katerinaorg / webgoat Goto Github PK
View Code? Open in Web Editor NEWThis project forked from webgoat/webgoat
WebGoat is a deliberately insecure application
Home Page: https://webgoat.github.io/WebGoat/
License: Other
This project forked from webgoat/webgoat
WebGoat is a deliberately insecure application
Home Page: https://webgoat.github.io/WebGoat/
License: Other
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39144
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j9h8-phrw-h4fh
Release Date: 2021-08-23
Fix Resolution: 1.4.18
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21342
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hvv8-336g-rx3m
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39154
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6w62-hx7r-mw68
Release Date: 2021-08-23
Fix Resolution: 1.4.18
spring-security-web
Library home page: https://spring.io/spring-security
Path to dependency file: /webgoat-lessons/html-tampering/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar,/home/wss-scanner/.m2/repository/org/springframework/security/spring-security-web/5.4.5/spring-security-web-5.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
CSRF tokens in Spring Security are vulnerable to a breach attack. Spring Security always returns the same CSRF token to the browser.
Publish Date: 2016-08-02
URL: WS-2016-7107
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/WS-2016-7107
Release Date: 2016-08-02
Fix Resolution: org.springframework.security:spring-security-web - 5.2.14.RELEASE,5.3.13.RELEASE,5.5.4,5.4.10
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js
Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
Publish Date: 2020-11-16
URL: CVE-2020-26217
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mw36-7c6c-q4q2
Release Date: 2020-11-16
Fix Resolution: 1.4.13-java7
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21351
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hrcp-8f3q-4w2c
Release Date: 2021-03-23
Fix Resolution: 1.4.16
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/jquery-2.1.4.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39146
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p8pq-r894-fm8f
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Jakarta Expression Language provides a specification document, API, reference implementation and TCK that describes an expression language for Java applications.
Library home page: https://projects.eclipse.org/projects/ee4j.el
Path to dependency file: /webgoat-lessons/chrome-dev-tools/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar,/home/wss-scanner/.m2/repository/org/glassfish/jakarta.el/3.0.3/jakarta.el-3.0.3.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In the Jakarta Expression Language implementation 3.0.3 and earlier, a bug in the ELParserTokenManager enables invalid EL expressions to be evaluated as if they were valid.
Publish Date: 2021-05-26
URL: CVE-2021-28170
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name= CVE-2021-28170
Release Date: 2021-05-26
Fix Resolution (org.glassfish:jakarta.el): 3.0.4
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.4.11
jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.
Library home page: https://jsoup.org/
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar,/home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar,/home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.13.1/jsoup-1.13.1.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
Publish Date: 2021-08-18
URL: CVE-2021-37714
Base Score Metrics:
Type: Upgrade version
Origin: https://jsoup.org/news/release-1.14.2
Release Date: 2021-08-18
Fix Resolution: 1.14.2
Command line parsing
Library home page: http://jcommander.org
Path to dependency file: /webgoat-lessons/insecure-deserialization/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar,/home/wss-scanner/.m2/repository/com/beust/jcommander/1.72/jcommander-1.72.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.
Publish Date: 2019-02-19
URL: WS-2019-0490
Base Score Metrics:
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21348
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-56p8-3fh9-4cvq
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.
Publish Date: 2017-04-29
URL: CVE-2017-7957
Base Score Metrics:
Type: Upgrade version
Origin: http://x-stream.github.io/CVE-2017-7957.html
Release Date: 2017-04-29
Fix Resolution: 1.4.10
Path to dependency file: /webgoat-lessons/xxe/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-websockets-jsr/2.2.4.Final/undertow-websockets-jsr-2.2.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
A flaw was found in Undertow. A buffer leak on the incoming WebSocket PONG message may lead to memory exhaustion. This flaw allows an attacker to cause a denial of service. The highest threat from this vulnerability is availability.
Publish Date: 2022-08-23
URL: CVE-2021-3690
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.redhat.com/browse/UNDERTOW-1935
Release Date: 2022-08-23
Fix Resolution (io.undertow:undertow-websockets-jsr): 2.2.10.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.4.10
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/jquery-2.1.4.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/jquery.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js
Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: 3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/jquery-2.1.4.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js
Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39149
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3ccq-5vw3-2p6x
Release Date: 2021-08-23
Fix Resolution: 1.4.18
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39139
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-64xx-cq4q-mf44
Release Date: 2021-08-23
Fix Resolution: 1.4.18
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39145
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8jrj-525p-826v
Release Date: 2021-08-23
Fix Resolution: 1.4.18
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is software for serializing Java objects to XML and back again. A vulnerability in XStream versions prior to 1.4.17 may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types is affected. The vulnerability is patched in version 1.4.17.
Publish Date: 2021-05-28
URL: CVE-2021-29505
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7chv-rrw6-w6fc
Release Date: 2021-05-28
Fix Resolution: 1.4.17
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
Publish Date: 2019-05-15
URL: CVE-2013-7285
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
Release Date: 2019-05-15
Fix Resolution: 1.4.10-java7
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if using the version out of the box with Java runtime version 14 to 8 or with JavaFX installed. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39153
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Path to dependency file: /webgoat-lessons/vulnerable-components/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar,/home/wss-scanner/.m2/repository/io/undertow/undertow-core/2.2.4.Final/undertow-core-2.2.4.Final.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
A flaw was found in undertow. The HTTP2SourceChannel fails to write the final frame under some circumstances, resulting in a denial of service. The highest threat from this vulnerability is availability. This flaw affects Undertow versions prior to 2.0.35.SP1, prior to 2.2.6.SP1, prior to 2.2.7.SP1, prior to 2.0.36.SP1, prior to 2.2.9.Final and prior to 2.0.39.Final.
Publish Date: 2022-05-24
URL: CVE-2021-3597
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1970930
Release Date: 2022-05-24
Fix Resolution (io.undertow:undertow-core): 2.2.9.Final
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-undertow): 2.4.9
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39147
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h7v4-7xg3-hxcc
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /webgoat-lessons/html-tampering/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/5.3.4/spring-web-5.3.4.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Spring Framework, versions 5.2.x prior to 5.2.15 and versions 5.3.x prior to 5.3.7, a WebFlux application is vulnerable to a privilege escalation: by (re)creating the temporary storage directory, a locally authenticated malicious user can read or modify files that have been uploaded to the WebFlux application, or overwrite arbitrary files with multipart request data.
Publish Date: 2021-05-27
URL: CVE-2021-22118
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22118
Release Date: 2021-05-27
Fix Resolution (org.springframework:spring-web): 5.3.7
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.4.6
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js
Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: 3.4.0
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39140
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6wf9-jmg9-vxcc
Release Date: 2021-08-23
Fix Resolution: 1.4.18
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21347
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qpfq-ph7r-qv6f
Release Date: 2021-03-23
Fix Resolution: 1.4.16
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ant/ant/1.6.5/ant-1.6.5.jar,/home/wss-scanner/.m2/repository/ant/ant/1.6.5/ant-1.6.5.jar,/home/wss-scanner/.m2/repository/ant/ant/1.6.5/ant-1.6.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
Publish Date: 2012-06-29
URL: CVE-2012-2098
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
Release Date: 2012-06-29
Fix Resolution: org.apache.ant:ant:1.8.4,org.apache.commons:commons-compress:1.4.1
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21350
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-43gc-mjxg-gvrq
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Publish Date: 2016-05-17
URL: CVE-2016-3674
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
Release Date: 2016-05-17
Fix Resolution: 1.4.9
The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/proper/commons-io/
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.6/commons-io-2.6.jar
Dependency Hierarchy:
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/io/
Path to dependency file: /webgoat-lessons/xxe/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: 2.7
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21349
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f6hm-88x3-mfjv
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21344
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-59jw-jqf4-3wq3
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Publish Date: 2020-12-16
URL: CVE-2020-26259
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jfvx-7wrx-43fh
Release Date: 2020-12-16
Fix Resolution: 1.4.14-jdk7
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39151
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hph2-m3g5-xxv4
Release Date: 2021-08-23
Fix Resolution: 1.4.18
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js
Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: 3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/jquery.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/jquery/jquery-1.10.2.min.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/2.1.4/jquery.min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/jquery-2.1.4.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Path to dependency file: /webgoat-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ant/ant/1.6.5/ant-1.6.5.jar,/home/wss-scanner/.m2/repository/ant/ant/1.6.5/ant-1.6.5.jar,/home/wss-scanner/.m2/repository/ant/ant/1.6.5/ant-1.6.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Publish Date: 2021-07-14
URL: CVE-2021-36373
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373
Release Date: 2021-07-14
Fix Resolution: org.apache.ant:ant:1.9.16,1.10.11
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21343
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-74cv-f58x-f9wf
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21346
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4hrm-m67v-5cxr
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21341
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2p3x-qw9c-25hh
Release Date: 2021-03-23
Fix Resolution: 1.4.16
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.
Publish Date: 2020-12-16
URL: CVE-2020-26258
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4cch-wxpw-8p28
Release Date: 2020-12-16
Fix Resolution: 1.4.14-jdk7
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39148
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qrx8-8545-4wg2
Release Date: 2021-08-23
Fix Resolution: 1.4.18
JavaScript's functional programming helper library.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/underscore.js/1.10.2/underscore-min.js
Path to vulnerable library: /webgoat-container/src/main/resources/static/js/libs/underscore-min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
The package underscore from 1.13.0-0 and before 1.13.0-2, from 1.3.2 and before 1.12.1 are vulnerable to Arbitrary Code Injection via the template function, particularly when a variable property is passed as an argument as it is not sanitized.
Publish Date: 2021-03-29
URL: CVE-2021-23358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23358
Release Date: 2021-03-29
Fix Resolution: underscore - 1.12.1,1.13.0-2
WebJar for Bootstrap
Library home page: http://webjars.org
Path to dependency file: /webwolf/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar,/home/wss-scanner/.m2/repository/org/webjars/bootstrap/3.3.7/bootstrap-3.3.7.jar
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.1.1/js/bootstrap.min.js
Path to vulnerable library: /webgoat-lessons/challenge/src/main/resources/js/bootstrap.min.js,/webgoat-container/src/main/resources/static/js/libs/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
XStream is a serialization library from Java objects to XML and back.
Path to dependency file: /webgoat-integration-tests/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar,/home/wss-scanner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.5/xstream-1.4.5.jar
Dependency Hierarchy:
Found in HEAD commit: f18e43fbc2d56c28b38b6d440d202f7327efd240
Found in base branch: develop
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. XStream 1.4.18 uses no longer a blacklist by default, since it cannot be secured for general purpose.
Publish Date: 2021-08-23
URL: CVE-2021-39141
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g5w6-mrj7-75h2
Release Date: 2021-08-23
Fix Resolution: 1.4.18
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.