mohib-hub / jwala
This project forked from cerner/jwala
A web application that provides management for a group of Tomcat servers
License: Apache License 2.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.min.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.min.js
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/commons-codec-1.9.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-web-3.2.6.RELEASE.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Publish Date: 2016-07-12
URL: CVE-2015-3192
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192
Release Date: 2016-07-12
Fix Resolution: org.springframework:spring-web:3.2.14.RELEASE,4.1.7.RELEASE,org.springframework:spring-oxm:3.2.14.RELEASE,4.1.7.RELEASE
⛑️ Automatic Remediation is available for this issue
Spring Web MVC
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-webmvc-3.2.6.RELEASE.jar
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-web-3.2.6.RELEASE.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.
Publish Date: 2017-05-25
URL: CVE-2015-5211
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5211
Release Date: 2017-05-25
Fix Resolution: org.springframework:spring-web:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE,org.springframework:spring-webmvc:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE,org.springframework:spring-websocket:4.2.2.RELEASE,4.1.8.RELEASE,3.2.15.RELEASE
Apache CXF Runtime HTTP Transport
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/cxf-rt-transports-http-3.0.0-milestone2.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.
Publish Date: 2018-07-02
URL: CVE-2018-8039
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8039
Release Date: 2018-07-02
Fix Resolution: 3.2.5,3.1.16
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
Publish Date: 2020-11-16
URL: CVE-2020-26217
Type: Upgrade version
Origin: GHSA-mw36-7c6c-q4q2
Release Date: 2020-11-16
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.14
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21344
Type: Upgrade version
Origin: GHSA-59jw-jqf4-3wq3
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream is a Java library to serialize objects to XML and back again. XStream before version 1.4.15 is vulnerable to Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary known files on the host, as long as the executing process has sufficient rights, only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist when running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected. Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
Publish Date: 2020-12-16
URL: CVE-2020-26259
Type: Upgrade version
Origin: GHSA-jfvx-7wrx-43fh
Release Date: 2020-12-16
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-web-3.2.6.RELEASE.jar
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Publish Date: 2020-09-19
URL: CVE-2020-5421
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2020-5421
Release Date: 2020-07-21
Fix Resolution: org.springframework:spring-web:5.2.9,org.springframework:spring-web:5.1.18,org.springframework:spring-web:5.0.19,org.springframework:spring-web:4.3.29
⛑️ Automatic Remediation is available for this issue
Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xmlsec-2.0.0-rc1.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Apache Santuario XML Security for Java 2.0.x before 2.0.3 allows remote attackers to bypass the streaming XML signature protection mechanism via a crafted XML document.
Publish Date: 2015-01-21
URL: CVE-2014-8152
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-8152
Release Date: 2015-01-21
Fix Resolution: 2.0.3
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.
Publish Date: 2017-04-29
URL: CVE-2017-7957
Type: Upgrade version
Origin: http://x-stream.github.io/CVE-2017-7957.html
Release Date: 2017-04-29
Fix Resolution: 1.4.10
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21350
Type: Upgrade version
Origin: GHSA-43gc-mjxg-gvrq
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system, depending on CPU type or parallel execution of such a payload, resulting in a denial of service only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21341
Type: Upgrade version
Origin: GHSA-2p3x-qw9c-25hh
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.
Publish Date: 2016-05-17
URL: CVE-2016-3674
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674
Release Date: 2016-05-17
Fix Resolution: 1.4.9
⛑️ Automatic Remediation is available for this issue
Apache CXF Runtime HTTP Transport
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/cxf-rt-transports-http-3.0.0-milestone2.jar
By default, Apache CXF creates a /services page containing a listing of the available endpoint names and addresses. This webpage is vulnerable to a reflected Cross-Site Scripting (XSS) attack via the styleSheetPath, which allows a malicious actor to inject JavaScript into the web page. This vulnerability affects all versions of Apache CXF prior to 3.4.1 and 3.3.8. Please note that this is a separate issue to CVE-2019-17573.
Publish Date: 2020-11-12
URL: CVE-2020-13954
Type: Upgrade version
Release Date: 2020-11-12
Fix Resolution: org.apache.cxf:cxf-rt-transports-http:3.3.8, org.apache.cxf:cxf-rt-transports-http:3.4.1
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any supported format, e.g. JSON.
Publish Date: 2019-05-15
URL: CVE-2013-7285
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285
Release Date: 2019-05-15
Fix Resolution: 1.4.7,1.4.11
⛑️ Automatic Remediation is available for this issue
Spring Web MVC
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-webmvc-3.2.6.RELEASE.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Directory traversal vulnerability in Pivotal Spring Framework 3.0.4 through 3.2.x before 3.2.12, 4.0.x before 4.0.8, and 4.1.x before 4.1.2 allows remote attackers to read arbitrary files via unspecified vectors, related to static resource handling.
Publish Date: 2014-11-20
URL: CVE-2014-3625
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3625
Release Date: 2014-11-20
Fix Resolution: 3.2.12,4.0.8,4.1.2
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.js
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/resources/js/jquery/jquery-1.11.0.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/index.jsp,jwala/jwala-webapp/src/test/webapp/../../main/webapp/resources/ext/js/jquery/jquery-1.12.4.min.js
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
Apache Log4j 1.2
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/log4j-1.2.17.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17571
Release Date: 2019-12-20
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Request Forgery vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user who followed the recommendation to set up XStream's Security Framework with a whitelist is affected. Anyone relying on XStream's default blacklist can immediately switch to a whitelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream's default blacklist can use a workaround described in more detail in the referenced advisories.
Publish Date: 2020-12-16
URL: CVE-2020-26258
Type: Upgrade version
Origin: GHSA-4cch-wxpw-8p28
Release Date: 2020-12-16
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15
⛑️ Automatic Remediation is available for this issue
Apache WSS4J parent pom
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/wss4j-ws-security-dom-2.0.0-rc1.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Apache WSS4J before 1.6.17 and 2.x before 2.0.2 allows remote attackers to bypass the requireSignedEncryptedDataElements configuration via vectors related to "wrapping attacks."
Publish Date: 2015-02-12
URL: CVE-2015-0227
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-0227
Release Date: 2015-02-12
Fix Resolution: 1.6.17,2.0.2
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-web-3.2.6.RELEASE.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Publish Date: 2014-04-17
URL: CVE-2014-0054
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0054
Release Date: 2014-04-17
Fix Resolution: org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.js
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/resources/js/jquery/jquery-1.11.0.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/index.jsp,jwala/jwala-webapp/src/test/webapp/../../main/webapp/resources/ext/js/jquery/jquery-1.12.4.min.js
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (e.g. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Apache CXF Runtime HTTP Transport
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/cxf-rt-transports-http-3.0.0-milestone2.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If unexpected matrix parameters have been injected into the request URL, these matrix parameters will find their way back to the client in the services list page, which represents an XSS risk to the client.
Publish Date: 2017-08-10
URL: CVE-2016-6812
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-6812
Release Date: 2017-08-10
Fix Resolution: 3.0.12,3.1.9
⛑️ Automatic Remediation is available for this issue
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/jackson-mapper-asl-1.4.2.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Type: Upgrade version
Origin: https://access.redhat.com/errata/RHSA-2019:2938
Release Date: 2019-10-01
Fix Resolution: JBoss Enterprise Application Platform - 7.2.4;com.fasterxml.jackson.core:jackson-databind:2.9.9
Spring Core
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-core-3.2.6.RELEASE.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-03-16
URL: CVE-2018-1199
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1199
Release Date: 2018-03-16
Fix Resolution: org.springframework.security:spring-security-web:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework.security:spring-security-config:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework:spring-core:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,4.3.14.RELEASE
⛑️ Automatic Remediation is available for this issue
Apache CXF Runtime WS Security
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/cxf-rt-ws-security-3.0.0-milestone2.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Apache CXF's STSClient before 3.1.11 and 3.0.13 uses a flawed way of caching tokens that are associated with delegation tokens, which means that an attacker could craft a token which would return an identifier corresponding to a cached token for another user.
Publish Date: 2017-04-18
URL: CVE-2017-5656
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5656
Release Date: 2017-04-18
Fix Resolution: 3.1.11
⛑️ Automatic Remediation is available for this issue
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.min.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.min.js
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-01-09
Fix Resolution: 3.4.0
Apache WSS4J parent pom
Library home page: http://ws.apache.org/wss4j/
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/wss4j-ws-security-stax-2.0.0-rc1.jar
Apache WSS4J parent pom
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/wss4j-ws-security-dom-2.0.0-rc1.jar
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Apache WSS4J before 1.6.17 and 2.x before 2.0.2, as used in Apache CXF 2.7.x before 2.7.13 and 3.0.x before 3.0.2, when using TransportBinding, does not properly enforce the SAML SubjectConfirmation method security semantics, which allows remote attackers to conduct spoofing attacks via unspecified vectors.
Publish Date: 2014-10-30
URL: CVE-2014-3623
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3623
Release Date: 2014-10-30
Fix Resolution: org.apache.wss4j:wss4j-ws-security-stax:2.0.3,org.apache.wss4j:wss4j-ws-security-dom:2.0.3,org.apache.ws.security:wss4j:2.0.3
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21347
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qpfq-ph7r-qv6f
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
Java library which enables encryption in java apps with minimum effort.
Library home page: http://www.jasypt.org
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/jasypt-1.9.0.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
jasypt before 1.9.2 allows a timing attack against the password hash comparison.
Publish Date: 2017-05-21
URL: CVE-2014-9970
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9970
Release Date: 2017-05-21
Fix Resolution: 1.9.2
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.js
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/resources/js/jquery/jquery-1.11.0.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/index.jsp,jwala/jwala-webapp/src/test/webapp/../../main/webapp/resources/ext/js/jquery/jquery-1.12.4.min.js
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Dependency Hierarchy:
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in the deletion of a file on the local host. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21343
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-74cv-f58x-f9wf
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
Apache Log4j 1.2
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/log4j-1.2.17.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/LOG4J2-2819
Release Date: 2020-04-27
Fix Resolution: org.apache.logging.log4j:log4j-core:2.13.2
⛑️ Automatic Remediation is available for this issue
Spring Web MVC
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-webmvc-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
Publish Date: 2018-04-06
URL: CVE-2018-1271
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271
Release Date: 2018-04-06
Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Dependency Hierarchy:
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21351
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hrcp-8f3q-4w2c
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
Spring Web MVC
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-webmvc-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Both Spring Security 3.2.x, 4.0.x, 4.1.0 and the Spring Framework 3.2.x, 4.0.x, 4.1.x, 4.2.x rely on URL pattern mappings for authorization and for mapping requests to controllers respectively. Differences in the strictness of the pattern matching mechanisms, for example with regard to space trimming in path segments, can cause Spring Security to treat as unprotected certain paths that are in fact mapped to Spring MVC controllers that should be protected. The problem is compounded by the fact that the Spring Framework provides richer pattern matching features, and by the fact that pattern matching in both Spring Security and the Spring Framework can easily be customized, creating additional differences.
Publish Date: 2017-05-25
URL: CVE-2016-5007
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2016-5007
Release Date: 2017-05-25
Fix Resolution: org.springframework:spring-webmvc:4.3.0.RELEASE,org.springframework.security:spring-security-web:4.1.1.RELEASE,org.springframework.security:spring-security-config:4.1.1.RELEASE
⛑️ Automatic Remediation is available for this issue
Spring Web MVC
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-webmvc-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
An issue was discovered in Pivotal Spring Framework before 3.2.18, 4.2.x before 4.2.9, and 4.3.x before 4.3.5. Paths provided to the ResourceServlet were not properly sanitized and as a result exposed to directory traversal attacks.
Publish Date: 2016-12-29
URL: CVE-2016-9878
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-9878
Release Date: 2016-12-29
Fix Resolution: 3.2.18,4.2.9,4.3.5
⛑️ Automatic Remediation is available for this issue
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.min.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Dependency Hierarchy:
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream therefore creates new instances based on this type information. An attacker can manipulate the processed input stream and replace or inject objects that result in a server-side request forgery. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21342
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hvv8-336g-rx3m
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Dependency Hierarchy:
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21349
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f6hm-88x3-mfjv
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-web-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Publish Date: 2017-05-25
URL: CVE-2014-0225
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225
Release Date: 2017-05-25
Fix Resolution: org.springframework:spring-web:4.0.5.RELEASE,3.2.9.RELEASE,org.springframework:spring-oxm:4.0.5.RELEASE,3.2.9.RELEASE
⛑️ Automatic Remediation is available for this issue
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.min.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.min.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
Spring Core
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-core-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
Publish Date: 2015-02-19
URL: CVE-2014-3578
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578
Release Date: 2015-02-19
Fix Resolution: 3.2.9,4.0.5
⛑️ Automatic Remediation is available for this issue
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/js/bootstrap.min.js,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.js
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/resources/js/jquery/jquery-1.11.0.js
Dependency Hierarchy:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp
Path to vulnerable library: jwala/jwala-integration-test/src/test/resources/postman/hello-world/index.jsp,jwala/jwala-integration-test/src/test/resources/jwala-ui-integ-test-support-files/resources/hello-world/index.jsp,jwala/jwala-webapp/src/test/webapp/../../main/webapp/resources/ext/js/jquery/jquery-1.12.4.min.js
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Spring Web
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-web-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1272
Release Date: 2018-04-06
Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE
XStream is a serialization library from Java objects to XML and back.
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/xstream-1.4.7.jar
Dependency Hierarchy:
XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.
Publish Date: 2021-03-23
URL: CVE-2021-21348
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-56p8-3fh9-4cvq
Release Date: 2021-03-23
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16
⛑️ Automatic Remediation is available for this issue
Spring Web MVC
Library home page: https://github.com/SpringSource/spring-framework
Path to vulnerable library: jwala/jwala-services/src/test/resources/get-resource-mime-type-test-files/war/WEB-INF/lib/spring-webmvc-3.2.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: d8fb926264467022c2579c0b8ae59ef0b5ca5b87
Cross-site scripting (XSS) vulnerability in web/servlet/tags/form/FormTag.java in Spring MVC in Spring Framework 3.0.0 before 3.2.8 and 4.0.0 before 4.0.2 allows remote attackers to inject arbitrary web script or HTML via the requested URI in a default action.
Publish Date: 2014-03-20
URL: CVE-2014-1904
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-1904
Release Date: 2014-03-20
Fix Resolution: 3.2.8,4.0.2
⛑️ Automatic Remediation is available for this issue