13.00% Erlang 0.10% Objective-C 8.93% Java 15.36% Go 0.47% C# 45.91% TypeScript 5.93% CSS 0.21% Swift 2.05% HTML 0.49% Batchfile 0.01%

clients-generator-00098856's Introduction

Kaltura Client Generator

The code in this repo is used to auto generate the Kaltura client libraries for each supported language.

License

Deployment Instructions

The list of supported clients is here

Download the API scheme XML from http://www.kaltura.com/api_v3/api_schema.php.

To generate one client run:

$ php /opt/kaltura/clients-generator/exec.php -x/path-to-xml/KalturaClient.xml $CLIENT_NAME

For example, to generate a php53 client run:

php /opt/kaltura/clients-generator/exec.php -x/path-to-xml/KalturaClient.xml php53

To generate all available clients, run:

while read CLIENT;do php /opt/kaltura/clients-generator/exec.php -x/path-to-xml/KalturaClient.xml $CLIENT;done < /opt/kaltura/clients-generator/config/generator.all.ini

Getting started with the API

To learn how to use the Kaltura API, go to developer.kaltura.com

How you can help (guidelines for contributors)

Thank you for helping Kaltura grow! If you'd like to contribute please follow these steps:

Where to get help

Get in touch

You can learn more about Kaltura and start a free trial at: http://corp.kaltura.com
Contact us via Twitter @Kaltura or email: [email protected]
We'd love to hear from you!

License and Copyright Information

All code in this project is released under the AGPLv3 license unless a different license for a particular library is specified in the applicable library path.

Copyright © Kaltura Inc. All rights reserved.
Authors and contributors: See GitHub contributors list.

Kaltura C# OTT API Client Library.

Compatible with Kaltura OTT server version 6.1.0.28931 and above.

clients-generator-00098856's People

Contributors

alonbasin-kaltura avatar amiras89 avatar arthurvaverko-kaltura avatar atarsh avatar bcluyse avatar blitzkrig1o1 avatar ccorbacho avatar chausov avatar coralburg12 avatar erankor avatar eransakal avatar esakal avatar flipmcf avatar gilgaldi avatar gonenradai avatar gotlieb avatar hilak avatar himberjack avatar inbal-ben-david avatar irena-l avatar jessp011 avatar moshemaorkaltura avatar nadavharnik avatar noam-arad avatar ravitshalem avatar rkreich avatar shirbruchim avatar srivkas avatar tehilar avatar yossipapi avatar

clients-generator-00098856's Issues

commons-codec-1.11.jar: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /ns-codec/commons-codec/1.11/commons-codec-1.11.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2019-0379 Medium 6.5 commons-codec-1.11.jar Direct 1.13

Details

WS-2019-0379

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /ns-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

  • commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: 1.13

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

microsoft.netcore.app.2.0.0.nupkg: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - microsoft.netcore.app.2.0.0.nupkg

A set of .NET API's that are included in the default .NET Core application model. e8b8861ac7faf042c87a5c2f9f2d04c98b69f28d When using NuGet 3.x this package requires at least version 3.4.

Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.0.0.nupkg

Path to dependency file: /KalturaClientTester/KalturaClientTester.csproj

Path to vulnerable library: /osoft.netcore.app/2.0.0/microsoft.netcore.app.2.0.0.nupkg

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2018-8292 High 7.5 microsoft.netcore.app.2.0.0.nupkg Direct System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1
CVE-2018-8416 Medium 6.5 microsoft.netcore.app.2.0.0.nupkg Direct Microsoft.NETCore.App - 2.1.7

Details

CVE-2018-8292

Vulnerable Library - microsoft.netcore.app.2.0.0.nupkg

A set of .NET API's that are included in the default .NET Core application model. e8b8861ac7faf042c87a5c2f9f2d04c98b69f28d When using NuGet 3.x this package requires at least version 3.4.

Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.0.0.nupkg

Path to dependency file: /KalturaClientTester/KalturaClientTester.csproj

Path to vulnerable library: /osoft.netcore.app/2.0.0/microsoft.netcore.app.2.0.0.nupkg

Dependency Hierarchy:

  • microsoft.netcore.app.2.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

An information disclosure vulnerability exists in .NET Core when authentication information is inadvertently exposed in a redirect, aka ".NET Core Information Disclosure Vulnerability." This affects .NET Core 2.1, .NET Core 1.0, .NET Core 1.1, PowerShell Core 6.0.

Publish Date: 2018-10-10

URL: CVE-2018-8292

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-10-10

Fix Resolution: System.Net.Http - 4.3.4;Microsoft.PowerShell.Commands.Utility - 6.1.0-rc.1

CVE-2018-8416

Vulnerable Library - microsoft.netcore.app.2.0.0.nupkg

A set of .NET API's that are included in the default .NET Core application model. e8b8861ac7faf042c87a5c2f9f2d04c98b69f28d When using NuGet 3.x this package requires at least version 3.4.

Library home page: https://api.nuget.org/packages/microsoft.netcore.app.2.0.0.nupkg

Path to dependency file: /KalturaClientTester/KalturaClientTester.csproj

Path to vulnerable library: /osoft.netcore.app/2.0.0/microsoft.netcore.app.2.0.0.nupkg

Dependency Hierarchy:

  • microsoft.netcore.app.2.0.0.nupkg (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A tampering vulnerability exists when .NET Core improperly handles specially crafted files, aka ".NET Core Tampering Vulnerability." This affects .NET Core 2.1.

Publish Date: 2018-11-14

URL: CVE-2018-8416

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-11-14

Fix Resolution: Microsoft.NETCore.App - 2.1.7

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

mysql-connector-java-5.0.8.jar: 7 vulnerabilities (highest severity is: 8.5)

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2017-3523 High 8.5 mysql-connector-java-5.0.8.jar Direct 5.1.21
CVE-2022-21363 Medium 6.6 mysql-connector-java-5.0.8.jar Direct mysql:mysql-connector-java:8.0.28
CVE-2017-3586 Medium 6.4 mysql-connector-java-5.0.8.jar Direct 5.1.21
CVE-2020-2934 Medium 5.0 mysql-connector-java-5.0.8.jar Direct 5.1.49
CVE-2019-2692 Medium 4.5 mysql-connector-java-5.0.8.jar Direct 5.1.48
CVE-2015-2575 Medium 4.2 mysql-connector-java-5.0.8.jar Direct 5.1.35
CVE-2017-3589 Low 3.3 mysql-connector-java-5.0.8.jar Direct 5.1.21

Details

CVE-2017-3523

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xxh-f8r3-hvvr

Release Date: 2017-04-24

Fix Resolution: 5.1.21

CVE-2022-21363

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

Publish Date: 2022-01-19

URL: CVE-2022-21363

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g76j-4cxx-23h9

Release Date: 2022-01-19

Fix Resolution: mysql:mysql-connector-java:8.0.28

CVE-2017-3586

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.21

CVE-2020-2934

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: 5.1.49

CVE-2019-2692

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (4.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2020-08-24

Fix Resolution: 5.1.48

CVE-2015-2575

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

Publish Date: 2015-04-16

URL: CVE-2015-2575

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gc43-g62c-99g2

Release Date: 2015-04-16

Fix Resolution: 5.1.35

CVE-2017-3589

Vulnerable Library - mysql-connector-java-5.0.8.jar

MySQL java connector

Library home page: http://dev.mysql.com/usingmysql/java/

Path to vulnerable library: /sources/bpmn/deploy/lib/mysql-connector-java-5.0.8-bin.jar

Dependency Hierarchy:

  • mysql-connector-java-5.0.8.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.21

json-20090211.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - json-20090211.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.json.org/

Path to dependency file: /sources/android2/pom.xml

Path to vulnerable library: /son/json/20090211/json-20090211.jar,/son/json/20090211/json-20090211.jar,/son/json/20090211/json-20090211.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2017-3805 High 7.5 json-20090211.jar Direct 20180130

Details

WS-2017-3805

Vulnerable Library - json-20090211.jar

JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but uses conventions that are familiar to programmers of the C-family of languages, including C, C++, C#, Java, JavaScript, Perl, Python, and many others. These properties make JSON an ideal data-interchange language.

Library home page: http://www.json.org/

Path to dependency file: /sources/android2/pom.xml

Path to vulnerable library: /son/json/20090211/json-20090211.jar,/son/json/20090211/json-20090211.jar,/son/json/20090211/json-20090211.jar

Dependency Hierarchy:

  • json-20090211.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Affected versions of JSON In Java are vulnerable to Denial of Service (DoS) when trying to initialize a JSONArray object and the input is [. This will cause the jvm to crash with StackOverflowError due to non-cyclical stack overflow.

Publish Date: 2017-10-30

URL: WS-2017-3805

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-10-30

Fix Resolution: 20180130

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

commons-httpclient-3.1.jar: 1 vulnerabilities (highest severity is: 4.8)

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /ns-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2012-5783 Medium 4.8 commons-httpclient-3.1.jar Direct 20020423

Details

CVE-2012-5783

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /ns-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar

Dependency Hierarchy:

  • commons-httpclient-3.1.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783

Release Date: 2012-11-04

Fix Resolution: 20020423

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

got-11.8.2.tgz: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - got-11.8.2.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.8.2.tgz

Path to dependency file: /sources/node-typescript/package.json

Path to vulnerable library: /sources/node-typescript/node_modules/got/package.json

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-33987 Medium 5.3 got-11.8.2.tgz Direct 12.0.0-beta.1

Details

CVE-2022-33987

Vulnerable Library - got-11.8.2.tgz

Human-friendly and powerful HTTP request library for Node.js

Library home page: https://registry.npmjs.org/got/-/got-11.8.2.tgz

Path to dependency file: /sources/node-typescript/package.json

Path to vulnerable library: /sources/node-typescript/node_modules/got/package.json

Dependency Hierarchy:

  • got-11.8.2.tgz (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

The got package before 12.1.0 (also fixed in 11.8.5) for Node.js allows a redirect to a UNIX socket.

Publish Date: 2022-06-18

URL: CVE-2022-33987

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-33987

Release Date: 2022-06-18

Fix Resolution: 12.0.0-beta.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

newtonsoft.json.6.0.1.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - newtonsoft.json.6.0.1.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.6.0.1.nupkg

Path to dependency file: /tests/ott/csharp2/KalturaClient/KalturaClient.csproj

Path to vulnerable library: /onsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg,/home/wss-scanner/.nuget/packages/newtonsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg,/onsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg,/onsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2022-0161 High 7.5 newtonsoft.json.6.0.1.nupkg Direct Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

Details

WS-2022-0161

Vulnerable Library - newtonsoft.json.6.0.1.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.6.0.1.nupkg

Path to dependency file: /tests/ott/csharp2/KalturaClient/KalturaClient.csproj

Path to vulnerable library: /onsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg,/home/wss-scanner/.nuget/packages/newtonsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg,/onsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg,/onsoft.json/6.0.1/newtonsoft.json.6.0.1.nupkg

Dependency Hierarchy:

  • newtonsoft.json.6.0.1.nupkg (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial Of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5crp-9r3c-p9vr

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

log4j-core-2.11.1.jar: 5 vulnerabilities (highest severity is: 10.0)

Vulnerable Library - log4j-core-2.11.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /pache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-44228 High 10.0 log4j-core-2.11.1.jar Direct 2.12.2
CVE-2021-45046 High 9.0 log4j-core-2.11.1.jar Direct 2.12.2
CVE-2021-44832 Medium 6.6 log4j-core-2.11.1.jar Direct 2.12.4
CVE-2021-45105 Medium 5.9 log4j-core-2.11.1.jar Direct 2.12.3
CVE-2020-9488 Low 3.7 log4j-core-2.11.1.jar Direct 2.12.2

Details

CVE-2021-44228

Vulnerable Library - log4j-core-2.11.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /pache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar

Dependency Hierarchy:

  • log4j-core-2.11.1.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Publish Date: 2021-12-10

URL: CVE-2021-44228

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-10

Fix Resolution: 2.12.2

⛑️ Automatic Remediation is available for this issue

CVE-2021-45046

Vulnerable Library - log4j-core-2.11.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /pache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar

Dependency Hierarchy:

  • log4j-core-2.11.1.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allows attackers with control over Thread Context Map (MDC) input data when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC) to craft malicious input data using a JNDI Lookup pattern resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Publish Date: 2021-12-14

URL: CVE-2021-45046

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-14

Fix Resolution: 2.12.2

⛑️ Automatic Remediation is available for this issue

CVE-2021-44832

Vulnerable Library - log4j-core-2.11.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /pache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar

Dependency Hierarchy:

  • log4j-core-2.11.1.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Publish Date: 2021-12-28

URL: CVE-2021-44832

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-28

Fix Resolution: 2.12.4

⛑️ Automatic Remediation is available for this issue

CVE-2021-45105

Vulnerable Library - log4j-core-2.11.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /pache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar

Dependency Hierarchy:

  • log4j-core-2.11.1.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Publish Date: 2021-12-18

URL: CVE-2021-45105

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-18

Fix Resolution: 2.12.3

⛑️ Automatic Remediation is available for this issue

CVE-2020-9488

Vulnerable Library - log4j-core-2.11.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /pache/logging/log4j/log4j-core/2.11.1/log4j-core-2.11.1.jar

Dependency Hierarchy:

  • log4j-core-2.11.1.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: 2.12.2

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

gson-2.8.2.jar: 2 vulnerabilities (highest severity is: 7.7)

Vulnerable Library - gson-2.8.2.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /oogle/code/gson/gson/2.8.2/gson-2.8.2.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2021-0419 High 7.7 gson-2.8.2.jar Direct 2.8.9
CVE-2022-25647 High 7.5 gson-2.8.2.jar Direct 2.8.9

Details

WS-2021-0419

Vulnerable Library - gson-2.8.2.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /oogle/code/gson/gson/2.8.2/gson-2.8.2.jar

Dependency Hierarchy:

  • gson-2.8.2.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution: 2.8.9

⛑️ Automatic Remediation is available for this issue

CVE-2022-25647

Vulnerable Library - gson-2.8.2.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /oogle/code/gson/gson/2.8.2/gson-2.8.2.jar

Dependency Hierarchy:

  • gson-2.8.2.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 are vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647`

Release Date: 2022-05-01

Fix Resolution: 2.8.9

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

log4j-1.2.15.jar: 7 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2022-23305 High 9.8 log4j-1.2.15.jar Direct ch.qos.reload4j:reload4j:1.2.18.2
CVE-2019-17571 High 9.8 log4j-1.2.15.jar Direct log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
CVE-2020-9493 High 9.8 log4j-1.2.15.jar Direct ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23307 High 8.8 log4j-1.2.15.jar Direct ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23302 High 8.8 log4j-1.2.15.jar Direct ch.qos.reload4j:reload4j:1.2.18.1
CVE-2021-4104 High 7.5 log4j-1.2.15.jar Direct uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
CVE-2020-9488 Low 3.7 log4j-1.2.15.jar Direct ch.qos.reload4j:reload4j:1.2.18.3

Details

CVE-2022-23305

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

⛑️ Automatic Remediation is available for this issue

CVE-2019-17571

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

CVE-2020-9493

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-23307

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

⛑️ Automatic Remediation is available for this issue

CVE-2022-23302

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

⛑️ Automatic Remediation is available for this issue

CVE-2021-4104

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

CVE-2020-9488

Vulnerable Library - log4j-1.2.15.jar

Apache Log4j 1.2

Library home page: http://logging.apache.org:80/log4j/1.2/

Path to dependency file: /sources/java/pom.xml

Path to vulnerable library: /log4j/1.2.15/log4j-1.2.15.jar

Dependency Hierarchy:

  • log4j-1.2.15.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

jackson-databind-2.9.5.jar: 62 vulnerabilities (highest severity is: 10.0)

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2018-14721 High 10.0 jackson-databind-2.9.5.jar Direct 2.9.7
CVE-2019-14540 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.2
CVE-2019-17531 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.1
CVE-2018-14720 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.7
CVE-2019-16335 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10
CVE-2019-17267 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10
CVE-2018-11307 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.6
CVE-2019-16942 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.1
CVE-2020-8840 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.3
CVE-2019-16943 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.1
CVE-2018-19362 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.8
CVE-2018-19361 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.8
CVE-2018-19360 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.8
CVE-2019-10202 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.9
CVE-2019-14893 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10
CVE-2019-14892 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10
CVE-2020-9546 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-9547 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2019-14379 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.9.2
CVE-2020-9548 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2019-20330 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.10.2
CVE-2018-14719 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.7
CVE-2018-14718 High 9.8 jackson-databind-2.9.5.jar Direct 2.9.7
CVE-2020-10968 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-10969 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-11111 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-11113 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-11112 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-10672 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-10673 High 8.8 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-11619 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-35728 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36189 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36188 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-11620 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-10650 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.4
CVE-2020-36181 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36180 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36183 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-35490 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-36182 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36185 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-35491 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-36184 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36187 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-36186 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2021-20190 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.7
CVE-2020-36179 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.8
CVE-2020-24616 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-14060 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-14061 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-14062 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-24750 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2020-14195 High 8.1 jackson-databind-2.9.5.jar Direct 2.9.10.5
CVE-2019-12086 High 7.5 jackson-databind-2.9.5.jar Direct 2.9.9
CVE-2020-25649 High 7.5 jackson-databind-2.9.5.jar Direct 2.9.10.7
CVE-2018-12022 High 7.5 jackson-databind-2.9.5.jar Direct 2.9.6
CVE-2018-12023 High 7.5 jackson-databind-2.9.5.jar Direct 2.9.6
CVE-2019-14439 High 7.5 jackson-databind-2.9.5.jar Direct 2.9.9.2
CVE-2020-36518 High 7.5 jackson-databind-2.9.5.jar Direct 2.12.6.1
CVE-2019-12814 Medium 5.9 jackson-databind-2.9.5.jar Direct 2.9.9.1
CVE-2019-12384 Medium 5.9 jackson-databind-2.9.5.jar Direct 2.9.9.1

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2018-14721

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

⛑️ Automatic Remediation is available for this issue

CVE-2019-14540

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: 2.9.10.2

⛑️ Automatic Remediation is available for this issue

CVE-2019-17531

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.9.10.1

⛑️ Automatic Remediation is available for this issue

CVE-2018-14720

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

⛑️ Automatic Remediation is available for this issue

CVE-2019-16335

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution: 2.9.10

⛑️ Automatic Remediation is available for this issue

CVE-2019-17267

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution: 2.9.10

⛑️ Automatic Remediation is available for this issue

CVE-2018-11307

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-09

Fix Resolution: 2.9.6

⛑️ Automatic Remediation is available for this issue

CVE-2019-16942

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: 2.9.10.1

⛑️ Automatic Remediation is available for this issue

CVE-2020-8840

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution: 2.9.10.3

⛑️ Automatic Remediation is available for this issue

CVE-2019-16943

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution: 2.9.10.1

⛑️ Automatic Remediation is available for this issue

CVE-2018-19362

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

⛑️ Automatic Remediation is available for this issue

CVE-2018-19361

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

⛑️ Automatic Remediation is available for this issue

CVE-2018-19360

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

⛑️ Automatic Remediation is available for this issue

CVE-2019-10202

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://access.redhat.com/errata/RHSA-2019:2938

Release Date: 2019-10-01

Fix Resolution: 2.9.9

⛑️ Automatic Remediation is available for this issue

CVE-2019-14893

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution: 2.9.10

⛑️ Automatic Remediation is available for this issue

CVE-2019-14892

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14892

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-09-04

Fix Resolution: 2.9.10

⛑️ Automatic Remediation is available for this issue

CVE-2020-9546

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: 2.9.10.4

⛑️ Automatic Remediation is available for this issue

CVE-2020-9547

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Release Date: 2020-03-02

Fix Resolution: 2.9.10.4

⛑️ Automatic Remediation is available for this issue

CVE-2019-14379

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

⛑️ Automatic Remediation is available for this issue

CVE-2020-9548

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to br.com.anteros.dbcp.AnterosDBCPConfig (aka anteros-core).

Publish Date: 2020-03-02

URL: CVE-2020-9548

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9548

Release Date: 2020-03-02

Fix Resolution: 2.9.10.4

⛑️ Automatic Remediation is available for this issue

CVE-2019-20330

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.2 lacks certain net.sf.ehcache blocking.

Publish Date: 2020-01-03

URL: CVE-2019-20330

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-03

Fix Resolution: 2.9.10.2

⛑️ Automatic Remediation is available for this issue

CVE-2018-14719

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /tests/ott/java2/pom.xml

Path to vulnerable library: /asterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jackson-databind-2.9.5.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

newtonsoft.json.11.0.2.nupkg: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - newtonsoft.json.11.0.2.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.11.0.2.nupkg

Path to dependency file: /KalturaClient/KalturaClient.csproj

Path to vulnerable library: /onsoft.json/11.0.2/newtonsoft.json.11.0.2.nupkg,/home/wss-scanner/.nuget/packages/newtonsoft.json/11.0.2/newtonsoft.json.11.0.2.nupkg

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
WS-2022-0161 High 7.5 newtonsoft.json.11.0.2.nupkg Direct Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

Details

WS-2022-0161

Vulnerable Library - newtonsoft.json.11.0.2.nupkg

Json.NET is a popular high-performance JSON framework for .NET

Library home page: https://api.nuget.org/packages/newtonsoft.json.11.0.2.nupkg

Path to dependency file: /KalturaClient/KalturaClient.csproj

Path to vulnerable library: /onsoft.json/11.0.2/newtonsoft.json.11.0.2.nupkg,/home/wss-scanner/.nuget/packages/newtonsoft.json/11.0.2/newtonsoft.json.11.0.2.nupkg

Dependency Hierarchy:

  • newtonsoft.json.11.0.2.nupkg (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Improper Handling of Exceptional Conditions in Newtonsoft.Json.
Newtonsoft.Json prior to version 13.0.1 is vulnerable to Insecure Defaults due to improper handling of StackOverFlow exception (SOE) whenever nested expressions are being processed. Exploiting this vulnerability results in Denial Of Service (DoS), and it is exploitable when an attacker sends 5 requests that cause SOE in time frame of 5 minutes. This vulnerability affects Internet Information Services (IIS) Applications.

Publish Date: 2022-06-22

URL: WS-2022-0161

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-5crp-9r3c-p9vr

Release Date: 2022-06-22

Fix Resolution: Newtonsoft.Json - 13.0.1;Microsoft.Extensions.ApiDescription.Server - 6.0.0

core-6.1.0.tgz: 1 vulnerabilities (highest severity is: 5.4)

Vulnerable Library - core-6.1.0.tgz

Angular - the core framework

Library home page: https://registry.npmjs.org/@angular/core/-/core-6.1.0.tgz

Path to dependency file: /sources/ngx/package.json

Path to vulnerable library: /sources/ngx/node_modules/@angular/core/package.json

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-4231 Medium 5.4 core-6.1.0.tgz Direct 10.2.5

Details

CVE-2021-4231

Vulnerable Library - core-6.1.0.tgz

Angular - the core framework

Library home page: https://registry.npmjs.org/@angular/core/-/core-6.1.0.tgz

Path to dependency file: /sources/ngx/package.json

Path to vulnerable library: /sources/ngx/node_modules/@angular/core/package.json

Dependency Hierarchy:

  • core-6.1.0.tgz (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

A vulnerability was found in Angular up to 11.0.4/11.1.0-next.2. It has been classified as problematic. Affected is the handling of comments. The manipulation leads to cross site scripting. It is possible to launch the attack remotely but it might require an authentication first. Upgrading to version 11.0.5 and 11.1.0-next.3 is able to address this issue. The name of the patch is ba8da742e3b243e8f43d4c63aa842b44e14f2b09. It is recommended to upgrade the affected component.

Publish Date: 2022-05-26

URL: CVE-2021-4231

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-05-26

Fix Resolution: 10.2.5

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

utils-0.3.1.tgz: 1 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - utils-0.3.1.tgz

Path to dependency file: /sources/node/package.json

Path to vulnerable library: /sources/node/node_modules/striptags/package.json

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2021-32696 Medium 5.3 striptags-2.2.1.tgz Transitive N/A

Details

CVE-2021-32696

Vulnerable Library - striptags-2.2.1.tgz

PHP strip_tags in Node.js

Library home page: https://registry.npmjs.org/striptags/-/striptags-2.2.1.tgz

Path to dependency file: /sources/node/package.json

Path to vulnerable library: /sources/node/node_modules/striptags/package.json

Dependency Hierarchy:

  • utils-0.3.1.tgz (Root Library)
    • striptags-2.2.1.tgz (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

The npm package "striptags" is an implementation of PHP's strip_tags in Typescript. In striptags before version 3.2.0, a type-confusion vulnerability can cause striptags to concatenate unsanitized strings when an array-like object is passed in as the html parameter. This can be abused by an attacker who can control the shape of their input, e.g. if query parameters are passed directly into the function. This can lead to a XSS.

Publish Date: 2021-06-18

URL: CVE-2021-32696

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-qxg5-2qff-p49r

Release Date: 2021-06-18

Fix Resolution: striptags - 3.2.0

jquery-1.3.1.min.js: 4 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.1/jquery.min.js

Path to dependency file: /sources/testmeDoc/index.html

Path to vulnerable library: /sources/testmeDoc/../testme/js/jquery-1.3.1.min.js

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2015-9251 Medium 6.1 jquery-1.3.1.min.js Direct jQuery - v3.0.0
CVE-2020-7656 Medium 6.1 jquery-1.3.1.min.js Direct jquery - 1.9.0
CVE-2012-6708 Medium 6.1 jquery-1.3.1.min.js Direct jQuery - v1.9.0
CVE-2011-4969 Low 3.7 jquery-1.3.1.min.js Direct 1.6.3

Details

CVE-2015-9251

Vulnerable Library - jquery-1.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.1/jquery.min.js

Path to dependency file: /sources/testmeDoc/index.html

Path to vulnerable library: /sources/testmeDoc/../testme/js/jquery-1.3.1.min.js

Dependency Hierarchy:

  • jquery-1.3.1.min.js (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

CVE-2020-7656

Vulnerable Library - jquery-1.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.1/jquery.min.js

Path to dependency file: /sources/testmeDoc/index.html

Path to vulnerable library: /sources/testmeDoc/../testme/js/jquery-1.3.1.min.js

Dependency Hierarchy:

  • jquery-1.3.1.min.js (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2012-6708

Vulnerable Library - jquery-1.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.1/jquery.min.js

Path to dependency file: /sources/testmeDoc/index.html

Path to vulnerable library: /sources/testmeDoc/../testme/js/jquery-1.3.1.min.js

Dependency Hierarchy:

  • jquery-1.3.1.min.js (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

CVE-2011-4969

Vulnerable Library - jquery-1.3.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.3.1/jquery.min.js

Path to dependency file: /sources/testmeDoc/index.html

Path to vulnerable library: /sources/testmeDoc/../testme/js/jquery-1.3.1.min.js

Dependency Hierarchy:

  • jquery-1.3.1.min.js (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery before 1.6.3, when using location.hash to select elements, allows remote attackers to inject arbitrary web script or HTML via a crafted tag.

Publish Date: 2013-03-08

URL: CVE-2011-4969

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-4969

Release Date: 2013-03-08

Fix Resolution: 1.6.3

junit-4.7.jar: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - junit-4.7.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /sources/android2/pom.xml

Path to vulnerable library: /junit/4.7/junit-4.7.jar,/junit/4.7/junit-4.7.jar

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in Remediation Available
CVE-2020-15250 Medium 5.5 junit-4.7.jar Direct 4.13.1

Details

CVE-2020-15250

Vulnerable Library - junit-4.7.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /sources/android2/pom.xml

Path to vulnerable library: /junit/4.7/junit-4.7.jar,/junit/4.7/junit-4.7.jar

Dependency Hierarchy:

  • junit-4.7.jar (Vulnerable Library)

Found in HEAD commit: f920dec611e0ce3c836c6c64545af2e438d50ce0

Found in base branch: Rigel-18.13.0

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

⛑️ Automatic Remediation is available for this issue

⛑️ Automatic Remediation is available for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.