safat / conductor
This project forked from netflix/conductor
Conductor is a microservices orchestration engine - https://netflix.github.io/conductor/
License: Apache License 2.0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es6-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.32.Final/8f32bd79c5a16f014a4372ed979dc62b39ede33a/netty-codec-4.1.32.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /grpc/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.27.Final/d2653d78ebaa650064768fb26b10051f5c8efb2c/netty-codec-4.1.27.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.13.Final/370eeb6e9d92495a2a3be096ab6102755af76730/netty-codec-4.1.13.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /redis-lock/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.41.Final/d2dceabcd4097d068a318e24542897d455b0729b/netty-codec-4.1.41.Final.jar
Dependency Hierarchy:
Found in base branch: master
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Publish Date: 2020-04-07
URL: CVE-2020-11612
Base Score Metrics:
Type: Upgrade version
Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html
Release Date: 2020-04-07
Fix Resolution (io.netty:netty-codec): 4.1.46.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.8.0
Fix Resolution (io.netty:netty-codec): 4.1.46.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.8.0
Step up your Open Source Security Game with Mend here
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.22.v20191022/f30b9b2cd6f63b073b63c2ac5e7e7f17b63b0908/jetty-server-9.4.22.v20191022.jar,/canner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.22.v20191022/f30b9b2cd6f63b073b63c2ac5e7e7f17b63b0908/jetty-server-9.4.22.v20191022.jar
Dependency Hierarchy:
Found in base branch: master
In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.
Publish Date: 2019-11-25
URL: CVE-2019-17632
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17632
Release Date: 2019-11-25
Fix Resolution: 9.4.24.v20191120
Tiny ms conversion utility
Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz
Dependency Hierarchy:
Found in base branch: master
Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2017-04-12
URL: WS-2017-0247
Type: Upgrade version
Origin: vercel/ms#89
Release Date: 2017-04-12
Fix Resolution: 2.1.1
small debugging utility
Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz
Dependency Hierarchy:
Found in base branch: master
The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the %o formatter. It takes around 50k characters to block for 2 seconds, making this a low severity issue.
Publish Date: 2018-06-07
URL: CVE-2017-16137
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137
Release Date: 2018-06-07
Fix Resolution (debug): 2.6.9
Direct dependency fix Resolution (mocha): 4.0.0
Access deep properties using a path
Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz
Dependency Hierarchy:
Found in base branch: master
A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.
Publish Date: 2020-10-19
URL: CVE-2020-15256
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cwx2-736x-mf6w
Release Date: 2020-10-19
Fix Resolution (object-path): 0.11.5
Direct dependency fix Resolution (browser-sync): 2.26.9
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar
Dependency Hierarchy:
Found in base branch: master
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, setting the java.io.tmpdir system property to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: 4.13.1
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Found in base branch: master
When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.
Publish Date: 2020-05-20
URL: CVE-2020-9484
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484
Release Date: 2020-05-20
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.104,8.5.55,9.0.35,10.0.0-M5,org.apache.tomcat:tomcat-catalina:7.0.104,8.5.55,9.0.35,10.0.0-M5
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar
Dependency Hierarchy:
Found in base branch: master
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Publish Date: 2016-07-19
URL: CVE-2016-5388
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388
Release Date: 2016-07-19
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.72
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.5
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /server/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar
Dependency Hierarchy:
Found in base branch: master
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-04
URL: CVE-2016-1000342
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342
Release Date: 2018-06-04
Fix Resolution: 1.56
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar
Dependency Hierarchy:
Found in base branch: master
The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.
Publish Date: 2016-02-25
URL: CVE-2016-0763
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763
Release Date: 2016-02-25
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.68
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.32
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz
Dependency Hierarchy:
Lightweight JavaScript-based user-agent string parser
Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz
Dependency Hierarchy:
Found in base branch: master
The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.
Publish Date: 2020-09-16
URL: CVE-2020-7733
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-09-16
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (browser-sync): 2.26.9
Fix Resolution (ua-parser-js): 0.7.22
Direct dependency fix Resolution (fbjs): 0.8.0
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /server/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar
Dependency Hierarchy:
Found in base branch: master
In the Bouncy Castle JCE Provider version 1.55 and earlier, the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-jasper-8.0.23.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-jasper-7.0.62.jar
Dependency Hierarchy:
Found in base branch: master
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
Publish Date: 2017-08-10
URL: CVE-2016-5018
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018
Release Date: 2016-10-27
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-jasper): 8.0.37
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat8): 2.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-jasper): 7.0.72
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0
[mirror] Go text processing support
Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip
Dependency Hierarchy:
Found in base branch: master
The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.
Publish Date: 2020-06-17
URL: CVE-2020-14040
Base Score Metrics:
Type: Upgrade version
Origin: https://osv.dev/vulnerability/GO-2020-0015
Release Date: 2020-06-17
Fix Resolution: v0.3.3
Apache Log4j 1.2
Path to dependency file: /zookeeper-lock/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.16/7999a63bfccbc7c247a9aea10d83d4272bd492c6/log4j-1.2.16.jar
Dependency Hierarchy:
The Apache Log4j Implementation
Library home page: https://logging.apache.org/log4j/2.x/
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.9.1/c041978c686866ee8534f538c6220238db3bb6be/log4j-core-2.9.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.9.1/c041978c686866ee8534f538c6220238db3bb6be/log4j-core-2.9.1.jar
Dependency Hierarchy:
Apache Log4j 1.2
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/canner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar
Dependency Hierarchy:
Found in base branch: master
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: 2.12.2
Thrift is a software framework for scalable cross-language services development.
Library home page: http://thrift.apache.org
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.thrift/libthrift/0.9.2/9b067e2e2c5291e9f0d8b3561b1654286e6d81ee/libthrift-0.9.2.jar
Dependency Hierarchy:
Found in base branch: master
In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.
Publish Date: 2019-10-29
URL: CVE-2019-0205
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205
Release Date: 2019-10-29
Fix Resolution: org.apache.thrift:libthrift:0.13.0
Apache Ant
Library home page: http://ant.apache.org/
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar
Dependency Hierarchy:
Found in base branch: master
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
Publish Date: 2012-06-29
URL: CVE-2012-2098
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
Release Date: 2012-06-29
Fix Resolution: org.apache.ant
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Dependency Hierarchy:
Found in base branch: master
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (browser-sync): 2.26.14-y.1
A javascript text diff implementation.
Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz
Dependency Hierarchy:
Found in base branch: master
A vulnerability was found in diff before v3.5.0; the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.
Publish Date: 2018-03-05
URL: WS-2018-0590
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-03-05
Fix Resolution (diff): 3.5.0
Direct dependency fix Resolution (mocha): 5.0.3
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar
Dependency Hierarchy:
Found in base branch: master
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Publish Date: 2017-08-10
URL: CVE-2016-0762
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-10-27
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.72
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.37
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.2/95400a7922ce75383866eb72f6ef4a7897923945/jackson-mapper-asl-1.9.2.jar
Dependency Hierarchy:
Found in base branch: master
A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.
Publish Date: 2019-11-18
URL: CVE-2019-10172
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172
Release Date: 2019-11-18
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /server/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar
Dependency Hierarchy:
Found in base branch: master
The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie-Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Publish Date: 2015-11-09
URL: CVE-2015-7940
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940
Release Date: 2015-11-09
Fix Resolution: org.bouncycastle:bcprov-ext-jdk15on:1.51,org.bouncycastle:bcprov-jdk14:1.51,org.bouncycastle:bcprov-jdk15on:1.51
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar
Dependency Hierarchy:
Found in base branch: master
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.
Publish Date: 2018-09-19
URL: CVE-2018-3823
Base Score Metrics:
Type: Upgrade version
Origin: https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422
Release Date: 2018-09-19
Fix Resolution: 5.6.9
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.thoughtworks.xstream/xstream/1.4.10/dfecae23647abc9d9fd0416629a4213a3882b101/xstream-1.4.10.jar
Dependency Hierarchy:
Found in base branch: master
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON (regression of CVE-2013-7285).
Publish Date: 2019-07-23
URL: CVE-2019-10173
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10173
Release Date: 2019-07-23
Fix Resolution: 1.4.11
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Found in base branch: master
When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.
Publish Date: 2017-09-19
URL: CVE-2017-12616
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616
Release Date: 2017-09-19
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.81,org.apache.tomcat:tomcat-catalina:7.0.81
XStream is a serialization library from Java objects to XML and back.
Library home page: http://x-stream.github.io
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.thoughtworks.xstream/xstream/1.4.10/dfecae23647abc9d9fd0416629a4213a3882b101/xstream-1.4.10.jar
Dependency Hierarchy:
Found in base branch: master
XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.
Publish Date: 2020-11-16
URL: CVE-2020-26217
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-mw36-7c6c-q4q2
Release Date: 2020-11-16
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.14
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /server/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar
Dependency Hierarchy:
Found in base branch: master
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154027/tomcat-embed-websocket-8.0.23.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-websocket-7.0.62.jar
Dependency Hierarchy:
Found in base branch: master
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
Publish Date: 2018-08-01
URL: CVE-2018-8034
Base Score Metrics:
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034
Release Date: 2018-07-22
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-websocket:9.0.10,8.5.32,8.0.53,7.0.90,org.apache.tomcat:tomcat-catalina:9.0.10,8.5.32,8.0.53,7.0.90
a JSON logging library for node.js services
Library home page: https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz
Dependency Hierarchy:
Found in base branch: master
A Remote Command Execution (RCE) vulnerability was found in bunyan before 1.8.13 and 2.x before 2.0.3. The issue occurs because a user input is formatted inside a command that will be executed without any check.
Publish Date: 2020-06-27
URL: WS-2020-0217
Base Score Metrics:
Groovy: A powerful, dynamic language for the JVM
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154024/groovy-all-2.3.10.jar
Dependency Hierarchy:
Found in base branch: master
The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.
Publish Date: 2015-08-13
URL: CVE-2015-3253
Base Score Metrics:
Type: Upgrade version
Origin: http://groovy-lang.org/security.html
Release Date: 2015-08-13
Fix Resolution (org.codehaus.groovy:groovy-all): 2.4.4
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-jetty7): 1.4.0
Elasticsearch subproject :core
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar
Dependency Hierarchy:
Found in base branch: master
X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.
Publish Date: 2018-09-19
URL: CVE-2018-3824
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3824
Release Date: 2018-09-19
Fix Resolution: 5.6.9
Spring Framework Parent
Path to dependency file: /postgres-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/3.0.2.RELEASE/3d81822d0759a190cb6e11d80c2c020a9775206b/spring-core-3.0.2.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allow secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-03-16
URL: CVE-2018-1199
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199
Release Date: 2018-01-29
Fix Resolution: org.springframework.security:spring-security-web:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE;org.springframework.security:spring-security-config:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE;org.springframework:spring-core:4.3.14.RELEASE,5.0.3.RELEASE
Spring Framework Parent
Path to dependency file: /postgres-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/3.0.2.RELEASE/3d81822d0759a190cb6e11d80c2c020a9775206b/spring-core-3.0.2.RELEASE.jar
Dependency Hierarchy:
Found in base branch: master
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
Publish Date: 2015-02-19
URL: CVE-2014-3578
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578
Release Date: 2015-02-19
Fix Resolution: 3.2.9,4.0.5
A Java framework to parse command line options with annotations.
Library home page: http://beust.com/
Path to dependency file: /client/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.beust/jcommander/1.48/bfcb96281ea3b59d626704f74bc6d625ff51cbce/jcommander-1.48.jar
Dependency Hierarchy:
Found in base branch: master
An Inclusion of Functionality from Untrusted Control Sphere vulnerability was found in jcommander before 1.75: jcommander resolves dependencies over HTTP instead of HTTPS.
Publish Date: 2019-02-19
URL: WS-2019-0490
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-02-19
Fix Resolution (com.beust:jcommander): 1.75
Direct dependency fix Resolution (net.sourceforge.pmd:pmd-java): 5.8.0
jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing code, as described in A Future-Adaptable Password Scheme by Niels Provos and David Mazières, by Damien Miller.
Library home page: http://www.mindrot.org/
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.mindrot/jbcrypt/0.3m/fe2d9c5f23767d681a7e38fc8986b812400ec583/jbcrypt-0.3m.jar
Dependency Hierarchy:
Found in base branch: master
Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
Publish Date: 2015-02-28
URL: CVE-2015-0886
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0886
Release Date: 2015-02-28
Fix Resolution: 0.4
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /server/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar
Dependency Hierarchy:
Found in base branch: master
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341
Release Date: 2018-06-04
Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56
Data Mapper package is a high-performance data binding package built on Jackson JSON processor
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.2/95400a7922ce75383866eb72f6ef4a7897923945/jackson-mapper-asl-1.9.2.jar
Dependency Hierarchy:
Found in base branch: master
A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /grpc/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.27.Final/21bd9cf565390a8d72579b8664303e3c175dfc6a/netty-handler-4.1.27.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.13.Final/85847aa81a98d29948731befb4784d141046fa0e/netty-handler-4.1.13.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.0.56.Final/bf3ee7d214897d3968c1d29a28ee6d5f964876ae/netty-handler-4.0.56.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es6-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.32.Final/b4e3fa13f219df14a9455cc2111f133374428be0/netty-handler-4.1.32.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es6-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.32.Final/b9218adba7353ad5a75fcb639e4755d64bd6ddf/netty-codec-http-4.1.32.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.13.Final/ee87368766e6b900cf6be8ac9cdce27156e9411/netty-codec-http-4.1.13.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.27.Final/a1722d6bcbbef1c4c7877e8bf38b07a3db5ed07f/netty-codec-http-4.1.27.Final.jar
Dependency Hierarchy:
Found in base branch: master
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify one's own "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Publish Date: 2021-02-08
URL: CVE-2021-21290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5mcr-gq6c-3hq2
Release Date: 2021-02-08
Fix Resolution (io.netty:netty-handler): 4.1.59.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0
Fix Resolution (io.netty:netty-handler): 4.1.59.Final
Direct dependency fix Resolution (com.datastax.cassandra:cassandra-driver-core): 3.11.2
Fix Resolution (io.netty:netty-handler): 4.1.59.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0
Fix Resolution (io.netty:netty-codec-http): 4.1.59.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0
Fix Resolution (io.netty:netty-codec-http): 4.1.59.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar
Dependency Hierarchy:
Found in base branch: master
When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Publish Date: 2017-10-04
URL: CVE-2017-12617
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617
Release Date: 2017-10-03
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.47
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar
Dependency Hierarchy:
Found in base branch: master
The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.
Publish Date: 2017-06-06
URL: CVE-2017-5664
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664
Release Date: 2017-06-06
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.78
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.44
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es6-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.32.Final/b9218adba7353ad5a75fcb639e4755d64bd6ddf/netty-codec-http-4.1.32.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.13.Final/ee87368766e6b900cf6be8ac9cdce27156e9411/netty-codec-http-4.1.13.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.27.Final/a1722d6bcbbef1c4c7877e8bf38b07a3db5ed07f/netty-codec-http-4.1.27.Final.jar
Dependency Hierarchy:
Found in base branch: master
Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.
Publish Date: 2020-01-27
URL: CVE-2020-7238
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-27
Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.7.0
Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final
Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.7.0
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.5/c0f69fb36526552a8f0bc548a6c33c49cf08e562/zookeeper-3.4.5.jar
Dependency Hierarchy:
Found in base branch: master
An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node, and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request to unauthenticated or unprivileged users.
Publish Date: 2019-05-23
URL: CVE-2019-0201
Base Score Metrics:
Type: Upgrade version
Origin: https://zookeeper.apache.org/security.html
Release Date: 2019-05-23
Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.14
Direct dependency fix Resolution (org.apache.curator:curator-recipes): 2.11.1
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz
Dependency Hierarchy:
Found in base branch: master
Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.
Publish Date: 2020-11-06
URL: CVE-2020-28168
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-11-06
Fix Resolution (axios): 0.21.1
Direct dependency fix Resolution (browser-sync): 2.26.9
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Found in base branch: master
When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.
Publish Date: 2017-09-19
URL: CVE-2017-12615
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615
Release Date: 2017-09-19
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.81,org.apache.tomcat:tomcat-catalina:7.0.81
The modern build of lodash’s `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Dependency Hierarchy:
Found in base branch: master
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (gulp-notify): 3.1.0
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Dependency Hierarchy:
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /redis-lock/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.9/9ce04e34240f674bc72680f8b843b1457383161a/commons-codec-1.9.jar
Dependency Hierarchy:
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /es5-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar
Dependency Hierarchy:
Found in base branch: master
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
JDBC Type 4 driver for MySQL
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /test-harness/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/mysql/mysql-connector-java/8.0.11/2c3d25fe1dfdd6496e0bbe47d67809f67487cfba/mysql-connector-java-8.0.11.jar,/canner/.gradle/caches/modules-2/files-2.1/mysql/mysql-connector-java/8.0.11/2c3d25fe1dfdd6496e0bbe47d67809f67487cfba/mysql-connector-java-8.0.11.jar
Dependency Hierarchy:
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Publish Date: 2019-04-23
URL: CVE-2019-2692
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jcq3-cprp-m333
Release Date: 2019-04-23
Fix Resolution: 8.0.16
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz
Dependency Hierarchy:
parse argument options
Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz
Dependency Hierarchy:
Found in base branch: master
minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.
Publish Date: 2020-03-11
URL: CVE-2020-7598
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-03-11
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (webpack): 2.2.0
Fix Resolution (minimist): 0.2.1
Direct dependency fix Resolution (mocha): 6.2.3
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar
Dependency Hierarchy:
Core Tomcat implementation
Path to dependency file: /server/build.gradle
Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar
Dependency Hierarchy:
Found in base branch: master
A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards, where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug, but further investigation has shown that the bug is present in all currently supported Tomcat versions.
Publish Date: 2017-08-10
URL: CVE-2016-8745
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745
Release Date: 2017-01-05
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.75
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0
Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.41
Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0
Apache Ant
Library home page: http://ant.apache.org/
Path to dependency file: /cassandra-persistence/build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar
Dependency Hierarchy:
Found in base branch: master
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Publish Date: 2020-10-01
URL: CVE-2020-11979
Base Score Metrics:
Type: Upgrade version
Origin: https://ant.apache.org/security.html
Release Date: 2020-10-01
Fix Resolution: org.apache.ant:ant:1.10.9