
katerinaorg / securityshepherd


This project forked from dima2021/securityshepherd

Repository size: 184.88 MB

Web and mobile application security training platform

Home Page: https://owasp.org/www-project-security-shepherd/

License: GNU General Public License v3.0

Languages: C 0.01%, C++ 0.01%, HTML 0.31%, CSS 0.44%, Java 98.26%, JavaScript 0.62%, Shell 0.25%, Dockerfile 0.10%, AIDL 0.04%

securityshepherd's Introduction

OWASP Security Shepherd OWASP Flagship

The OWASP Security Shepherd Project is a web and mobile application security training platform. Security Shepherd has been designed to foster and improve security awareness among a varied skill-set demographic. The aim of this project is to take AppSec novices or experienced engineers and sharpen their penetration testing skill set to security expert status.


Where can I download Security Shepherd?

Virtual Machine or Manual Setup

You can download Security Shepherd VMs or Manual Installation Packs from GitHub.

Docker (Ubuntu Linux Host)

Initial Setup

# Install pre-reqs. On Ubuntu the Docker engine package is docker.io;
# the package simply named "docker" is not the container engine.
sudo apt install git maven docker.io docker-compose default-jdk

# Clone the github repository
git clone https://github.com/OWASP/SecurityShepherd.git

# Change directory into the local copy of the repository
cd SecurityShepherd

# Add the current user to the docker group so docker need not be run with sudo.
# The change only takes effect at the next login (or after `newgrp docker`),
# and membership of the docker group is equivalent to root on the host.
sudo gpasswd -a $USER docker

# Run maven to generate the WAR and the HTTPS cert
mvn -Pdocker clean install -DskipTests

# Build the docker images and the docker network, then bring up the environment
docker-compose up

Open a web browser and enter the Security Shepherd address in the address bar.

To log in, use the following credentials (you will be prompted to change the password after the first login):

  • username: admin
  • password: password

Security Shepherd is a deliberately vulnerable application: run it on an isolated host or network and never expose the instance to the public internet.

Note: Environment variables can be configured in the dotenv .env file in the root directory.

Full Guide

Docker-Environment-Setup

How do I setup Security Shepherd?

We've got fully automated and step-by-step walkthroughs on our wiki page to help you get Security Shepherd up and running.

What can Security Shepherd be used for?

Security Shepherd can be used as a:

  • Teaching Tool for All Application Security
  • Web Application Pen Testing Training Platform
  • Mobile Application Pen Testing Training
  • Safe Playground to Practise AppSec Techniques
  • Platform to demonstrate real Security Risk examples

Why choose Security Shepherd?

There are a lot of purposefully vulnerable applications available in the OWASP Project Inventory, and even more across the internet. Why should you use Security Shepherd? Here are a few reasons:

  • Wide Topic Coverage
    Shepherd includes over sixty levels across the entire spectrum of Web and Mobile application security under a single project.
  • Gentle Learning Curve
    Shepherd is perfect for users completely new to security: the levels increase in difficulty at a pleasant pace.
  • Layman Write Ups
    When each security concept is first presented in Shepherd, it is done so in layman terms so that anyone (even beginners) can absorb them.
  • Real World Examples
    The security risks in Shepherd are real vulnerabilities that have had their exploit impact dampened to protect the application, users, and environment. There are no simulated security risks which require an expected, specific attack vector in order to pass a level. Attack vectors when used on Shepherd are how they would behave in the real world.
  • Scalability
    Shepherd can be used locally by a single user or just as easily as a server for a large number of users.
  • Highly Customisable
    Shepherd enables admins to set which levels are available to their users and in what way they are presented (Open, CTF and Tournament layouts).
  • Perfect for Classrooms
    Shepherd gives its players user-specific solution keys, so students cannot simply share keys rather than going through the steps required to complete a level.
  • Scoreboard
    Security Shepherd has a configurable scoreboard to encourage a competitive learning environment. Users that complete levels first, second and third get medals on their scoreboard entry and bonus points to keep things entertaining on the scoreboard.
  • User Management
    Security Shepherd admins can create users, create admins, suspend, unsuspend, add bonus points, or take penalty points away from users' accounts with the admin user management controls. Admins can also segment their students into specific class groups and view the progress a class has made to identify struggling participants. An admin can even close public registration and create users manually for a private experience.
  • Robust Service
    Shepherd has been used to run online CTFs such as the OWASP Global CTF and OWASP LATAM Tour CTF 2015, both surpassing 200 active users and running with no down time, bar planned maintenance periods.
  • Configurable Feedback
    An administrator can enable a feedback process, which must be completed by users before a level is marked as complete. This is used both to facilitate project improvements based on feedback submitted and for system administrators to collect "Reports of Understanding" from their students.
  • Granular Logging
    The logs reported by Security Shepherd are highly detailed and descriptive, but not screen blinding. If a user is misbehaving, you will know.

securityshepherd's People

Contributors

abhinav-k, aidanknowles, andrew-stubbs, andrrac, anksp21, brucemacd, caligin, cwavesoftware, dependabot[bot], dima2021, etnoy, francescacoo, gbena, ismisepaul, jcfl-dev, katerinaozerova, leishao2, markdenihan, mend-for-github-com[bot], natalilopez, pchaigno, prateepb, rob-conan, ryanjames85, samuel-bf, seanduggan, securityinfos, smohtadi, tejen, thomaspreece

securityshepherd's Issues

CVE-2020-15250 (Medium) detected in junit-4.10.jar - autoclosed

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Dependency Hierarchy:

  • json-simple-1.1.1.jar (Root Library)
    • junit-4.10.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, the fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, setting the java.io.tmpdir system property to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: junit:junit:4.13.1
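The advisory text above describes a permissions problem rather than anything specific to JUnit: a directory created under the shared system temp directory inherits the process umask, so with the usual 022 it ends up world-readable, while the fix creates it with owner-only (0700) permissions, which is what Java's Files.createTempDirectory does on POSIX. The Python script below is an added example, not JUnit or Security Shepherd code; it reproduces both patterns with the standard library so the difference can be observed on any Unix-like host. The directory names and the sample file contents are constructed.

```python
"""Shared-/tmp information disclosure, the pattern behind CVE-2020-15250,
reproduced with the Python standard library (constructed example)."""
import os
import shutil
import stat
import tempfile


def _mode(path):
    """Permission bits of path (e.g. 0o755) without the file-type bits."""
    return stat.S_IMODE(os.stat(path).st_mode)


def make_tmpdir_vulnerable(umask=0o022):
    """Mimic a naive temporary-folder helper: mkdir under the shared system
    temp directory with whatever the process umask allows. With the common
    default umask 0o022 the directory ends up 0o755, so every local user can
    list it and read any world-readable file inside it.
    Returns (path, permission bits); the caller removes the directory."""
    base = tempfile.gettempdir()
    # Constructed name; a real helper would pick something similar.
    path = os.path.join(base, "junit-like-%d-%s" % (os.getpid(), os.urandom(4).hex()))
    old = os.umask(umask)
    try:
        os.mkdir(path)  # requested mode 0o777, masked by the umask
    finally:
        os.umask(old)
    return path, _mode(path)


def make_tmpdir_hardened():
    """The fix: create the directory with owner-only permissions (0o700)
    regardless of umask. tempfile.mkdtemp does this, as does Java's
    Files.createTempDirectory used by TemporaryFolder in JUnit 4.13.1.
    Returns (path, permission bits)."""
    path = tempfile.mkdtemp(prefix="junit-like-")
    return path, _mode(path)


def write_secret(dirpath, name, data):
    """Write a file under the directory and return its mode. Inside a 0o700
    directory the file's own mode no longer matters to other users, because
    they cannot traverse the directory at all."""
    p = os.path.join(dirpath, name)
    with open(p, "wb") as fh:
        fh.write(data)
    return _mode(p)


def demo():
    """Create both kinds of directory, record their modes and clean up."""
    vpath, vmode = make_tmpdir_vulnerable()
    hpath, hmode = make_tmpdir_hardened()
    try:
        # Constructed sample secret, the kind of thing a test might drop in /tmp.
        write_secret(vpath, "api_key.txt", b"constructed-sample-key")
        write_secret(hpath, "api_key.txt", b"constructed-sample-key")
        return {
            "vulnerable_mode": vmode,
            "hardened_mode": hmode,
            "vulnerable_dir_world_readable": bool(vmode & stat.S_IROTH),
            "hardened_dir_world_readable": bool(hmode & stat.S_IROTH),
        }
    finally:
        shutil.rmtree(vpath, ignore_errors=True)
        shutil.rmtree(hpath, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

The same check applies to any build agent that runs tests as a shared user: `ls -ld /tmp/junit*` on such a host shows immediately whether old test runs left world-readable directories behind.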

fongo-2.0.6.jar: 68 vulnerabilities (highest severity is: 10.0)

Vulnerable Library - fongo-2.0.6.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE | Severity | CVSS | Dependency | Type | Fixed in (fongo version) | Remediation Possible** | Reachability
--- | --- | --- | --- | --- | --- | --- | ---
CVE-2018-14721 | Critical | 10.0 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-14540 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-17531 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2017-15095 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2017-7525 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-14720 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-16335 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-17267 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-11307 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-8840 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-16942 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-16943 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-19362 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-19361 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-19360 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-10202 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-14893 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-14892 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-9546 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-9547 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-14379 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2017-17485 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-9548 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-20330 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-14719 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-14718 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-7489 | Critical | 9.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-10968 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-10969 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-11111 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-11113 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-11112 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-10672 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-10673 | High | 8.8 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-11619 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36189 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36188 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-11620 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-10650 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36181 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36180 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36183 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36182 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-5968 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36185 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36184 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36187 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36186 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2021-20190 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36179 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-24616 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-14060 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-14061 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-14062 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-24750 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-14195 | High | 8.1 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-12086 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-25649 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-12022 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2018-12023 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-14439 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2022-42004 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2022-42003 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-12814 | Medium | 5.9 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
CVE-2019-12384 | Medium | 5.9 | jackson-databind-2.2.2.jar | Transitive | N/A* | |
WS-2018-0125 | Medium | 5.3 | jackson-core-2.2.2.jar | Transitive | N/A* | |
WS-2018-0124 | Medium | 5.3 | jackson-core-2.2.2.jar | Transitive | N/A* | |

*For some transitive vulnerabilities there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.

**In some cases a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.

Details

Partial details (22 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.

CVE-2018-14721

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.7,2.8.11.3,2.7.9.5,2.6.7.3

CVE-2019-14540

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1

CVE-2019-17531

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution: 2.10
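Most entries in this issue share one mechanism, spelled out in the CVE-2019-17531 text above: with Default Typing enabled, the JSON document itself names the Java class to instantiate, so any class on the classpath whose constructor or setters do something privileged (a JNDI or RMI lookup, opening a data source) becomes reachable from untrusted input, and each further CVE is one more such class added to a blocklist. The Python script below is an added illustration of that mechanism and of its fix; it is not Jackson or Security Shepherd code. The `["type", {...}]` wire shape, the model classes and the RemoteConfigLoader stand-in gadget are all constructed, and the "lookup" is only recorded rather than performed. The hardened variant mirrors the approach jackson-databind 2.10 introduced with PolymorphicTypeValidator: an explicit allow-list of permitted subtypes instead of a blocklist of known gadgets.

```python
"""Python analogue of Jackson 'Default Typing': the document names the class to
build. Constructed example, not Jackson code; the wire shape, the model classes
and the gadget are made up for illustration."""
import importlib
import json


# --- application model: the only types a deserializer should ever produce ---
class Shape:
    pass


class Point(Shape):
    def __init__(self, x, y):
        self.x, self.y = x, y


class Circle(Shape):
    def __init__(self, r):
        self.r = r


# --- stand-in gadget: a class that is importable for unrelated reasons and whose
# constructor performs a privileged action. The real gadgets in this issue do
# JNDI/RMI lookups or open data-source connections; here the lookup is only
# recorded so the example stays offline. ---
LOOKUPS = []


class RemoteConfigLoader:
    def __init__(self, url):
        LOOKUPS.append(url)          # a real gadget would connect to `url` here
        self.performed_lookup = True


def _load_class(dotted_name):
    """Resolve 'pkg.module.Class' through the import system. This is the
    capability default typing hands to whoever controls the document."""
    module_name, _, class_name = dotted_name.rpartition(".")
    return getattr(importlib.import_module(module_name), class_name)


def deserialize_default_typing(payload):
    """Vulnerable: trusts the type name carried in the document, so every
    importable class with a matching constructor is reachable from input."""
    type_name, fields = json.loads(payload)
    return _load_class(type_name)(**fields)


# Allow-list keyed by short alias: the document cannot even spell a module path.
ALLOWED_TYPES = {"Point": Point, "Circle": Circle}


def deserialize_allowlisted(payload, base=Shape):
    """Hardened: only explicitly registered subtypes of `base` are built, and
    the check happens before any constructor runs."""
    type_name, fields = json.loads(payload)
    cls = ALLOWED_TYPES.get(type_name)
    if cls is None or not issubclass(cls, base):
        raise ValueError("type not permitted: %r" % type_name)
    return cls(**fields)


def demo_gadget():
    """An attacker-shaped document aimed at the vulnerable path. The gadget
    lives in this module, so __name__ is its importable location."""
    payload = json.dumps([__name__ + ".RemoteConfigLoader",
                          {"url": "ldap://attacker.example/x"}])  # constructed URL
    return deserialize_default_typing(payload)


if __name__ == "__main__":
    obj = demo_gadget()
    print(type(obj).__name__, LOOKUPS)
    print(vars(deserialize_allowlisted('["Point", {"x": 1, "y": 2}]')))
    try:
        deserialize_allowlisted('["RemoteConfigLoader", {"url": "x"}]')
    except ValueError as err:
        print("rejected:", err)
```

The allow-list is the durable fix; a blocklist is what the long run of jackson-databind CVEs in the table above documents, one newly discovered gadget class at a time.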

CVE-2017-15095

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2018-02-06

Fix Resolution: 2.8.10,2.9.1

CVE-2017-7525

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

Publish Date: 2018-02-06

URL: CVE-2017-7525

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525

Release Date: 2018-02-06

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.1,2.7.9.1,2.8.9

CVE-2018-14720

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7

CVE-2019-16335

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution: 2.9.10

CVE-2019-17267

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10

CVE-2018-11307

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-09

Fix Resolution: jackson-databind-2.9.6

CVE-2020-8840

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.3

CVE-2019-16942

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1

CVE-2019-16943

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1

CVE-2018-19362

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

CVE-2018-19361

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

CVE-2018-19360

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.7.9.5,2.8.11.3,2.9.8,2.10.0.pr1

CVE-2019-10202

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0

CVE-2019-14893

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A flaw was discovered in FasterXML jackson-databind in all versions before 2.9.10 and 2.10.0, where it would permit polymorphic deserialization of malicious objects using the xalan JNDI gadget when used in conjunction with polymorphic type handling methods such as enableDefaultTyping() or when @JsonTypeInfo is using Id.CLASS or Id.MINIMAL_CLASS or in any other way which ObjectMapper.readValue might instantiate objects from unsafe sources. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14893

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14893

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.0

CVE-2019-14892

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A flaw was discovered in jackson-databind in versions before 2.9.10, 2.8.11.5 and 2.6.7.3, where it would permit polymorphic deserialization of a malicious object using commons-configuration 1 and 2 JNDI classes. An attacker could use this flaw to execute arbitrary code.

Publish Date: 2020-03-02

URL: CVE-2019-14892

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10

CVE-2020-9546

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.hadoop.shaded.com.zaxxer.hikari.HikariConfig (aka shaded hikari-config).

Publish Date: 2020-03-02

URL: CVE-2020-9546

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9546

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2020-9547

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to com.ibatis.sqlmap.engine.transaction.jta.JtaTransactionConfig (aka ibatis-sqlmap).

Publish Date: 2020-03-02

URL: CVE-2020-9547

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9547

Release Date: 2020-03-02

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.10.3

CVE-2019-14379

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.

Publish Date: 2019-07-29

URL: CVE-2019-14379

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379

Release Date: 2019-07-29

Fix Resolution: 2.9.9.2

CVE-2017-17485

Vulnerable Library - jackson-databind-2.2.2.jar

General data-binding functionality for Jackson: works on core streaming API

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.2.2/jackson-databind-2.2.2.jar

Dependency Hierarchy:

  • fongo-2.0.6.jar (Root Library)
    • geojson-jackson-1.2.jar
      • jackson-databind-2.2.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485

Release Date: 2018-01-10

Fix Resolution: 2.9.4
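
The jackson-databind entries above all describe one mechanism: when default typing is enabled (or @JsonTypeInfo uses Id.CLASS or Id.MINIMAL_CLASS), the class name carried inside the JSON decides which class Jackson instantiates, and each CVE is one more class on the classpath whose constructor or setter does something dangerous when fed attacker-controlled fields. Two things a practitioner wants to confirm before closing these reports: which jackson-databind actually ends up on the classpath once the transitive fongo -> geojson-jackson -> jackson-databind 2.2.2 chain shown in the Dependency Hierarchy is overridden, and whether any code path still turns on default typing without an allow-list. The block below is an added example, not code from SecurityShepherd or from the scanner report. It assumes jackson-databind 2.10 or newer on the classpath (the release line where PolymorphicTypeValidator was introduced and where the Fix Resolution lines above converge); the package demo and the classes Shape, Circle and Canary are invented stand-ins, and Canary only counts setter calls where the real gadgets named in the CVEs perform JNDI lookups or open JDBC connections.

```java
// Added example: not part of the SecurityShepherd project or of the scanner report above.
// Assumes jackson-databind 2.10 or newer on the classpath; package "demo" and the nested
// classes Shape, Circle and Canary are invented for this demonstration.
package demo;

import com.fasterxml.jackson.core.Version;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.cfg.PackageVersion;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public final class JacksonTypingDemo {

    /** The polymorphic hierarchy the application legitimately wants to read from JSON. */
    public interface Shape { double area(); }

    public static final class Circle implements Shape {
        public double radius;
        @Override public double area() { return Math.PI * radius * radius; }
    }

    /**
     * Stand-in for a "gadget": any class on the classpath whose setter has side effects.
     * The CVEs above name real ones (JNDI lookups, JDBC DataSources); this one only counts.
     */
    public static final class Canary {
        static int setterCalls = 0;
        public void setTrigger(String value) { setterCalls++; }
    }

    /** Which jackson-databind won dependency resolution? fongo alone would bring in 2.2.2. */
    public static boolean supportsPolymorphicTypeValidator() {
        Version v = PackageVersion.VERSION;
        return v.getMajorVersion() > 2
                || (v.getMajorVersion() == 2 && v.getMinorVersion() >= 10);
    }

    /** The configuration every advisory above depends on: class names in the input are trusted. */
    @SuppressWarnings("deprecation")
    public static ObjectMapper vulnerableMapper() {
        ObjectMapper m = new ObjectMapper();
        m.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL); // only a deny-list stands in the way
        return m;
    }

    /** Hardened: a class name from the input is honoured only if the class implements Shape. */
    public static ObjectMapper hardenedMapper() {
        // Deliberately no allowIfBaseType(...): allowing a base type switches subtype
        // validation off for that base, which would reopen the hole for Object-typed values.
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfSubType(Shape.class)
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    /** Feed attacker-shaped input to a mapper and report whether the named class came to life. */
    public static String probe(ObjectMapper mapper, String json) {
        int before = Canary.setterCalls;
        try {
            Object o = mapper.readValue(json, Object.class);
            return "INSTANTIATED " + o.getClass().getName()
                    + ", setter ran: " + (Canary.setterCalls > before);
        } catch (InvalidTypeIdException e) {
            // Rejected after the class name was resolved but before any constructor or setter ran.
            return "REJECTED by PolymorphicTypeValidator, setter ran: " + (Canary.setterCalls > before);
        } catch (java.io.IOException e) {
            return "FAILED: " + e.getMessage();
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("jackson-databind " + PackageVersion.VERSION
                + ", PolymorphicTypeValidator available: " + supportsPolymorphicTypeValidator());

        // Constructed inputs. With default typing enabled Jackson expects ["class name", value].
        String legit = "[\"" + Circle.class.getName() + "\", {\"radius\": 2.0}]";
        String hostile = "[\"" + Canary.class.getName() + "\", {\"trigger\": \"boom\"}]";

        System.out.println("vulnerable / legit  : area=" + vulnerableMapper().readValue(legit, Shape.class).area());
        System.out.println("vulnerable / hostile: " + probe(vulnerableMapper(), hostile));
        System.out.println("hardened   / legit  : area=" + hardenedMapper().readValue(legit, Shape.class).area());
        System.out.println("hardened   / hostile: " + probe(hardenedMapper(), hostile));
    }
}
```

Run it with the upgraded jackson-databind on the classpath: the legitimate Circle input deserializes through both mappers, while the hostile input is instantiated (and its setter runs) only through the vulnerable mapper and is rejected by the hardened one before any instance exists. Upgrading alone keeps enableDefaultTyping() on its deny-list model, which is why the list of CVEs above kept growing; the allow-list validator closes the class of bug rather than one gadget at a time. The scanner report only establishes that the jar is on the classpath; whether SecurityShepherd ever deserializes untrusted JSON with default typing enabled is a separate question it cannot answer, and the runtime version check above is the quick way to confirm that a pom override really displaced the transitive 2.2.2.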

CVE-2017-3523 (High) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2017-3523 - High Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html

Release Date: 2017-04-24

Fix Resolution: 5.1.41


⛑️ Automatic Remediation is available for this issue

mysql-connector-java-5.1.24.jar: 9 vulnerabilities (highest severity is: 8.5)

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency                       Type    Fixed in (mysql-connector-java version)  Remediation Possible**  Reachability
CVE-2017-3523   High      8.5   mysql-connector-java-5.1.24.jar  Direct  5.1.41
CVE-2022-21363  Medium    6.6   mysql-connector-java-5.1.24.jar  Direct  mysql:mysql-connector-java:8.0.28
CVE-2017-3586   Medium    6.4   mysql-connector-java-5.1.24.jar  Direct  5.1.42
CVE-2019-2692   Medium    6.3   mysql-connector-java-5.1.24.jar  Direct  5.1.48
CVE-2020-2934   Medium    5.0   mysql-connector-java-5.1.24.jar  Direct  5.1.49
CVE-2020-2875   Medium    4.7   mysql-connector-java-5.1.24.jar  Direct  5.1.49
CVE-2015-2575   Medium    4.2   mysql-connector-java-5.1.24.jar  Direct  5.1.35
CVE-2017-3589   Low       3.3   mysql-connector-java-5.1.24.jar  Direct  5.1.42
CVE-2020-2933   Low       2.2   mysql-connector-java-5.1.24.jar  Direct  5.1.49

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-3523

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xxh-f8r3-hvvr

Release Date: 2017-04-24

Fix Resolution: 5.1.41

In order to enable automatic remediation, please create workflow rules

CVE-2022-21363

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

Publish Date: 2022-01-19

URL: CVE-2022-21363

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-g76j-4cxx-23h9

Release Date: 2022-01-19

Fix Resolution: mysql:mysql-connector-java:8.0.28

CVE-2017-3586

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.42

CVE-2019-2692

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2019-04-23

Fix Resolution: 5.1.48

CVE-2020-2934

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: 5.1.49

CVE-2020-2875

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-15

Fix Resolution: 5.1.49

CVE-2015-2575

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

Publish Date: 2015-04-16

URL: CVE-2015-2575

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gc43-g62c-99g2

Release Date: 2015-04-16

Fix Resolution: 5.1.35

CVE-2017-3589

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.42

CVE-2020-2933

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: 5.1.49

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

CVE-2021-37714 (High) detected in jsoup-1.8.2.jar - autoclosed

CVE-2021-37714 - High Severity Vulnerability

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: org.jsoup:jsoup:1.14.2


⛑️ Automatic Remediation is available for this issue

CVE-2020-2934 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2020-2934 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.20


⛑️ Automatic Remediation is available for this issue

CVE-2015-0254 (High) detected in jstl-1.2.jar - autoclosed

CVE-2015-0254 - High Severity Vulnerability

Vulnerable Library - jstl-1.2.jar

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/jstl/jstl/1.2/jstl-1.2.jar

Dependency Hierarchy:

  • jstl-1.2.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Publish Date: 2015-03-09

URL: CVE-2015-0254

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/taglibs/standard/

Release Date: 2015-03-09

Fix Resolution: org.apache.taglibs:taglibs-standard-impl:1.2.3


⛑️ Automatic Remediation is available for this issue

CVE-2015-6748 (Medium) detected in jsoup-1.8.2.jar - autoclosed

CVE-2015-6748 - Medium Severity Vulnerability

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

Publish Date: 2017-09-25

URL: CVE-2015-6748

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748

Release Date: 2017-09-25

Fix Resolution: 1.8.3


⛑️ Automatic Remediation is available for this issue

CVE-2020-2933 (Low) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2020-2933 - Low Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: mysql:mysql-connector-java:5.1.49


⛑️ Automatic Remediation is available for this issue

spring-web-5.0.7.RELEASE.jar: 9 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-web version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2022-22965 | Critical | 9.8 | spring-beans-5.1.1.RELEASE.jar | Transitive | 5.2.21.RELEASE | | |
| CVE-2016-1000027 | Critical | 9.8 | spring-web-5.0.7.RELEASE.jar | Direct | 5.0.18.RELEASE | | |
| CVE-2018-15756 | High | 7.5 | spring-web-5.0.7.RELEASE.jar | Direct | 5.0.10.RELEASE | | |
| CVE-2020-5398 | High | 7.5 | spring-web-5.0.7.RELEASE.jar | Direct | 5.0.16.RELEASE | | |
| CVE-2020-5421 | Medium | 6.5 | spring-web-5.0.7.RELEASE.jar | Direct | 5.0.19.RELEASE | | |
| WS-2021-0172 | Medium | 6.3 | spring-web-5.0.7.RELEASE.jar | Direct | 5.1.0.RELEASE | | |
| CVE-2022-22970 | Medium | 5.3 | detected in multiple dependencies | Transitive | 5.2.22.RELEASE | | |
| CVE-2021-22060 | Medium | 4.3 | spring-core-5.0.11.RELEASE.jar | Transitive | 5.2.19.RELEASE | | |
| CVE-2021-22096 | Medium | 4.3 | detected in multiple dependencies | Direct | 5.2.18.RELEASE | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22965

Vulnerable Library - spring-beans-5.1.1.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 5.2.21.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2016-1000027

Vulnerable Library - spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Mend Note: After conducting further research, Mend has determined that all versions of spring-web up to version 6.0.0 are vulnerable to CVE-2016-1000027.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution: 5.0.18.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2018-15756

Vulnerable Library - spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-16

Fix Resolution: 5.0.10.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2020-5398

Vulnerable Library - spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework, versions 5.2.x prior to 5.2.3, versions 5.1.x prior to 5.1.13, and versions 5.0.x prior to 5.0.16, an application is vulnerable to a reflected file download (RFD) attack when it sets a "Content-Disposition" header in the response where the filename attribute is derived from user supplied input.

Publish Date: 2020-01-17

URL: CVE-2020-5398

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2020-5398

Release Date: 2020-01-17

Fix Resolution: 5.0.16.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2020-5421

Vulnerable Library - spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: 2020-09-19

URL: CVE-2020-5421

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: 2020-09-19

Fix Resolution: 5.0.19.RELEASE

In order to enable automatic remediation, please create workflow rules

WS-2021-0172

Vulnerable Library - spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In spring-framework, versions v5.0.0.M1 through v5.0.20.RELEASE are vulnerable to cross-site request forgery (CSRF), due to the ‘SameSite’ cookie attribute not being implemented.

Publish Date: 2021-06-29

URL: WS-2021-0172

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-29

Fix Resolution: 5.1.0.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2022-22970

Vulnerable Libraries - spring-beans-5.1.1.RELEASE.jar, spring-core-5.0.11.RELEASE.jar

spring-beans-5.1.1.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /pom.xml

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar (Vulnerable Library)

spring-core-5.0.11.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.0.11.RELEASE/spring-core-5.0.11.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar
      • spring-core-5.0.11.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 5.2.22.RELEASE

Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 5.2.22.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-22060

Vulnerable Library - spring-core-5.0.11.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.0.11.RELEASE/spring-core-5.0.11.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar
      • spring-core-5.0.11.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-10

Fix Resolution (org.springframework:spring-core): 5.2.19.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 5.2.19.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2021-22096

Vulnerable Libraries - spring-web-5.0.7.RELEASE.jar, spring-core-5.0.11.RELEASE.jar

spring-web-5.0.7.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Vulnerable Library)

spring-core-5.0.11.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.0.11.RELEASE/spring-core-5.0.11.RELEASE.jar

Dependency Hierarchy:

  • spring-web-5.0.7.RELEASE.jar (Root Library)
    • spring-beans-5.1.1.RELEASE.jar
      • spring-core-5.0.11.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.springframework:spring-web): 5.2.18.RELEASE

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

CVE-2017-3589 (Low) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2017-3589 - Low Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.42


⛑️ Automatic Remediation is available for this issue

spring-data-mongodb-2.1.1.RELEASE.jar: 1 vulnerability (highest severity is: 9.8)

Vulnerable Library - spring-data-mongodb-2.1.1.RELEASE.jar

MongoDB support for Spring Data

Library home page: http://projects.spring.io/spring-data-mongodb

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/2.1.1.RELEASE/spring-data-mongodb-2.1.1.RELEASE.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-data-mongodb version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2022-22980 | Critical | 9.8 | spring-data-mongodb-2.1.1.RELEASE.jar | Direct | 3.2.12 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22980

Vulnerable Library - spring-data-mongodb-2.1.1.RELEASE.jar

MongoDB support for Spring Data

Library home page: http://projects.spring.io/spring-data-mongodb

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/data/spring-data-mongodb/2.1.1.RELEASE/spring-data-mongodb-2.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-data-mongodb-2.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A Spring Data MongoDB application is vulnerable to SpEL Injection when using @Query or @Aggregation-annotated query methods with SpEL expressions that contain query parameter placeholders for value binding if the input is not sanitized.

Publish Date: 2022-06-23

URL: CVE-2022-22980

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22980

Release Date: 2022-06-23

Fix Resolution: 3.2.12

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

java-saml-2.5.0.jar: 4 vulnerabilities (highest severity is: 9.1)

Vulnerable Library - java-saml-2.5.0.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (java-saml version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| WS-2018-0629 | Critical | 9.1 | woodstox-core-5.0.3.jar | Transitive | 2.6.0 | | |
| CVE-2021-40690 | High | 7.5 | xmlsec-2.1.4.jar | Transitive | 2.6.0 | | |
| CVE-2022-40152 | High | 7.5 | woodstox-core-5.0.3.jar | Transitive | N/A* | | |
| WS-2019-0379 | Medium | 6.5 | commons-codec-1.6.jar | Transitive | 2.6.0 | | |

*For some transitive vulnerabilities there is no version of the direct dependency that carries a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed; that version then has to be pinned explicitly in the build rather than reached through the direct dependency.

Details

WS-2018-0629

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • java-saml-2.5.0.jar (Root Library)
    • java-saml-core-2.5.0.jar
      • xmlsec-2.1.4.jar
        • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

The woodstox-core package is vulnerable to XML External Entity (XXE) injection: it does not properly restrict external entity references declared in a DTD (CWE-611, Improper Restriction of XML External Entity Reference), so a crafted document can make the parser read local files or contact remote URLs.

Publish Date: 2018-08-23

URL: WS-2018-0629

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2018-08-23

Fix Resolution (com.fasterxml.woodstox:woodstox-core): 5.2.1

Direct dependency fix Resolution (com.onelogin:java-saml): 2.6.0

CVE-2021-40690

Vulnerable Library - xmlsec-2.1.4.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: https://santuario.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar

Dependency Hierarchy:

  • java-saml-2.5.0.jar (Root Library)
    • java-saml-core-2.5.0.jar
      • xmlsec-2.1.4.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element. Reachability note: in a SAML service provider built on java-saml, xmlsec is the library that validates signatures on incoming SAMLResponse documents, which are attacker-supplied and processed before any authentication, so this path should be treated as reachable unless the SAML login flow is disabled.

Publish Date: 2021-09-19

URL: CVE-2021-40690

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690

Release Date: 2021-09-19

Fix Resolution (org.apache.santuario:xmlsec): 2.1.7

Direct dependency fix Resolution (com.onelogin:java-saml): 2.6.0

CVE-2022-40152

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • java-saml-2.5.0.jar (Root Library)
    • java-saml-core-2.5.0.jar
      • xmlsec-2.1.4.jar
        • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Applications using Woodstox to parse XML data may be vulnerable to denial of service (DoS) if DTD support is enabled. If the parser runs on user-supplied input, an attacker may supply content that causes the parser to crash with a stack overflow. This effect may support a denial of service attack. DTD support is on by default for StAX parsers (javax.xml.stream.supportDTD defaults to true), so assume it is enabled unless the input factory explicitly turns it off.
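
Where the application itself creates a StAX parser, the mitigation for both Woodstox findings on this page (the XXE in WS-2018-0629 and the DTD-driven stack overflow in CVE-2022-40152) is the same configuration: disable DTD processing and external entity resolution on the factory. The example below is added here and is not code from Security Shepherd; the sample document is constructed, and the file path in it is only the shape of an XXE probe. It does not help with the transitive use inside xmlsec, which constructs its own parsers; that path needs the library upgrade.

```java
import java.io.StringReader;

import javax.xml.stream.XMLInputFactory;
import javax.xml.stream.XMLStreamConstants;
import javax.xml.stream.XMLStreamException;
import javax.xml.stream.XMLStreamReader;

// Added example: a StAX parser configured so DTDs and external entities are never processed.
public final class HardenedStaxParser {

    // Constructed sample input: an internal DTD subset declaring an external entity (the XXE shape).
    static final String XXE_SAMPLE =
        "<?xml version=\"1.0\"?>"
      + "<!DOCTYPE r [<!ENTITY ext SYSTEM \"file:///etc/hostname\">]>"
      + "<r>&ext;</r>";

    // Factory hardening. With Woodstox on the classpath XMLInputFactory.newFactory() returns
    // its implementation, and these standard StAX properties are honoured.
    static XMLInputFactory hardenedFactory() {
        XMLInputFactory f = XMLInputFactory.newFactory();
        // No DTD processing at all: closes the external-entity path (WS-2018-0629) and the
        // DTD-driven deep recursion that CVE-2022-40152 relies on.
        f.setProperty(XMLInputFactory.SUPPORT_DTD, Boolean.FALSE);
        // Belt and braces: even if a DTD were processed, external entities stay unresolved.
        f.setProperty(XMLInputFactory.IS_SUPPORTING_EXTERNAL_ENTITIES, Boolean.FALSE);
        return f;
    }

    // Returns the concatenated character content of the document, or throws if the parser
    // rejects the input (an unresolved entity reference surfaces as an XMLStreamException).
    public static String textContent(String xml) throws XMLStreamException {
        XMLStreamReader r = hardenedFactory().createXMLStreamReader(new StringReader(xml));
        StringBuilder sb = new StringBuilder();
        try {
            while (r.hasNext()) {
                if (r.next() == XMLStreamConstants.CHARACTERS) {
                    sb.append(r.getText());
                }
            }
        } finally {
            r.close();
        }
        return sb.toString();
    }

    public static void main(String[] args) {
        try {
            String text = textContent(XXE_SAMPLE);
            // If the parser accepts the document, the entity was not expanded; the referenced
            // file's contents never reach the application.
            System.out.println("parsed without entity expansion, text=" + text);
        } catch (XMLStreamException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Whether the sample is rejected outright or parsed with the entity left unexpanded depends on the StAX implementation that is picked up; either outcome is acceptable, because in neither case is the external resource read.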

Publish Date: 2022-09-16

URL: CVE-2022-40152

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-09-16

Fix Resolution: com.fasterxml.woodstox:woodstox-core:5.4.0,6.4.0
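
Because no java-saml release pulls in a fixed woodstox-core (the table marks the direct fix as N/A), the transitive has to be pinned in the build. The fragment below is an added example and is not taken from the project's pom.xml, whose contents this report does not show; the versions are the "Fix Resolution" values given on this page. The xmlsec and commons-codec pins are only needed if java-saml is not bumped to 2.6.0, which already brings fixed versions of those two.

```xml
<dependencyManagement>
  <dependencies>
    <!-- Overrides the version reached through java-saml -> java-saml-core -> xmlsec.
         dependencyManagement wins over transitive version selection in Maven. -->
    <dependency>
      <groupId>com.fasterxml.woodstox</groupId>
      <artifactId>woodstox-core</artifactId>
      <version>5.4.0</version>
    </dependency>
    <!-- Only required when java-saml stays below 2.6.0. -->
    <dependency>
      <groupId>org.apache.santuario</groupId>
      <artifactId>xmlsec</artifactId>
      <version>2.1.7</version>
    </dependency>
    <dependency>
      <groupId>commons-codec</groupId>
      <artifactId>commons-codec</artifactId>
      <version>1.13</version>
    </dependency>
  </dependencies>
</dependencyManagement>
```

Confirm the override took effect with mvn dependency:tree -Dincludes=com.fasterxml.woodstox,org.apache.santuario,commons-codec, which prints only the matching artifacts and the versions that actually resolve. A transitive pinned above the version its consumer was built against can break at runtime, so run the SAML login tests after the change rather than trusting the tree alone.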

WS-2019-0379

Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/codec/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar

Dependency Hierarchy:

  • java-saml-2.5.0.jar (Root Library)
    • java-saml-core-2.5.0.jar
      • xmlsec-2.1.4.jar
        • commons-codec-1.6.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Apache commons-codec before version 1.13 (first fixed in 1.13-RC1) is vulnerable to information disclosure due to improper input validation. WS-2019-0379 is a scanner-assigned identifier rather than a CVE, so there is no NVD entry to consult; the advisory text above is all the report provides.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution (commons-codec:commons-codec): 1.13

Direct dependency fix Resolution (com.onelogin:java-saml): 2.6.0

jsoup-1.8.2.jar: 3 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency       Type    Fixed in (jsoup version)
CVE-2021-37714  High      7.5   jsoup-1.8.2.jar  Direct  1.14.2
CVE-2015-6748   Medium    6.1   jsoup-1.8.2.jar  Direct  1.8.3
CVE-2022-36033  Medium    6.1   jsoup-1.8.2.jar  Direct  1.15.3

Details

CVE-2021-37714

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds: users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.

Publish Date: 2021-08-18

URL: CVE-2021-37714

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://jsoup.org/news/release-1.14.2

Release Date: 2021-08-18

Fix Resolution: 1.14.2

CVE-2015-6748

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

Publish Date: 2017-09-25

URL: CVE-2015-6748

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-6748

Release Date: 2017-09-25

Fix Resolution: 1.8.3

CVE-2022-36033

Vulnerable Library - jsoup-1.8.2.jar

jsoup HTML parser

Library home page: http://jsoup.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.8.2/jsoup-1.8.2.jar

Dependency Hierarchy:

  • jsoup-1.8.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version.

To remediate this issue without immediately upgrading:

  • disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs
  • ensure an appropriate Content Security Policy is defined (this should be used regardless of upgrading, as a defence-in-depth best practice)
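
The weak setting next to the default one, as an added example written against the jsoup 1.15.3 API (Safelist); it is not code from Security Shepherd. The sample input is constructed to have the shape the advisory describes (a javascript: scheme with a control character inserted), and the base URI is assumed. In a training platform such as this one, check first whether the jsoup call sits in a lesson that intentionally depends on the old behaviour before changing it.

```java
import org.jsoup.Jsoup;
import org.jsoup.safety.Safelist;

// Added example: sanitising untrusted HTML with jsoup's default link handling, shown beside
// the non-default setting that CVE-2022-36033 concerns.
public final class UserHtmlSanitizer {

    // Constructed sample of the advisory's shape: a javascript: URL with a control character
    // (\u0001) inside the scheme so that a naive string comparison does not recognise it.
    static final String SAMPLE = "<p>hi <a href=\"java\u0001script:alert(1)\">click</a></p>";

    // Base URI against which relative links are resolved. Assumed value, not the project's.
    static final String BASE_URI = "https://example.invalid/";

    // Default: preserveRelativeLinks is false, so every href is resolved to an absolute URL
    // against BASE_URI and its scheme is checked against the protocols allowed for a:href.
    static final Safelist HARDENED = Safelist.basic();

    // The non-default, weak setting named in the advisory: hrefs are kept as written.
    static final Safelist WEAK = Safelist.basic().preserveRelativeLinks(true);

    // Use this for any HTML that came from a user, and re-run it over previously stored
    // content after upgrading, since old content may have been cleaned by a vulnerable version.
    public static String clean(String untrustedHtml) {
        return Jsoup.clean(untrustedHtml, BASE_URI, HARDENED);
    }

    public static void main(String[] args) {
        System.out.println("hardened: " + clean(SAMPLE));
        System.out.println("weak:     " + Jsoup.clean(SAMPLE, BASE_URI, WEAK));
    }
}
```

Sanitising on input is necessary but not sufficient on its own; the Content-Security-Policy header the advisory recommends is what limits the damage if a crafted link does get through.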

Publish Date: 2022-08-29

URL: CVE-2022-36033

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gp7f-rwcx-9369

Release Date: 2022-08-29

Fix Resolution: 1.15.3


jstl-1.2.jar: 1 vulnerability (highest severity is: 7.3)

Vulnerable Library - jstl-1.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/jstl/jstl/1.2/jstl-1.2.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE            Severity  CVSS  Dependency    Type    Fixed in (jstl version)
CVE-2015-0254  High      7.3   jstl-1.2.jar  Direct  org.apache.taglibs:taglibs-standard-impl:1.2.3

Details

CVE-2015-0254

Vulnerable Library - jstl-1.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/jstl/jstl/1.2/jstl-1.2.jar

Dependency Hierarchy:

  • jstl-1.2.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

Publish Date: 2015-03-09

URL: CVE-2015-0254

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/taglibs/standard/

Release Date: 2015-03-09

Fix Resolution: org.apache.taglibs:taglibs-standard-impl:1.2.3

Note that this is a different Maven coordinate from jstl:jstl:1.2 (both groupId and artifactId change), so the remediation is a dependency replacement rather than a version bump. To judge reachability, check whether any JSP in the application applies <x:parse> or <x:transform> to attacker-influenced XML or XSLT; the vulnerable code path is only reached through those two tags.


jquery-ui-1.8.19.min.js: 5 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency               Type    Fixed in (jquery-ui version)
CVE-2021-41184  Medium    6.1   jquery-ui-1.8.19.min.js  Direct  jquery-ui - 1.13.0
CVE-2021-41183  Medium    6.1   jquery-ui-1.8.19.min.js  Direct  jquery-ui - 1.13.0
CVE-2021-41182  Medium    6.1   jquery-ui-1.8.19.min.js  Direct  jquery-ui - 1.13.0
CVE-2022-31160  Medium    6.1   jquery-ui-1.8.19.min.js  Direct  jquery-ui - 1.13.2
CVE-2016-7103   Medium    6.1   jquery-ui-1.8.19.min.js  Direct  jquery-ui - 1.12.0 (the scanner reported "katello - 4.7.2", an unrelated package; see details)

Details

CVE-2021-41184

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the "of" option of the .position() utility from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0: any string value passed to the "of" option is now treated as a CSS selector. A workaround is to not accept the value of the "of" option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41184

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41183

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41183

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41182

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41182

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2022-31160

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Publish Date: 2022-07-20

URL: CVE-2022-31160

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160

Release Date: 2022-07-20

Fix Resolution: jquery-ui - 1.13.2

CVE-2016-7103

Vulnerable Library - jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2017-03-15

Fix Resolution: jquery-ui - 1.12.0

The scanner reported "katello - 4.7.2" here, which is an unrelated package that it matched to this CVE and is not a jQuery UI version; the vulnerability text above gives the fixed jQuery UI release (1.12.0). Upgrading to 1.13.2, as the other findings on this file require, covers it as well.

CVE-2020-2875 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2020-2875 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: mysql/mysql-connector-j@79a4336

Release Date: 2020-04-15

Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.15


Renovate's dashboard

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.

Pending Approval

These branches will be created by Renovate only once you click their checkbox below.

  • Update dependency log4j:log4j to v1.2.17
  • Update dependency mysql:mysql-connector-java to v5.1.49
  • Update dependency net.zetetic:android-database-sqlcipher to v3.5.9
  • Update dependency org.owasp.encoder:encoder to v1.2.3
  • Update dependency com.android.tools.build:gradle to v1.5.0
  • Update dependency com.github.fakemongo:fongo to v2.1.1
  • Update dependency com.jayway.android.robotium:robotium-solo to v5.6.3
  • Update dependency com.onelogin:java-saml to v2.9.0
  • Update dependency de.mkammerer:argon2-jvm to v2.11
  • Update dependency gradle to v1.12
  • Update dependency gradle to v2.14.1
  • Update dependency io.fabric8:docker-maven-plugin to v0.43.4
  • Update dependency junit:junit to v4.13.2
  • Update dependency org.apache.maven.plugins:maven-clean-plugin to v3.3.2
  • Update dependency org.apache.maven.plugins:maven-compiler-plugin to v3.11.0
  • Update dependency org.apache.maven.plugins:maven-failsafe-plugin to v2.22.2
  • Update dependency org.apache.maven.plugins:maven-resources-plugin to v3.3.1
  • Update dependency org.apache.maven.plugins:maven-surefire-plugin to v2.22.2
  • Update dependency org.apache.maven.plugins:maven-war-plugin to v3.4.0
  • Update dependency org.codehaus.mojo:build-helper-maven-plugin to v3.4.0
  • Update dependency org.codehaus.mojo:keytool-maven-plugin to v1.7
  • Update dependency org.codehaus.mojo:properties-maven-plugin to v1.2.1
  • Update dependency org.junit.jupiter:junit-jupiter-api to v5.10.1
  • Update dependency org.junit.jupiter:junit-jupiter-engine to v5.10.1
  • Update dependency org.mockito:mockito-core to v2.28.2
  • Update dependency org.mongodb:mongo-java-driver to v3.12.14
  • Update dependency org.springframework.data:spring-data-mongodb to v2.2.12.RELEASE
  • Update dependency org.springframework:spring-context to v5.3.30
  • Update dependency org.springframework:spring-core to v5.3.30
  • Update dependency org.springframework:spring-test to v5.3.30
  • Update dependency org.springframework:spring-web to v5.3.30
  • Update actions/checkout action to v4
  • Update actions/setup-java action to v3
  • Update dependency com.android.tools.build:gradle to v2.3.3
  • Update dependency gradle to v8
  • Update dependency javax.servlet:javax.servlet-api to v4
  • Update dependency javax:javaee-api to v8
  • Update dependency net.zetetic:android-database-sqlcipher to v4
  • Update dependency org.apache.maven.plugins:maven-failsafe-plugin to v3
  • Update dependency org.apache.maven.plugins:maven-surefire-plugin to v3
  • Update dependency org.codehaus.mojo:exec-maven-plugin to v3
  • Update dependency org.json:json to v20231013
  • Update dependency org.mockito:mockito-core to v5
  • Update dependency org.springframework.data:spring-data-mongodb to v4
  • Update dependency org.springframework:spring-context to v6
  • Update dependency org.springframework:spring-core to v6
  • Update dependency org.springframework:spring-test to v6
  • Update dependency org.springframework:spring-web to v6

⚠ Dependency Lookup Warnings ⚠

  • Renovate failed to look up the following dependencies: Failed to look up maven package com.android.support:appcompat-v7, Failed to look up maven package com.android.support:design. These artifacts were never published to Maven Central: the versions used here came from the Android SDK's local Support Repository, and later releases from Google's Maven repository, so a registry lookup against Central cannot resolve them.

Files affected: src/MobileShepherd/BrokenCrypto/app/build.gradle, src/MobileShepherd/BrokenCrypto1/app/build.gradle, src/MobileShepherd/BrokenCrypto2/app/build.gradle, src/MobileShepherd/BrokenCrypto3/app/build.gradle, src/MobileShepherd/CProviderLeakage/app/build.gradle, src/MobileShepherd/CProviderLeakage1/app/build.gradle, src/MobileShepherd/CSInjection/app/build.gradle, src/MobileShepherd/CSInjection1/app/build.gradle, src/MobileShepherd/CSInjection2/app/build.gradle, src/MobileShepherd/InsecureData/app/build.gradle, src/MobileShepherd/InsecureData1/app/build.gradle, src/MobileShepherd/InsecureData2/app/build.gradle, src/MobileShepherd/InsecureData3/app/build.gradle, src/MobileShepherd/InsufficientTLS/app/build.gradle, src/MobileShepherd/MobShepTemplate/app/build.gradle, src/MobileShepherd/MobileShepherd/app/build.gradle, src/MobileShepherd/PoorAuthentication/app/build.gradle, src/MobileShepherd/PoorAuthentication1/app/build.gradle, src/MobileShepherd/PoorAuthentication2/app/build.gradle, src/MobileShepherd/ReverseEngineer/app/build.gradle, src/MobileShepherd/ReverseEngineer1/app/build.gradle, src/MobileShepherd/ReverseEngineer2/app/build.gradle, src/MobileShepherd/ReverseEngineer3/app/build.gradle, src/MobileShepherd/SessionManagement/app/build.gradle, src/MobileShepherd/ShepherdLogin/app/build.gradle, src/MobileShepherd/ShepherdResolver/app/build.gradle, src/MobileShepherd/UDataLeakage/app/build.gradle, src/MobileShepherd/UDataLeakage1/app/build.gradle, src/MobileShepherd/UDataLeakage2/app/build.gradle, src/MobileShepherd/UntrustedInput/app/build.gradle, src/MobileShepherd/WeakServerSideControls/app/build.gradle


Detected dependencies

docker-compose
docker-compose.yml
dockerfile
Dockerfile
docker/mongo/Dockerfile
docker/mysql/Dockerfile
github-actions
.github/workflows/prioritize.yml
  • actions/checkout v2
  • actions/setup-java v2
gradle
src/MobileShepherd/BrokenCrypto/gradle.properties
src/MobileShepherd/BrokenCrypto/settings.gradle
src/MobileShepherd/BrokenCrypto/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/BrokenCrypto/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/BrokenCrypto1/gradle.properties
src/MobileShepherd/BrokenCrypto1/settings.gradle
src/MobileShepherd/BrokenCrypto1/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/BrokenCrypto1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/BrokenCrypto2/gradle.properties
src/MobileShepherd/BrokenCrypto2/settings.gradle
src/MobileShepherd/BrokenCrypto2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/BrokenCrypto2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/BrokenCrypto3/gradle.properties
src/MobileShepherd/BrokenCrypto3/settings.gradle
src/MobileShepherd/BrokenCrypto3/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/BrokenCrypto3/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/CProviderLeakage/gradle.properties
src/MobileShepherd/CProviderLeakage/settings.gradle
src/MobileShepherd/CProviderLeakage/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/CProviderLeakage/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/CProviderLeakage1/gradle.properties
src/MobileShepherd/CProviderLeakage1/settings.gradle
src/MobileShepherd/CProviderLeakage1/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/CProviderLeakage1/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/CSInjection/gradle.properties
src/MobileShepherd/CSInjection/settings.gradle
src/MobileShepherd/CSInjection/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/CSInjection/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/CSInjection1/gradle.properties
src/MobileShepherd/CSInjection1/settings.gradle
src/MobileShepherd/CSInjection1/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/CSInjection1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/CSInjection2/gradle.properties
src/MobileShepherd/CSInjection2/settings.gradle
src/MobileShepherd/CSInjection2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/CSInjection2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData/gradle.properties
src/MobileShepherd/InsecureData/settings.gradle
src/MobileShepherd/InsecureData/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/InsecureData/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData1/gradle.properties
src/MobileShepherd/InsecureData1/settings.gradle
src/MobileShepherd/InsecureData1/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/InsecureData1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData2/gradle.properties
src/MobileShepherd/InsecureData2/settings.gradle
src/MobileShepherd/InsecureData2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/InsecureData2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/InsecureData3/gradle.properties
src/MobileShepherd/InsecureData3/settings.gradle
src/MobileShepherd/InsecureData3/build.gradle
  • com.android.tools.build:gradle 1.1.0
src/MobileShepherd/InsecureData3/app/build.gradle
  • com.android.support:appcompat-v7 22.0.0
src/MobileShepherd/InsufficientTLS/gradle.properties
src/MobileShepherd/InsufficientTLS/settings.gradle
src/MobileShepherd/InsufficientTLS/build.gradle
  • com.android.tools.build:gradle 1.3.1
src/MobileShepherd/InsufficientTLS/app/build.gradle
  • junit:junit 4.12
  • com.android.support:appcompat-v7 23.1.1
src/MobileShepherd/InsufficientTLS2/build.gradle
  • com.android.tools.build:gradle 0.5.+
src/MobileShepherd/MobShepTemplate/gradle.properties
src/MobileShepherd/MobShepTemplate/settings.gradle
src/MobileShepherd/MobShepTemplate/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/MobShepTemplate/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/MobileShepherd/gradle.properties
src/MobileShepherd/MobileShepherd/settings.gradle
src/MobileShepherd/MobileShepherd/build.gradle
  • com.android.tools.build:gradle 2.1.2
src/MobileShepherd/MobileShepherd/app/build.gradle
  • junit:junit 4.12
  • com.android.support:appcompat-v7 24.1.1
  • com.android.support:design 24.1.1
  • net.zetetic:android-database-sqlcipher 3.5.4
src/MobileShepherd/PoorAuthentication/gradle.properties
src/MobileShepherd/PoorAuthentication/settings.gradle
src/MobileShepherd/PoorAuthentication/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/PoorAuthentication/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/PoorAuthentication1/gradle.properties
src/MobileShepherd/PoorAuthentication1/settings.gradle
src/MobileShepherd/PoorAuthentication1/build.gradle
  • com.android.tools.build:gradle 1.1.0
src/MobileShepherd/PoorAuthentication1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/PoorAuthentication2/gradle.properties
src/MobileShepherd/PoorAuthentication2/settings.gradle
src/MobileShepherd/PoorAuthentication2/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/PoorAuthentication2/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer/gradle.properties
src/MobileShepherd/ReverseEngineer/settings.gradle
src/MobileShepherd/ReverseEngineer/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer1/gradle.properties
src/MobileShepherd/ReverseEngineer1/settings.gradle
src/MobileShepherd/ReverseEngineer1/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer2/gradle.properties
src/MobileShepherd/ReverseEngineer2/settings.gradle
src/MobileShepherd/ReverseEngineer2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/ReverseEngineer3/gradle.properties
src/MobileShepherd/ReverseEngineer3/settings.gradle
src/MobileShepherd/ReverseEngineer3/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ReverseEngineer3/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/SessionManagement/gradle.properties
src/MobileShepherd/SessionManagement/settings.gradle
src/MobileShepherd/SessionManagement/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/SessionManagement/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/ShepherdLogin/gradle.properties
src/MobileShepherd/ShepherdLogin/settings.gradle
src/MobileShepherd/ShepherdLogin/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/ShepherdLogin/app/build.gradle
  • com.android.support:appcompat-v7 22.0.0
src/MobileShepherd/ShepherdResolver/gradle.properties
src/MobileShepherd/ShepherdResolver/settings.gradle
src/MobileShepherd/ShepherdResolver/build.gradle
  • com.android.tools.build:gradle 1.2.3
src/MobileShepherd/ShepherdResolver/app/build.gradle
  • com.android.support:appcompat-v7 22.2.0
src/MobileShepherd/UDataLeakage/gradle.properties
src/MobileShepherd/UDataLeakage/settings.gradle
src/MobileShepherd/UDataLeakage/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/UDataLeakage/app/build.gradle
  • com.jayway.android.robotium:robotium-solo 5.2.1
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/UDataLeakage1/gradle.properties
src/MobileShepherd/UDataLeakage1/settings.gradle
src/MobileShepherd/UDataLeakage1/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/UDataLeakage1/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/UDataLeakage2/gradle.properties
src/MobileShepherd/UDataLeakage2/settings.gradle
src/MobileShepherd/UDataLeakage2/build.gradle
  • com.android.tools.build:gradle 1.5.0
src/MobileShepherd/UDataLeakage2/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
src/MobileShepherd/UntrustedInput/gradle.properties
src/MobileShepherd/UntrustedInput/settings.gradle
src/MobileShepherd/UntrustedInput/build.gradle
  • com.android.tools.build:gradle 1.3.0
src/MobileShepherd/UntrustedInput/app/build.gradle
  • junit:junit 4.12
  • com.android.support:appcompat-v7 23.1.1
  • com.android.support:design 23.1.1
src/MobileShepherd/WeakServerSideControls/gradle.properties
src/MobileShepherd/WeakServerSideControls/settings.gradle
src/MobileShepherd/WeakServerSideControls/build.gradle
  • com.android.tools.build:gradle 1.0.0
src/MobileShepherd/WeakServerSideControls/app/build.gradle
  • com.android.support:appcompat-v7 21.0.3
gradle-wrapper
src/MobileShepherd/BrokenCrypto/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/BrokenCrypto1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/BrokenCrypto2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/BrokenCrypto3/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CProviderLeakage/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CProviderLeakage1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CSInjection/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CSInjection1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/CSInjection2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsecureData3/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/InsufficientTLS/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.8
src/MobileShepherd/InsufficientTLS2/gradle/wrapper/gradle-wrapper.properties
  • gradle 1.6
src/MobileShepherd/MobShepTemplate/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/MobileShepherd/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.10
src/MobileShepherd/PoorAuthentication/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/PoorAuthentication1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/PoorAuthentication2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ReverseEngineer3/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/SessionManagement/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ShepherdLogin/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/ShepherdResolver/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UDataLeakage/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UDataLeakage1/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UDataLeakage2/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
src/MobileShepherd/UntrustedInput/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.8
src/MobileShepherd/WeakServerSideControls/gradle/wrapper/gradle-wrapper.properties
  • gradle 2.2.1
maven
pom.xml
  • com.onelogin:java-saml 2.5.0
  • de.mkammerer:argon2-jvm 2.2
  • log4j:log4j 1.2.7
  • org.json:json 20180130
  • com.googlecode.json-simple:json-simple 1.1.1
  • commons-io:commons-io 2.5
  • commons-codec:commons-codec 1.6
  • org.jsoup:jsoup 1.8.2
  • net.sf.jtidy:jtidy r938
  • javax.mail:mail 1.4.7
  • org.mongodb:mongo-java-driver 3.4.1
  • javax:javaee-api 7.0
  • javax.servlet:javax.servlet-api 3.1.0
  • jstl:jstl 1.2
  • mysql:mysql-connector-java 5.1.24
  • org.owasp.encoder:encoder 1.2.1
  • commons-logging:commons-logging 1.2
  • org.springframework:spring-web 5.0.7.RELEASE
  • org.springframework:spring-test 5.0.7.RELEASE
  • org.springframework:spring-core 5.0.11.RELEASE
  • org.springframework:spring-mock 2.0.8
  • com.github.fakemongo:fongo 2.0.6
  • org.springframework:spring-context 5.1.1.RELEASE
  • org.springframework.data:spring-data-mongodb 2.1.1.RELEASE
  • org.junit.jupiter:junit-jupiter-api 5.0.1
  • org.junit.jupiter:junit-jupiter-engine 5.0.1
  • org.hamcrest:hamcrest-junit 2.0.0.0
  • org.mockito:mockito-core 2.23.0
  • org.apache.maven.plugins:maven-clean-plugin 3.1.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.codehaus.mojo:exec-maven-plugin 1.6.0
  • org.codehaus.mojo:keytool-maven-plugin 1.5
  • io.fabric8:docker-maven-plugin 0.26.0
  • org.codehaus.mojo:properties-maven-plugin 1.0.0
  • org.apache.maven.plugins:maven-compiler-plugin 3.5.1
  • org.apache.maven.plugins:maven-war-plugin 3.0.0
  • org.apache.maven.plugins:maven-resources-plugin 3.1.0
  • org.apache.maven.plugins:maven-surefire-plugin 2.19.1
  • org.apache.maven.plugins:maven-failsafe-plugin 2.19.1
  • org.codehaus.mojo:build-helper-maven-plugin 3.0.0

CVE-2021-29425 (Medium) detected in commons-io-2.5.jar - autoclosed

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/commons-io/commons-io/2.5/commons-io-2.5.jar

Dependency Hierarchy:

  • commons-io-2.5.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result is returned unchanged, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code uses the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: commons-io:commons-io:2.7


⛑️ Automatic Remediation is available for this issue

commons-io-2.5.jar: 1 vulnerability (highest severity is: 4.8)

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency          Type    Fixed in (commons-io version)  Remediation Possible**  Reachability
CVE-2021-29425  Medium    4.8   commons-io-2.5.jar  Direct  2.7

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-29425

Vulnerable Library - commons-io-2.5.jar

The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

Library home page: http://commons.apache.org/proper/commons-io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.5/commons-io-2.5.jar

Dependency Hierarchy:

  • commons-io-2.5.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result is returned unchanged, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code uses the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution: 2.7

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules
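Both CVE-2021-29425 issues above describe the same failure mode: on the commons-io 2.5 that pom.xml pins, FilenameUtils.normalize("//../foo") hands the string back unchanged (the "//../" run is taken for a UNC-style host prefix), so code that appends the result to a base directory steps one level up. Upgrading to 2.7 is the fix. The following added example is not Security Shepherd code; it shows the check a caller should have regardless of the library version: resolve the normalized name against the base directory with java.nio and refuse anything that does not stay inside it. The class name SafeFileResolver, the base directory and the sample inputs are assumptions chosen for illustration; it needs commons-io on the classpath, which the project already has.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.List;
import org.apache.commons.io.FilenameUtils;

/**
 * Added example (not Security Shepherd code): resolves a user-supplied file name
 * under a fixed base directory and refuses anything that escapes it, whether or not
 * FilenameUtils.normalize() on the classpath catches the "//../foo" case from
 * CVE-2021-29425. Class, method and sample names are assumptions for illustration.
 */
public final class SafeFileResolver {

    private final Path baseDir;

    public SafeFileResolver(Path baseDir) {
        // Absolute and normalized so that startsWith() below compares like with like.
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Returns the resolved path inside baseDir, or null if the name is rejected.
     * Two independent gates: normalize() (returns null for names it recognises as
     * escaping), then a java.nio containment check that does not trust normalize()'s
     * output at all.
     */
    public Path resolve(String userSupplied) {
        if (userSupplied == null || userSupplied.isEmpty()) {
            return null;
        }
        String normalized = FilenameUtils.normalize(userSupplied);
        if (normalized == null) {
            return null; // e.g. "../etc/passwd" is null on every commons-io version
        }
        // On commons-io 2.5/2.6, normalize("//../foo") returns "//../foo" unchanged.
        // Resolving that against baseDir yields an absolute path outside baseDir,
        // so the containment check rejects it even though normalize() let it through.
        Path candidate = baseDir.resolve(normalized).normalize();
        if (!candidate.startsWith(baseDir)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        SafeFileResolver resolver = new SafeFileResolver(Paths.get("/var/www/uploads"));
        // Constructed sample inputs: the first two are benign, the rest are traversal attempts.
        List<String> samples = Arrays.asList(
                "report.pdf",
                "2023/report.pdf",
                "../etc/passwd",
                "//../foo",        // the CVE-2021-29425 input
                "\\..\\foo",
                "/etc/passwd");
        for (String s : samples) {
            Path p = resolver.resolve(s);
            System.out.printf("%-16s -> %s%n", s, p == null ? "REJECTED" : p);
        }
    }
}
```

Compile and run it with commons-io 2.5 on the classpath to see "//../foo" rejected by the containment check rather than by normalize(); swap in 2.7 and normalize() returns null for that input, so the first gate catches it instead. The second gate is the one to keep: it is what protects the caller when the next normalization edge case appears.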

CVE-2021-40690 (High) detected in xmlsec-2.1.4.jar - autoclosed

CVE-2021-40690 - High Severity Vulnerability

Vulnerable Library - xmlsec-2.1.4.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: https://santuario.apache.org/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.1.4/xmlsec-2.1.4.jar

Dependency Hierarchy:

  • java-saml-2.5.0.jar (Root Library)
    • xmlsec-2.1.4.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Publish Date: 2021-09-19

URL: CVE-2021-40690

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690

Release Date: 2021-09-19

Fix Resolution: org.apache.santuario:xmlsec:2.1.7, 2.2.3

jquery-ui-1.11.4.min.js: 5 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency               Type    Fixed in (jquery-ui version)                          Remediation Possible**  Reachability
CVE-2021-41184  Medium    6.1   jquery-ui-1.11.4.min.js  Direct  jquery-ui - 1.13.0
CVE-2021-41183  Medium    6.1   jquery-ui-1.11.4.min.js  Direct  jquery-ui - 1.13.0
CVE-2021-41182  Medium    6.1   jquery-ui-1.11.4.min.js  Direct  jquery-ui - 1.13.0
CVE-2022-31160  Medium    6.1   jquery-ui-1.11.4.min.js  Direct  jquery-ui - 1.13.2
CVE-2016-7103   Medium    6.1   jquery-ui-1.11.4.min.js  Direct  jquery-ui - 1.12.0 (scanner reports katello - 4.7.2)

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-41184

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the of option of the .position() util from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the of option is now treated as a CSS selector. A workaround is to not accept the value of the of option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41184

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41184

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41183

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of various *Text options of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. The values passed to various *Text options are now always treated as pure text, not HTML. A workaround is to not accept the value of the *Text options from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41183

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41183

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2021-41182

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery-UI is the official jQuery user interface library. Prior to version 1.13.0, accepting the value of the altField option of the Datepicker widget from untrusted sources may execute untrusted code. The issue is fixed in jQuery UI 1.13.0. Any string value passed to the altField option is now treated as a CSS selector. A workaround is to not accept the value of the altField option from untrusted sources.

Publish Date: 2021-10-26

URL: CVE-2021-41182

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41182

Release Date: 2021-10-26

Fix Resolution: jquery-ui - 1.13.0

CVE-2022-31160

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

jQuery UI is a curated set of user interface interactions, effects, widgets, and themes built on top of jQuery. Versions prior to 1.13.2 are potentially vulnerable to cross-site scripting. Initializing a checkboxradio widget on an input enclosed within a label makes that parent label contents considered as the input label. Calling .checkboxradio( "refresh" ) on such a widget and the initial HTML contained encoded HTML entities will make them erroneously get decoded. This can lead to potentially executing JavaScript code. The bug has been patched in jQuery UI 1.13.2. To remediate the issue, someone who can change the initial HTML can wrap all the non-input contents of the label in a span.

Publish Date: 2022-07-20

URL: CVE-2022-31160

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-31160

Release Date: 2022-07-20

Fix Resolution: jquery-ui - 1.13.2

CVE-2016-7103

Vulnerable Library - jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-03-15

Fix Resolution: jquery-ui - 1.12.0 (the scanner reports katello - 4.7.2, a downstream package that bundles jQuery UI; the library fix is the 1.12.0 release named in the description above)

spring-context-5.1.1.RELEASE.jar: 4 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - spring-context-5.1.1.RELEASE.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.1.1.RELEASE/spring-context-5.1.1.RELEASE.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency                           Type        Fixed in (spring-context version)  Remediation Possible**  Reachability
CVE-2022-22950  Medium    6.5   spring-expression-5.1.1.RELEASE.jar  Transitive  5.2.20.RELEASE
CVE-2023-20861  Medium    6.5   spring-expression-5.1.1.RELEASE.jar  Transitive  5.2.23.RELEASE
CVE-2023-20863  Medium    6.5   spring-expression-5.1.1.RELEASE.jar  Transitive  5.2.24.RELEASE
CVE-2022-22968  Medium    5.3   spring-context-5.1.1.RELEASE.jar     Direct      5.2.21.RELEASE

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22950

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2023-20861

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution (org.springframework:spring-expression): 5.2.23.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.23.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2023-20863

Vulnerable Library - spring-expression-5.1.1.RELEASE.jar

Spring Expression Language (SpEL)

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/5.1.1.RELEASE/spring-expression-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Root Library)
    • spring-expression-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27, and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution (org.springframework:spring-expression): 5.2.24.RELEASE

Direct dependency fix Resolution (org.springframework:spring-context): 5.2.24.RELEASE

In order to enable automatic remediation, please create workflow rules

CVE-2022-22968

Vulnerable Library - spring-context-5.1.1.RELEASE.jar

Spring Context

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/5.1.1.RELEASE/spring-context-5.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-5.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution: 5.2.21.RELEASE

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

WS-2019-0379 (Medium) detected in commons-codec-1.6.jar - autoclosed

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.6.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/codec/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/commons-codec/commons-codec/1.6/commons-codec-1.6.jar

Dependency Hierarchy:

  • commons-codec-1.6.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13


⛑️ Automatic Remediation is available for this issue

CVE-2017-3586 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2017-3586 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.42


⛑️ Automatic Remediation is available for this issue

json-20180130.jar: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - json-20180130.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20180130/json-20180130.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (json version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2022-45688 | High | 7.5 | json-20180130.jar | Direct | 20230227 | | |
| CVE-2023-5072 | High | 7.5 | json-20180130.jar | Direct | org.json:json:20231013 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-45688

Vulnerable Library - json-20180130.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20180130/json-20180130.jar

Dependency Hierarchy:

  • json-20180130.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A stack overflow in the XML.toJSONObject component of hutool-json v5.8.10 allows attackers to cause a Denial of Service (DoS) via crafted JSON or XML data.

Publish Date: 2022-12-13

URL: CVE-2022-45688

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-3vqj-43w4-2q58

Release Date: 2022-12-13

Fix Resolution: 20230227

In order to enable automatic remediation, please create workflow rules

CVE-2023-5072

Vulnerable Library - json-20180130.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

The files in this package implement JSON encoders/decoders in Java. It also includes the capability to convert between JSON and XML, HTTP headers, Cookies, and CDL.

This is a reference implementation. There is a large number of JSON packages in Java. Perhaps someday the Java community will standardize on one. Until then, choose carefully.

The license includes this restriction: "The software shall be used for good, not evil." If your conscience cannot live with that, then choose a different package.

Library home page: https://github.com/douglascrockford/JSON-java

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/json/json/20180130/json-20180130.jar

Dependency Hierarchy:

  • json-20180130.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Denial of Service in JSON-Java versions up to and including 20230618. A bug in the parser means that an input string of modest size can lead to indefinite amounts of memory being used.

Publish Date: 2023-10-12

URL: CVE-2023-5072

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-rm7j-f5g5-27vv

Release Date: 2023-10-12

Fix Resolution: org.json:json:20231013

In order to enable automatic remediation, please create workflow rules


In order to enable automatic remediation for this issue, please create workflow rules

WS-2018-0629 (High) detected in woodstox-core-5.0.3.jar - autoclosed

WS-2018-0629 - High Severity Vulnerability

Vulnerable Library - woodstox-core-5.0.3.jar

Woodstox is a high-performance XML processor that implements Stax (JSR-173), SAX2 and Stax2 APIs

Library home page: https://github.com/FasterXML/woodstox

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/woodstox/woodstox-core/5.0.3/woodstox-core-5.0.3.jar

Dependency Hierarchy:

  • java-saml-2.5.0.jar (Root Library)
    • xmlsec-2.1.4.jar
      • woodstox-core-5.0.3.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

The woodstox-core package is vulnerable to improper restriction of XXE reference.

Publish Date: 2018-08-23

URL: WS-2018-0629

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: FasterXML/woodstox#61

Release Date: 2018-08-23

Fix Resolution: com.fasterxml.woodstox:woodstox-core:5.3.0

CVE-2019-17571 (High) detected in log4j-1.2.7.jar - autoclosed

CVE-2019-17571 - High Severity Vulnerability

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

json-simple-1.1.1.jar: 1 vulnerability (highest severity is: 5.5)

Vulnerable Library - json-simple-1.1.1.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (json-simple version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2020-15250 | Medium | 5.5 | junit-4.10.jar | Transitive | N/A* | | |

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-15250

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Dependency Hierarchy:

  • json-simple-1.1.1.jar (Root Library)
    • junit-4.10.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: junit:junit:4.13.1

log4j-1.2.7.jar: 8 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

| CVE | Severity | CVSS | Dependency | Type | Fixed in (log4j version) | Remediation Possible** | Reachability |
|---|---|---|---|---|---|---|---|
| CVE-2022-23305 | Critical | 9.8 | log4j-1.2.7.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.2 | | |
| CVE-2019-17571 | Critical | 9.8 | log4j-1.2.7.jar | Direct | log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16 | | |
| CVE-2020-9493 | Critical | 9.8 | log4j-1.2.7.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.1 | | |
| CVE-2022-23307 | High | 8.8 | log4j-1.2.7.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.1 | | |
| CVE-2022-23302 | High | 8.8 | log4j-1.2.7.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.1 | | |
| CVE-2021-4104 | High | 7.5 | log4j-1.2.7.jar | Direct | uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module | | |
| CVE-2023-26464 | High | 7.5 | log4j-1.2.7.jar | Direct | org.apache.logging.log4j:log4j-core:2.0 | | |
| CVE-2020-9488 | Low | 3.7 | log4j-1.2.7.jar | Direct | ch.qos.reload4j:reload4j:1.2.18.3 | | |

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-23305

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

In order to enable automatic remediation, please create workflow rules

CVE-2019-17571

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

In order to enable automatic remediation, please create workflow rules

CVE-2020-9493

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

In order to enable automatic remediation, please create workflow rules

CVE-2022-23307

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

In order to enable automatic remediation, please create workflow rules

CVE-2022-23302

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

In order to enable automatic remediation, please create workflow rules

CVE-2021-4104

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

In order to enable automatic remediation, please create workflow rules

CVE-2023-26464

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

In order to enable automatic remediation, please create workflow rules

CVE-2020-9488

Vulnerable Library - log4j-1.2.7.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.7/log4j-1.2.7.jar

Dependency Hierarchy:

  • log4j-1.2.7.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

Improper validation of certificate with host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

In order to enable automatic remediation, please create workflow rules

CVE-2016-7103 (Medium) detected in jquery-ui-1.8.19.min.js, jquery-ui-1.11.4.min.js - autoclosed

CVE-2016-7103 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-ui-1.8.19.min.js, jquery-ui-1.11.4.min.js

jquery-ui-1.8.19.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.8.19/jquery-ui.min.js

Path to dependency file: SecurityShepherd/src/main/webapp/index.jsp

Path to vulnerable library: /src/main/webapp/js/jqueryUI.js,/src/main/webapp/js/jqueryUI.js

Dependency Hierarchy:

  • jquery-ui-1.8.19.min.js (Vulnerable Library)

jquery-ui-1.11.4.min.js

A curated set of user interface interactions, effects, widgets, and themes built on top of the jQuery JavaScript Library.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jqueryui/1.11.4/jquery-ui.min.js

Path to vulnerable library: /src/main/webapp/js/jquery-ui.min.js

Dependency Hierarchy:

  • jquery-ui-1.11.4.min.js (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jQuery UI before 1.12.0 might allow remote attackers to inject arbitrary web script or HTML via the closeText parameter of the dialog function.

Publish Date: 2017-03-15

URL: CVE-2016-7103

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-7103

Release Date: 2017-03-15

Fix Resolution: 1.12.0

jtidy-r938.jar: 1 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - jtidy-r938.jar

JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.

Library home page: http://jtidy.sourceforge.net

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sf/jtidy/jtidy/r938/jtidy-r938.jar

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Vulnerabilities

CVE             Severity  CVSS  Dependency      Type    Fixed in (jtidy-r938.jar version)  Remediation Possible**  Reachability
CVE-2023-34623  High      7.5   jtidy-r938.jar  Direct  com.github.jtidy:jtidy:1.0.4

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2023-34623

Vulnerable Library - jtidy-r938.jar

JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.

Library home page: http://jtidy.sourceforge.net

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sf/jtidy/jtidy/r938/jtidy-r938.jar

Dependency Hierarchy:

  • jtidy-r938.jar (Vulnerable Library)

Found in HEAD commit: 03896393b1cf2be1535903109be773ec2c346239

Found in base branch: dev

Vulnerability Details

An issue was discovered in jtidy through r938 that allows attackers to cause a denial of service or other unspecified impacts via a crafted object that uses cyclic dependencies.

Publish Date: 2023-06-14

URL: CVE-2023-34623

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2023-06-14

Fix Resolution: com.github.jtidy:jtidy:1.0.4

In order to enable automatic remediation, please create workflow rules

CVE-2019-2692 (Medium) detected in mysql-connector-java-5.1.24.jar - autoclosed

CVE-2019-2692 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-5.1.24.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: SecurityShepherd/pom.xml

Path to vulnerable library: tory/mysql/mysql-connector-java/5.1.24/mysql-connector-java-5.1.24.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.24.jar (Vulnerable Library)

Found in HEAD commit: 49a6d1a447d175c942eb353c1cb5c54ad52b5a7b

Found in base branch: dev

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2020-08-24

Fix Resolution: mysql:mysql-connector-java:8.0.16


⛑️ Automatic Remediation is available for this issue