argus's Introduction

Argus

Argus is a time-series monitoring and alerting platform. It consists of discrete services to configure alerts, ingest and transform metrics & events, send notifications, create namespaces, and to both establish and enforce policies and quotas for usage.

Its architecture allows any and all of these services to be retargeted to new technology as it becomes available, with little to no impact on the users.

To find out more see the wiki and check out the release notes.

Building Argus

Installing The Resource Filters

Argus uses the argus-build.properties file as a resource filter for the build and all the module builds. After you clone the project for the first time, or after you change this file, you must create and install the dependency jars that contain these filters. The modules then pull in those dependency jars, expand them and apply their values to the module-specific builds. It's a straightforward operation: execute the following command from within the parent project.

mvn -DskipTests=true -DskipDockerBuild --non-recursive install

Running The Unit Tests

Once the resource filters are installed, you can run unit tests. Running the unit tests doesn't require any changes to the argus-build.properties file. Just install the resource filters and execute the test goal.

mvn test

Only the unit tests are run by codecov.io and as such, the coverage reported by it is significantly less than the coverage obtained by running the full test suite.

Running The Integration Tests

The integration tests for Argus use the LDAPAuthService implementation of the AuthService interface and the DefaultTSDBService implementation of the TSDBService interface (which targets OpenTSDB). They also use the RedisCacheService implementation of the CacheService interface to facilitate integration testing of the BatchService. To run the integration tests, you must update the argus-build.properties file to correctly set up the external LDAP you'll be testing against, the OpenTSDB endpoints to use, and the Redis cluster. The snippet below shows the specific properties that should be modified in the argus-build.properties file. After you make these updates, you must re-install the resource filter dependencies as described above and execute the clean goal before running the integration tests.

# The LDAP endpoint to use
service.property.auth.ldap.endpoint=ldaps://ldaps.yourdomain.com:636
# A list of comma separated search paths used to query the DN of users attempting to authenticate.
# This example lists two separate search bases.  One for users and one for service accounts.
service.property.auth.ldap.searchbase=OU=active,OU=user,DC=yourdomain,DC=com:OU=active,OU=robot,DC=yourdomain,DC=com
# This specifies the DN of the privileged user that is used to bind and subsequently execute the search for user DNs
service.property.auth.ldap.searchdn=CN=argus_admin,OU=active,OU=user,DC=yourdomain,DC=com
# The password for the privileged user above.
service.property.auth.ldap.searchpwd=Argu5R0cks!
# The LDAP field with which the username provided during a login attempt, will be matched.
# This is used so Argus can obtain the DN for the user attempting to login, and subsequently attempt to bind as that user.
service.property.auth.ldap.usernamefield=sAMAccountName
# The TSDB read endpoint
service.property.tsdb.endpoint.read=http://readtsdb.yourdomain.com:4466
# The TSDB write endpoint
service.property.tsdb.endpoint.write=http://writetsdb.yourdomain.com:4477
# The Redis cache cluster information
service.property.cache.redis.cluster=redis0.mycompany.com:6379,redis1.mycompany.com:6389

Once the modifications have been made and the resource filters re-installed, you're ready to run the complete suite of tests, including the integration tests.

mvn verify

Generating Coverage Reports

Coverage is calculated every time tests are run, for all modules with the exception of ArgusWeb. To generate a coverage report for a module, cd into the module subdirectory and run the report generation target.

mvn jacoco:report

Coverage reports are generated in the target/site/jacoco directory.

Deploying & Running Argus

Please see the wiki for information on how to deploy, configure and run Argus.

argus's People

Contributors

cnardi-dev, dilipdevaraj-sfdc, bsura, pfu-salesforce, sundeepsf, studanshu, naveenreddykarri, xizi-xu, cannakula-sfdc, colbyguan, justinharringa, yjanezou, pratiksha-shah, dilip-devaraj, kow1011b, dongpujin, melan, taozhangsfdc, gaurav-kumar-sfdc, rmelick, nkunal, krasv, raj-sarkapally, greatruofan, axdotl, ryanguest, anish, jmr50, gauravk48, hivehand

Watchers

James Cloos

argus's Issues

WS-2019-0047 (Medium) detected in tar-2.2.1.tgz

WS-2019-0047 - Medium Severity Vulnerability

Vulnerable Library - tar-2.2.1.tgz

tar for node

Library home page: https://registry.npmjs.org/tar/-/tar-2.2.1.tgz

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.1.2.tgz
        • node-pre-gyp-0.6.36.tgz
          • tar-2.2.1.tgz (Vulnerable Library)

Vulnerability Details

Versions of node-tar prior to 4.4.2 are vulnerable to Arbitrary File Overwrite. Extracting tarballs containing a hardlink to a file that already exists in the system, and a file that matches the hardlink will overwrite the system's file with the contents of the extracted file.

Publish Date: 2019-04-05

URL: WS-2019-0047

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/803

Release Date: 2019-04-05

Fix Resolution: 4.4.2


Step up your Open Source Security Game with WhiteSource here

CVE-2017-16118 (High) detected in forwarded-0.1.0.tgz

CVE-2017-16118 - High Severity Vulnerability

Vulnerable Library - forwarded-0.1.0.tgz

Parse HTTP X-Forwarded-For header

Library home page: https://registry.npmjs.org/forwarded/-/forwarded-0.1.0.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/forwarded/package.json

Dependency Hierarchy:

  • webpack-dev-server-2.7.1.tgz (Root Library)
    • express-4.15.4.tgz
      • proxy-addr-1.1.5.tgz
        • forwarded-0.1.0.tgz (Vulnerable Library)

Vulnerability Details

The forwarded module is used by the Express.js framework to handle the X-Forwarded-For header. It is vulnerable to a regular expression denial of service when it's passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16118

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/527/versions

Release Date: 2018-06-07

Fix Resolution: 0.1.2

CVE-2018-13797 (High) detected in macaddress-0.2.8.tgz

CVE-2018-13797 - High Severity Vulnerability

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/macaddress/package.json

Dependency Hierarchy:

  • css-loader-0.28.5.tgz (Root Library)
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • macaddress-0.2.8.tgz (Vulnerable Library)

Vulnerability Details

The macaddress module before 0.2.9 for Node.js is prone to an arbitrary command injection flaw, due to allowing unsanitized input to an exec (rather than execFile) call.

Publish Date: 2018-07-10

URL: CVE-2018-13797

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-13797

Release Date: 2018-07-10

Fix Resolution: 0.2.9

CVE-2018-14721 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7


CVE-2017-16137 (Medium) detected in debug-2.6.8.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.6.8.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.6.8.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/app/node_modules/debug/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • debug-2.6.8.tgz (Vulnerable Library)

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution: 2.6.9

CVE-2016-5001 (Medium) detected in hadoop-hdfs-2.2.0.jar

CVE-2016-5001 - Medium Severity Vulnerability

Vulnerable Library - hadoop-hdfs-2.2.0.jar

Apache Hadoop HDFS

Path to dependency file: /Argus/ArgusCore/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.2.0/hadoop-hdfs-2.2.0.jar

Dependency Hierarchy:

  • phoenix-core-4.13.1-HBase-0.98.jar (Root Library)
    • hbase-server-0.98.23-hadoop2.jar
      • hadoop-hdfs-2.2.0.jar (Vulnerable Library)

Vulnerability Details

This is an information disclosure vulnerability in Apache Hadoop before 2.6.4 and 2.7.x before 2.7.2 in the short-circuit reads feature of HDFS. A local user on an HDFS DataNode may be able to craft a block token that grants unauthorized read access to random files by guessing certain fields in the token.

Publish Date: 2017-08-30

URL: CVE-2016-5001

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-5001

Release Date: 2017-08-30

Fix Resolution: 2.6.4,2.7.2


WS-2019-0063 (High) detected in multiple libraries

WS-2019-0063 - High Severity Vulnerability

Vulnerable Libraries - js-yaml-3.9.1.tgz, js-yaml-2.0.5.tgz, js-yaml-3.7.0.tgz

js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/app/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • js-yaml-3.9.1.tgz (Vulnerable Library)

js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • js-yaml-2.0.5.tgz (Vulnerable Library)

js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-replace-0.8.0.tgz (Root Library)
    • applause-0.3.4.tgz
      • js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of js-yaml prior to 3.13.1 are vulnerable to Code Injection. The load() function may execute arbitrary code injected through a malicious YAML file.

Publish Date: 2019-04-05

URL: WS-2019-0063

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/813

Release Date: 2019-04-05

Fix Resolution: js-yaml - 3.13.1

CVE-2018-19361 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8


CVE-2017-3166 (High) detected in hadoop-mapreduce-client-core-2.7.4.jar

CVE-2017-3166 - High Severity Vulnerability

Vulnerable Library - hadoop-mapreduce-client-core-2.7.4.jar

Apache Hadoop Project POM

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/hadoop/hadoop-mapreduce-client-core/2.7.4/hadoop-mapreduce-client-core-2.7.4.jar

Dependency Hierarchy:

  • hbase-client-1.4.2.jar (Root Library)
    • hadoop-mapreduce-client-core-2.7.4.jar (Vulnerable Library)

Vulnerability Details

In Apache Hadoop versions 2.6.1 to 2.6.5, 2.7.0 to 2.7.3, and 3.0.0-alpha1, if a file in an encryption zone with access permissions that make it world readable is localized via YARN's localization mechanism, that file will be stored in a world-readable location and can be shared freely with any application that requests to localize that file.

Publish Date: 2017-11-13

URL: CVE-2017-3166

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3166

Release Date: 2017-11-13

Fix Resolution: 2.7.4,3.0.0-alpha1


WS-2019-0019 (Medium) detected in braces-1.8.5.tgz

WS-2019-0019 - Medium Severity Vulnerability

Vulnerable Library - braces-1.8.5.tgz

Fastest brace expansion for node.js, with the most complete support for the Bash 4.3 braces specification.

Library home page: https://registry.npmjs.org/braces/-/braces-1.8.5.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/braces/package.json

Dependency Hierarchy:

  • jscodeshift-0.3.32.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz (Vulnerable Library)

Vulnerability Details

Versions of braces prior to 2.3.1 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to become unresponsive, leading to Denial of Service.

Publish Date: 2018-02-16

URL: WS-2019-0019

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/786

Release Date: 2019-02-21

Fix Resolution: 2.3.1

WS-2018-0113 (High) detected in macaddress-0.2.8.tgz

WS-2018-0113 - High Severity Vulnerability

Vulnerable Library - macaddress-0.2.8.tgz

Get the MAC addresses (hardware addresses) of the hosts network interfaces.

Library home page: https://registry.npmjs.org/macaddress/-/macaddress-0.2.8.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/macaddress/package.json

Dependency Hierarchy:

  • css-loader-0.28.5.tgz (Root Library)
    • cssnano-3.10.0.tgz
      • postcss-filter-plugins-2.0.2.tgz
        • uniqid-4.1.1.tgz
          • macaddress-0.2.8.tgz (Vulnerable Library)

Vulnerability Details

All versions of macaddress are vulnerable to command injection. For this vulnerability to be exploited an attacker needs to control the iface argument to the one method.

Publish Date: 2018-05-16

URL: WS-2018-0113

CVSS 2 Score Details (10.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/654

Release Date: 2018-05-16

Fix Resolution: No fix is currently available for this vulnerability. It is our recommendation to not install or use this module until a fix is provided.

CVE-2018-16492 (High) detected in extend-3.0.1.tgz

CVE-2018-16492 - High Severity Vulnerability

Vulnerable Library - extend-3.0.1.tgz

Port of jQuery.extend for node.js and the browser

Library home page: https://registry.npmjs.org/extend/-/extend-3.0.1.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/bower/lib/node_modules/extend/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • extend-3.0.1.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in module extend <2.0.2, ~<3.0.2 that allows an attacker to inject arbitrary properties onto Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16492

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/381185

Release Date: 2019-02-01

Fix Resolution: extend - v3.0.2,v2.0.2

CVE-2018-19362 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8


WS-2018-0103 (Medium) detected in stringstream-0.0.5.tgz

WS-2018-0103 - Medium Severity Vulnerability

Vulnerable Library - stringstream-0.0.5.tgz

Encode and decode streams into string streams

Library home page: https://registry.npmjs.org/stringstream/-/stringstream-0.0.5.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/app/node_modules/stringstream/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • stringstream-0.0.5.tgz (Vulnerable Library)

Vulnerability Details

All versions of stringstream are vulnerable to an out-of-bounds read, as it allocates uninitialized Buffers when a number is passed in the input stream on Node.js 4.x and below.

Publish Date: 2018-05-16

URL: WS-2018-0103

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/664

Release Date: 2018-01-27

Fix Resolution: 0.0.6

CVE-2018-1000620 (High) detected in cryptiles-2.0.5.tgz

CVE-2018-1000620 - High Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/bower/lib/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • cryptiles-2.0.5.tgz (Vulnerable Library)

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method, which can make an attacker more likely to be able to brute force something that was supposed to be random. Whether this attack is exploitable depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution: v4.1.2

CVE-2018-5968 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4


CVE-2017-15010 (High) detected in tough-cookie-2.3.2.tgz

CVE-2017-15010 - High Severity Vulnerability

Vulnerable Library - tough-cookie-2.3.2.tgz

RFC6265 Cookies and Cookie Jar for node.js

Library home page: https://registry.npmjs.org/tough-cookie/-/tough-cookie-2.3.2.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/app/node_modules/tough-cookie/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • tough-cookie-2.3.2.tgz (Vulnerable Library)

Vulnerability Details

A ReDoS (regular expression denial of service) flaw was found in the tough-cookie module before 2.3.3 for Node.js. An attacker that is able to make an HTTP request using a specially crafted cookie may cause the application to consume an excessive amount of CPU.

Publish Date: 2017-10-04

URL: CVE-2017-15010

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15010

Release Date: 2017-10-04

Fix Resolution: 2.3.3

CVE-2019-0201 (Medium) detected in zookeeper-3.4.10.jar

CVE-2019-0201 - Medium Severity Vulnerability

Vulnerable Library - zookeeper-3.4.10.jar

Path to dependency file: Argus/ArgusCore/pom.xml

Path to vulnerable library: 20200424201148/downloadResource_37d9ef67-35d3-469d-8bb1-8658535649d9/20200424204509/zookeeper-3.4.10.jar

Dependency Hierarchy:

  • zookeeper-3.4.10.jar (Vulnerable Library)

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request for unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution: 3.4.14, 3.5.5



CVE-2017-16119 (High) detected in fresh-0.5.0.tgz

CVE-2017-16119 - High Severity Vulnerability

Vulnerable Library - fresh-0.5.0.tgz

HTTP response freshness testing

Library home page: https://registry.npmjs.org/fresh/-/fresh-0.5.0.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/fresh/package.json

Dependency Hierarchy:

  • webpack-dev-server-2.7.1.tgz (Root Library)
    • express-4.15.4.tgz
      • fresh-0.5.0.tgz (Vulnerable Library)

Vulnerability Details

Fresh is a module used by the Express.js framework for HTTP response freshness testing. It is vulnerable to a regular expression denial of service when it is passed specially crafted input to parse. This causes the event loop to be blocked causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16119

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/526

Release Date: 2018-06-07

Fix Resolution: fresh - 0.5.2

CVE-2018-19360 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8



WS-2009-0001 (Low) detected in commons-codec-1.9.jar

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.9.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Library home page: http://commons.apache.org/proper/commons-codec/

Path to dependency file: /Argus/ArgusClient/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.9/commons-codec-1.9.jar

Dependency Hierarchy:

  • httpclient-4.5.3.jar (Root Library)
    • commons-codec-1.9.jar (Vulnerable Library)

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07: an additional review by the WhiteSource research team could not identify a clear security vulnerability.

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available



CVE-2017-3162 (High) detected in hadoop-hdfs-2.2.0.jar

CVE-2017-3162 - High Severity Vulnerability

Vulnerable Library - hadoop-hdfs-2.2.0.jar

Apache Hadoop HDFS

Path to dependency file: /Argus/ArgusCore/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.2.0/hadoop-hdfs-2.2.0.jar

Dependency Hierarchy:

  • phoenix-core-4.13.1-HBase-0.98.jar (Root Library)
    • hbase-server-0.98.23-hadoop2.jar
      • hadoop-hdfs-2.2.0.jar (Vulnerable Library)

Vulnerability Details

HDFS clients interact with a servlet on the DataNode to browse the HDFS namespace. The NameNode is provided as a query parameter that is not validated in Apache Hadoop before 2.7.0.

Publish Date: 2017-04-26

URL: CVE-2017-3162

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-3162

Release Date: 2017-04-26

Fix Resolution: 2.7.0



CVE-2014-0114 (High) detected in commons-beanutils-1.7.0.jar

CVE-2014-0114 - High Severity Vulnerability

Vulnerable Library - commons-beanutils-1.7.0.jar


Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar

Dependency Hierarchy:

  • hbase-client-1.4.2.jar (Root Library)
    • hadoop-common-2.7.4.jar
      • commons-configuration-1.6.jar
        • commons-digester-1.8.jar
          • commons-beanutils-1.7.0.jar (Vulnerable Library)

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201607-09

Release Date: 2016-07-20

Fix Resolution: All Commons BeanUtils users should upgrade to the latest version >= commons-beanutils-1.9.2



CVE-2018-1320 (High) detected in libthrift-0.9.0.jar

CVE-2018-1320 - High Severity Vulnerability

Vulnerable Library - libthrift-0.9.0.jar


Path to dependency file: /Argus/ArgusClient/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/thrift/libthrift/0.9.0/libthrift-0.9.0.jar

Dependency Hierarchy:

  • phoenix-core-4.13.1-HBase-0.98.jar (Root Library)
    • tephra-core-0.13.0-incubating.jar
      • libthrift-0.9.0.jar (Vulnerable Library)

Vulnerability Details

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Publish Date: 2019-01-07

URL: CVE-2018-1320

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320

Release Date: 2019-01-07

Fix Resolution: 0.12.0



CVE-2019-5427 (High) detected in c3p0-0.9.1.1.jar

CVE-2019-5427 - High Severity Vulnerability

Vulnerable Library - c3p0-0.9.1.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.

Library home page: http://c3p0.sourceforge.net

Path to dependency file: /Argus/ArgusClient/pom.xml

Path to vulnerable library: /root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar

Dependency Hierarchy:

  • quartz-2.2.2.jar (Root Library)
    • c3p0-0.9.1.1.jar (Vulnerable Library)

Vulnerability Details

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Publish Date: 2019-04-22

URL: CVE-2019-5427

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427

Release Date: 2019-04-22

Fix Resolution: c3p0-0.9.5.4



CVE-2018-14720 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14720 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution: 2.9.7



CVE-2018-1313 (Medium) detected in derby-10.12.1.1.jar

CVE-2018-1313 - Medium Severity Vulnerability

Vulnerable Library - derby-10.12.1.1.jar

Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.

Library home page: http://db.apache.org/derby/derby/

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/derby/derby/10.12.1.1/derby-10.12.1.1.jar,2/repository/org/apache/derby/derby/10.12.1.1/derby-10.12.1.1.jar

Dependency Hierarchy:

  • derby-10.12.1.1.jar (Vulnerable Library)

Vulnerability Details

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Publish Date: 2018-05-07

URL: CVE-2018-1313

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1313

Release Date: 2018-05-07

Fix Resolution: 10.14.2.0



CVE-2016-6796 (High) detected in jasper-compiler-5.5.23.jar

CVE-2016-6796 - High Severity Vulnerability

Vulnerable Library - jasper-compiler-5.5.23.jar

The Apache Software Foundation provides support for the Apache community of open-source software projects. The Apache projects are characterized by a collaborative, consensus based development process, an open and pragmatic software license, and a desire to create high quality software that leads the way in its field. We consider ourselves not simply a group of projects sharing a server, but rather a community of developers and users.

Library home page: http://tomcat.apache.org/jasper-compiler

Path to dependency file: /Argus/ArgusCore/pom.xml

Path to vulnerable library: /root/.m2/repository/tomcat/jasper-compiler/5.5.23/jasper-compiler-5.5.23.jar

Dependency Hierarchy:

  • phoenix-core-4.13.1-HBase-0.98.jar (Root Library)
    • hbase-server-0.98.23-hadoop2.jar
      • jasper-compiler-5.5.23.jar (Vulnerable Library)

Vulnerability Details

A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.

Publish Date: 2017-08-11

URL: CVE-2016-6796

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6796

Release Date: 2019-04-08

Fix Resolution: 6.0.47, 7.0.72, 8.0.37, 8.5.5, 9.0.0.M10



CVE-2018-11307 (Medium) detected in jackson-databind-2.9.5.jar

CVE-2018-11307 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

jackson-databind has a potential information exfiltration issue with default typing. Affected versions: 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6.

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2032

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6



CVE-2018-12022 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-12022 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6



WS-2018-0084 (High) detected in sshpk-1.13.1.tgz, sshpk-1.13.0.tgz

WS-2018-0084 - High Severity Vulnerability

Vulnerable Libraries - sshpk-1.13.1.tgz, sshpk-1.13.0.tgz

sshpk-1.13.1.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.1.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/bower/lib/node_modules/sshpk/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • http-signature-1.1.1.tgz
        • sshpk-1.13.1.tgz (Vulnerable Library)

sshpk-1.13.0.tgz

A library for finding and using SSH public keys

Library home page: https://registry.npmjs.org/sshpk/-/sshpk-1.13.0.tgz

Dependency Hierarchy:

  • babel-cli-6.26.0.tgz (Root Library)
    • chokidar-1.7.0.tgz
      • fsevents-1.1.2.tgz
        • node-pre-gyp-0.6.36.tgz
          • request-2.81.0.tgz
            • http-signature-1.1.1.tgz
              • sshpk-1.13.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of sshpk before 1.14.1 are vulnerable to regular expression denial of service when parsing crafted invalid public keys.

Publish Date: 2018-04-25

URL: WS-2018-0084

CVSS 2 Score Details (8.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/606

Release Date: 2018-01-27

Fix Resolution: 1.14.1

CVE-2012-5783 (Medium) detected in commons-httpclient-3.1.jar

CVE-2012-5783 - Medium Severity Vulnerability

Vulnerable Library - commons-httpclient-3.1.jar

The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.

Library home page: http://jakarta.apache.org/httpcomponents/httpclient-3.x/

Path to dependency file: /Argus/ArgusClient/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar

Dependency Hierarchy:

  • hbase-client-1.4.2.jar (Root Library)
    • hadoop-common-2.7.4.jar
      • commons-httpclient-3.1.jar (Vulnerable Library)

Vulnerability Details

Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2012-11-04

URL: CVE-2012-5783

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://xforce.iss.net/xforce/xfdb/79984

Release Date: 2017-12-31

Fix Resolution: Apply the appropriate patch for your system. See References.



CVE-2018-3721 (Medium) detected in multiple libraries

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-0.9.2.tgz, lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.4.tgz

lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt-legacy-log-utils/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-replace-0.8.0.tgz (Root Library)
    • applause-0.3.4.tgz
      • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/jscodeshift/node_modules/babel-core/node_modules/lodash/package.json

Dependency Hierarchy:

  • jscodeshift-0.3.32.tgz (Root Library)
    • babel-core-5.8.38.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3721

Release Date: 2018-06-07

Fix Resolution: 4.17.5

CVE-2017-16138 (High) detected in mime-1.3.4.tgz, mime-1.3.6.tgz

CVE-2017-16138 - High Severity Vulnerability

Vulnerable Libraries - mime-1.3.4.tgz, mime-1.3.6.tgz

mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/mime/package.json

Dependency Hierarchy:

  • webpack-dev-server-2.7.1.tgz (Root Library)
    • webpack-dev-middleware-1.12.0.tgz
      • mime-1.3.4.tgz (Vulnerable Library)

mime-1.3.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/url-loader/node_modules/mime/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • mime-1.3.6.tgz (Vulnerable Library)

Vulnerability Details

The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.

Publish Date: 2018-06-07

URL: CVE-2017-16138

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138

Release Date: 2018-06-07

Fix Resolution: 1.4.1,2.0.3

CVE-2018-14718 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7



CVE-2019-12086 (High) detected in jackson-databind-2.9.5.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9


CVE-2017-16099 (High) detected in no-case-2.3.1.tgz

CVE-2017-16099 - High Severity Vulnerability

Vulnerable Library - no-case-2.3.1.tgz

Remove case from a string

Library home page: https://registry.npmjs.org/no-case/-/no-case-2.3.1.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/no-case/package.json

Dependency Hierarchy:

  • html-loader-0.5.1.tgz (Root Library)
    • html-minifier-3.5.3.tgz
      • camel-case-3.0.0.tgz
        • no-case-2.3.1.tgz (Vulnerable Library)

Vulnerability Details

The no-case module is vulnerable to regular expression denial of service. When malicious untrusted user input is passed into no-case it can block the event loop causing a denial of service condition.

Publish Date: 2018-06-07

URL: CVE-2017-16099

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/529/versions

Release Date: 2018-06-07

Fix Resolution: 2.3.2

WS-2019-0017 (Medium) detected in clean-css-4.1.7.tgz

WS-2019-0017 - Medium Severity Vulnerability

Vulnerable Library - clean-css-4.1.7.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-4.1.7.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/clean-css/package.json

Dependency Hierarchy:

  • html-loader-0.5.1.tgz (Root Library)
    • html-minifier-3.5.3.tgz
      • clean-css-4.1.7.tgz (Vulnerable Library)

Vulnerability Details

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/785

Release Date: 2019-02-21

Fix Resolution: v4.1.11

CVE-2017-16028 (Medium) detected in randomatic-1.1.7.tgz

CVE-2017-16028 - Medium Severity Vulnerability

Vulnerable Library - randomatic-1.1.7.tgz

Generate randomized strings of a specified length, fast. Only the length is necessary, but you can optionally generate patterns using any combination of numeric, alpha-numeric, alphabetical, special or custom characters.

Library home page: https://registry.npmjs.org/randomatic/-/randomatic-1.1.7.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/randomatic/package.json

Dependency Hierarchy:

  • jscodeshift-0.3.32.tgz (Root Library)
    • micromatch-2.3.11.tgz
      • braces-1.8.5.tgz
        • expand-range-1.8.2.tgz
          • fill-range-2.2.3.tgz
            • randomatic-1.1.7.tgz (Vulnerable Library)

Vulnerability Details

react-native-meteor-oauth is a library for Oauth2 login to a Meteor server in React Native. The oauth Random Token is generated using a non-cryptographically strong RNG (Math.random()).

Publish Date: 2018-06-04

URL: CVE-2017-16028

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/157/versions

Release Date: 2018-06-04

Fix Resolution: 3.0.0

WS-2017-0330 (Medium) detected in mime-1.3.4.tgz, mime-1.3.6.tgz

WS-2017-0330 - Medium Severity Vulnerability

Vulnerable Libraries - mime-1.3.4.tgz, mime-1.3.6.tgz

mime-1.3.4.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.4.tgz

Path to dependency file: /Argus/ArgusWeb/package.json

Path to vulnerable library: /tmp/git/Argus/ArgusWeb/node_modules/mime/package.json

Dependency Hierarchy:

  • webpack-dev-server-2.7.1.tgz (Root Library)
    • webpack-dev-middleware-1.12.0.tgz
      • mime-1.3.4.tgz (Vulnerable Library)

mime-1.3.6.tgz

A comprehensive library for mime-type mapping

Library home page: https://registry.npmjs.org/mime/-/mime-1.3.6.tgz

Path to dependency file: /Argus/ArgusWeb/package.json

Path to vulnerable library: /tmp/git/Argus/ArgusWeb/node_modules/url-loader/node_modules/mime/package.json

Dependency Hierarchy:

  • url-loader-0.5.9.tgz (Root Library)
    • mime-1.3.6.tgz (Vulnerable Library)

Vulnerability Details

Affected versions of mime (1.0.0 through 1.4.0 and 2.0.0 through 2.0.2) are vulnerable to regular expression denial of service.

Publish Date: 2017-09-27

URL: WS-2017-0330

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: broofa/mime@1df903f

Release Date: 2019-04-03

Fix Resolution: 1.4.1,2.0.3


CVE-2018-3750 (High) detected in deep-extend-0.4.2.tgz

CVE-2018-3750 - High Severity Vulnerability

Vulnerable Library - deep-extend-0.4.2.tgz

Recursive object extending

Library home page: https://registry.npmjs.org/deep-extend/-/deep-extend-0.4.2.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/app/node_modules/deep-extend/package.json

Dependency Hierarchy:

  • selectize-0.12.4.tgz (Root Library)
    • sifter-0.5.2.tgz
      • microtime-2.1.6.tgz
        • prebuild-install-2.2.1.tgz
          • rc-1.2.1.tgz
            • deep-extend-0.4.2.tgz (Vulnerable Library)

Vulnerability Details

The utilities function in all versions <= 0.5.0 of the deep-extend node module can be tricked into modifying the prototype of Object when the attacker can control part of the structure passed to this function. This can let an attacker add or modify existing properties that will exist on all objects.

Publish Date: 2018-07-03

URL: CVE-2018-3750

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3750

Release Date: 2019-01-24

Fix Resolution: 0.5.1

CVE-2018-3728 (High) detected in hoek-2.16.3.tgz

CVE-2018-3728 - High Severity Vulnerability

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/bower/lib/node_modules/boom/node_modules/hoek/package.json

Dependency Hierarchy:

  • less-2.7.2.tgz (Root Library)
    • request-2.81.0.tgz
      • hawk-3.1.3.tgz
        • hoek-2.16.3.tgz (Vulnerable Library)

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3728

Release Date: 2018-03-30

Fix Resolution: 4.2.1,5.0.3

CVE-2018-14719 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-14719 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14719

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719

Release Date: 2019-01-02

Fix Resolution: 2.9.7


CVE-2018-12023 (High) detected in jackson-databind-2.9.5.jar

CVE-2018-12023 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.5.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /Argus/ArgusWebServices/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.5/jackson-databind-2.9.5.jar

Dependency Hierarchy:

  • jersey-media-json-jackson-2.26.jar (Root Library)
    • jackson-databind-2.9.5.jar (Vulnerable Library)

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6


CVE-2018-3774 (High) detected in url-parse-1.0.5.tgz, url-parse-1.1.9.tgz

CVE-2018-3774 - High Severity Vulnerability

Vulnerable Libraries - url-parse-1.0.5.tgz, url-parse-1.1.9.tgz

url-parse-1.0.5.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.0.5.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/original/node_modules/url-parse/package.json

Dependency Hierarchy:

  • webpack-dev-server-2.7.1.tgz (Root Library)
    • sockjs-client-1.1.4.tgz
      • eventsource-0.1.6.tgz
        • original-1.0.0.tgz
          • url-parse-1.0.5.tgz (Vulnerable Library)

url-parse-1.1.9.tgz

Small footprint URL parser that works seamlessly across Node.js and browser environments

Library home page: https://registry.npmjs.org/url-parse/-/url-parse-1.1.9.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/url-parse/package.json

Dependency Hierarchy:

  • webpack-dev-server-2.7.1.tgz (Root Library)
    • sockjs-client-1.1.4.tgz
      • url-parse-1.1.9.tgz (Vulnerable Library)

Vulnerability Details

Incorrect parsing in url-parse <1.4.3 returns wrong hostname which leads to multiple vulnerabilities such as SSRF, Open Redirect, Bypass Authentication Protocol.

Publish Date: 2018-08-12

URL: CVE-2018-3774

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3774

Release Date: 2018-08-12

Fix Resolution: 1.4.3

CVE-2018-16487 (Medium) detected in multiple libraries

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-0.9.2.tgz, lodash-2.4.2.tgz, lodash-3.10.1.tgz, lodash-4.17.4.tgz

lodash-0.9.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-0.9.2.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt-legacy-util/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • lodash-0.9.2.tgz (Vulnerable Library)

lodash-2.4.2.tgz

A utility library delivering consistency, customization, performance, & extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-2.4.2.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt-legacy-log-utils/node_modules/lodash/package.json

Dependency Hierarchy:

  • grunt-replace-0.8.0.tgz (Root Library)
    • applause-0.3.4.tgz
      • lodash-2.4.2.tgz (Vulnerable Library)

lodash-3.10.1.tgz

The modern build of lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-3.10.1.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/jscodeshift/node_modules/babel-core/node_modules/lodash/package.json

Dependency Hierarchy:

  • jscodeshift-0.3.32.tgz (Root Library)
    • babel-core-5.8.38.tgz
      • lodash-3.10.1.tgz (Vulnerable Library)

lodash-4.17.4.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.4.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/lodash/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • lodash-4.17.4.tgz (Vulnerable Library)

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2018-16487

Release Date: 2019-02-01

Fix Resolution: 4.17.11

WS-2019-0032 (Medium) detected in multiple libraries

WS-2019-0032 - Medium Severity Vulnerability

Vulnerable Libraries - js-yaml-3.9.1.tgz, js-yaml-2.0.5.tgz, js-yaml-3.7.0.tgz

js-yaml-3.9.1.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.9.1.tgz

Path to dependency file: Argus/ArgusWeb/app/package.json

Path to vulnerable library: Argus/ArgusWeb/app/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • eslint-3.19.0.tgz (Root Library)
    • js-yaml-3.9.1.tgz (Vulnerable Library)

js-yaml-2.0.5.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-2.0.5.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • js-yaml-2.0.5.tgz (Vulnerable Library)

js-yaml-3.7.0.tgz

YAML 1.2 parser and serializer

Library home page: https://registry.npmjs.org/js-yaml/-/js-yaml-3.7.0.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/js-yaml/package.json

Dependency Hierarchy:

  • grunt-replace-0.8.0.tgz (Root Library)
    • applause-0.3.4.tgz
      • js-yaml-3.7.0.tgz (Vulnerable Library)

Vulnerability Details

Versions of js-yaml prior to 3.13.0 are vulnerable to Denial of Service. By parsing a carefully-crafted YAML file, the node process stalls and may exhaust system resources, leading to a Denial of Service.

Publish Date: 2019-03-20

URL: WS-2019-0032

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/788/versions

Release Date: 2019-03-20

Fix Resolution: js-yaml - 3.13.0

CVE-2018-10237 (Medium) detected in guava-23.0.jar

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-23.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: Argus/ArgusCore/pom.xml

Path to vulnerable library: 20200424201148/downloadResource_37d9ef67-35d3-469d-8bb1-8658535649d9/20200424204509/guava-23.0.jar

Dependency Hierarchy:

  • guava-23.0.jar (Vulnerable Library)

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1-jre, 24.1.1-android


CVE-2016-10540 (High) detected in multiple libraries

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.3.0.tgz, minimatch-2.0.10.tgz, minimatch-0.2.14.tgz

minimatch-0.3.0.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/findup-sync/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • findup-sync-0.1.3.tgz
      • glob-3.2.11.tgz
        • minimatch-0.3.0.tgz (Vulnerable Library)

minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/bower/lib/node_modules/glob/node_modules/minimatch/package.json

Dependency Hierarchy:

  • jscodeshift-0.3.32.tgz (Root Library)
    • babel-core-5.8.38.tgz
      • minimatch-2.0.10.tgz (Vulnerable Library)

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: Argus/ArgusWeb/package.json

Path to vulnerable library: Argus/ArgusWeb/node_modules/grunt/node_modules/minimatch/package.json

Dependency Hierarchy:

  • grunt-0.4.5.tgz (Root Library)
    • minimatch-0.2.14.tgz (Vulnerable Library)

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-05-31

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nodesecurity.io/advisories/118

Release Date: 2016-06-20

Fix Resolution: Update to version 3.0.2 or later.

CVE-2017-3161 (Medium) detected in hadoop-hdfs-2.2.0.jar

CVE-2017-3161 - Medium Severity Vulnerability

Vulnerable Library - hadoop-hdfs-2.2.0.jar

Apache Hadoop HDFS

Path to dependency file: /Argus/ArgusCore/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/hadoop/hadoop-hdfs/2.2.0/hadoop-hdfs-2.2.0.jar

Dependency Hierarchy:

  • phoenix-core-4.13.1-HBase-0.98.jar (Root Library)
    • hbase-server-0.98.23-hadoop2.jar
      • hadoop-hdfs-2.2.0.jar (Vulnerable Library)

Vulnerability Details

The HDFS web UI in Apache Hadoop before 2.7.0 is vulnerable to a cross-site scripting (XSS) attack through an unescaped query parameter.

Publish Date: 2017-04-26

URL: CVE-2017-3161

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-3161

Release Date: 2017-04-26

Fix Resolution: 2.7.0

