katerinaorg / ksa-multimodule Goto Github PK

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2017-5638

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Publish Date: 2017-03-11

URL: CVE-2017-5638

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2017-03-11

Fix Resolution: 2.3.32

⛑️ Automatic Remediation is available for this issue

CVE-2017-12611

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Publish Date: 2017-09-20

URL: CVE-2017-12611

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-053

Release Date: 2017-09-20

Fix Resolution: 2.3.34

⛑️ Automatic Remediation is available for this issue

CVE-2021-31805

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Publish Date: 2022-04-12

URL: CVE-2021-31805

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-062

Release Date: 2022-04-12

Fix Resolution: org.apache.struts:struts2-core:2.5.30

⛑️ Automatic Remediation is available for this issue

CVE-2020-17530

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Publish Date: 2020-12-11

URL: CVE-2020-17530

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-061

Release Date: 2020-12-11

Fix Resolution: 2.5.26

⛑️ Automatic Remediation is available for this issue

CVE-2019-0230

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Publish Date: 2020-09-14

URL: CVE-2019-0230

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-059

Release Date: 2020-09-14

Fix Resolution: 2.5.22

⛑️ Automatic Remediation is available for this issue

CVE-2018-11776

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

Publish Date: 2018-08-22

URL: CVE-2018-11776

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776

Release Date: 2018-08-22

Fix Resolution: 2.3.35

⛑️ Automatic Remediation is available for this issue

CVE-2017-9787

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Publish Date: 2017-07-13

URL: CVE-2017-9787

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2017-07-13

Fix Resolution: 2.3.33

⛑️ Automatic Remediation is available for this issue

CVE-2017-9804

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

Publish Date: 2017-09-20

URL: CVE-2017-9804

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2017-09-20

Fix Resolution: 2.3.34

⛑️ Automatic Remediation is available for this issue

CVE-2019-0233

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/struts2-core-2.3.31.jar

Dependency Hierarchy:

• ❌ struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

Publish Date: 2020-09-14

URL: CVE-2019-0233

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-060

Release Date: 2020-09-14

Fix Resolution: 2.5.22

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2017-3523

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Release Date: 2017-04-24

Fix Resolution: 5.1.21

⛑️ Automatic Remediation is available for this issue

CVE-2017-3586

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.21

⛑️ Automatic Remediation is available for this issue

CVE-2019-2692

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2020-08-24

Fix Resolution: 5.1.48

⛑️ Automatic Remediation is available for this issue

CVE-2020-2934

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation is available for this issue

CVE-2020-2875

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation is available for this issue

CVE-2017-3589

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.21

⛑️ Automatic Remediation is available for this issue

CVE-2020-2933

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - mybatis-3.1.1.jar

The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/core/

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /itory/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2020-26945

Vulnerable Library - mybatis-3.1.1.jar

The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/core/

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /itory/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar

Dependency Hierarchy:

• ❌ mybatis-3.1.1.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.

Publish Date: 2020-10-10

URL: CVE-2020-26945

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-26

Fix Resolution: 3.5.6

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - junit-4.8.2.jar

JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/junit/junit/4.8.2/junit-4.8.2.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2020-15250

Vulnerable Library - junit-4.8.2.jar

JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /ksa-debug/pom.xml

Path to vulnerable library: /itory/junit/junit/4.8.2/junit-4.8.2.jar

Dependency Hierarchy:

• ❌ junit-4.8.2.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2020-11023

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2015-9251

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - v3.0.0

CVE-2019-11358

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

CVE-2020-7656

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-28

Fix Resolution: jquery - 1.9.0

CVE-2012-6708

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /-1.7.2.min.js

Dependency Hierarchy:

• ❌ jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192425/shiro-web-1.2.0.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2020-17510

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192425/shiro-web-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-11-05

URL: CVE-2020-17510

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E

Release Date: 2020-11-05

Fix Resolution: 1.7.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-1957

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192425/shiro-web-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-03-25

URL: CVE-2020-1957

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://shiro.apache.org/news.html

Release Date: 2020-03-25

Fix Resolution: 1.5.2

⛑️ Automatic Remediation is available for this issue

CVE-2020-11989

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192425/shiro-web-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-06-22

URL: CVE-2020-11989

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/SHIRO-753

Release Date: 2020-06-22

Fix Resolution: 1.5.3

⛑️ Automatic Remediation is available for this issue

CVE-2016-6802

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192425/shiro-web-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

Publish Date: 2016-09-20

URL: CVE-2016-6802

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6802

Release Date: 2016-09-20

Fix Resolution: 1.3.2

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /bootstrap.js

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2019-8331

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /bootstrap.js

Dependency Hierarchy:

• ❌ bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2018-14040

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /bootstrap.js

Dependency Hierarchy:

• ❌ bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2018-14042

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /bootstrap.js

Dependency Hierarchy:

• ❌ bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

CVE-2018-20676

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /bootstrap.js

Dependency Hierarchy:

• ❌ bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

CVE-2016-10735

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /bootstrap.js

Dependency Hierarchy:

• ❌ bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-service-root/ksa-security-service/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/shiro-core-1.2.0.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2021-41303

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-service-root/ksa-security-service/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/shiro-core-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Publish Date: 2021-09-17

URL: CVE-2021-41303

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-f6jp-j6w3-w9hm

Release Date: 2021-09-17

Fix Resolution: 1.8.0

⛑️ Automatic Remediation is available for this issue

CVE-2020-13933

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-service-root/ksa-security-service/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/shiro-core-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-08-17

URL: CVE-2020-13933

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-13933

Release Date: 2020-08-17

Fix Resolution: 1.6.0

⛑️ Automatic Remediation is available for this issue

CVE-2014-0074

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-service-root/ksa-security-service/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/shiro-core-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Publish Date: 2014-10-06

URL: CVE-2014-0074

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0074

Release Date: 2014-10-06

Fix Resolution: 1.2.3

⛑️ Automatic Remediation is available for this issue

CVE-2016-4437

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-service-root/ksa-security-service/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/shiro-core-1.2.0.jar

Dependency Hierarchy:

• ❌ shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Publish Date: 2016-06-07

URL: CVE-2016-4437

CVSS 3 Score Details (5.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437

Release Date: 2016-06-07

Fix Resolution: 1.2.5

⛑️ Automatic Remediation is available for this issue

Vulnerable Library - poi-3.8.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/poi-3.8.jar

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

CVE-2017-12626

Vulnerable Library - poi-3.8.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/poi-3.8.jar

Dependency Hierarchy:

• ❌ poi-3.8.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Publish Date: 2018-01-29

URL: CVE-2017-12626

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b@%3Cdev.poi.apache.org%3E

Release Date: 2018-01-29

Fix Resolution: 3.17-beta1

⛑️ Automatic Remediation is available for this issue

WS-2016-7061

Vulnerable Library - poi-3.8.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /NZFHA/downloadResource_WWVQKI/20220622192424/poi-3.8.jar

Dependency Hierarchy:

• ❌ poi-3.8.jar (Vulnerable Library)

Found in HEAD commit: 6ff98937d8108e10b02d7d74ad01cac70cd3d78e

Found in base branch: master

Vulnerability Details

Apache POI before 3.16-beta1 is vulnerable to bufferoverflow attack due to lack of length sanity check for length of embedded OLE10Native.

Publish Date: 2016-10-14

URL: WS-2016-7061

CVSS 3 Score Details (4.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2016-10-14

Fix Resolution: 3.16-beta1

⛑️ Automatic Remediation is available for this issue