
conductor's People

Contributors

apanicker-nflx, clari-akhilesh, cyzhao, davidwadden, dependabot[bot], falu2010-netflix, gorzell, huangyiminghappy, hunterford, ismaley, josedab, jun-he, jvemugunta, kishorebanala, leandromoreira, lordbender, manan164, mashurex, mdepak, mstier-nflx, naveenchlsn, pctreddy, picaron, rickfish, russellrollins, s50600822, skissane, tafael, v1r3n, vmg


conductor's Issues

CVE-2020-11612 (High) detected in multiple libraries

CVE-2020-11612 - High Severity Vulnerability

Vulnerable Libraries - netty-codec-4.1.32.Final.jar, netty-codec-4.1.27.Final.jar, netty-codec-4.1.13.Final.jar, netty-codec-4.1.41.Final.jar

netty-codec-4.1.32.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es6-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.32.Final/8f32bd79c5a16f014a4372ed979dc62b39ede33a/netty-codec-4.1.32.Final.jar

Dependency Hierarchy:

  • transport-6.8.12.jar (Root Library)
    • transport-netty4-client-6.8.12.jar
      • netty-codec-4.1.32.Final.jar (Vulnerable Library)

netty-codec-4.1.27.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /grpc/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.27.Final/d2653d78ebaa650064768fb26b10051f5c8efb2c/netty-codec-4.1.27.Final.jar

Dependency Hierarchy:

  • grpc-healthcheck-1.0.1 (Root Library)
    • grpc-all-1.14.0.jar
      • grpc-netty-1.14.0.jar
        • netty-handler-proxy-4.1.27.Final.jar
          • netty-codec-socks-4.1.27.Final.jar
            • netty-codec-4.1.27.Final.jar (Vulnerable Library)

netty-codec-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.13.Final/370eeb6e9d92495a2a3be096ab6102755af76730/netty-codec-4.1.13.Final.jar

Dependency Hierarchy:

  • transport-5.6.8.jar (Root Library)
    • transport-netty4-client-5.6.8.jar
      • netty-codec-4.1.13.Final.jar (Vulnerable Library)

netty-codec-4.1.41.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: https://netty.io/

Path to dependency file: /redis-lock/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.41.Final/d2dceabcd4097d068a318e24542897d455b0729b/netty-codec-4.1.41.Final.jar

Dependency Hierarchy:

  • conductor-grpc-server-1.0 (Root Library)
    • grpc-netty-1.14.0.jar
      • netty-handler-proxy-4.1.27.Final.jar
        • netty-codec-socks-4.1.27.Final.jar
          • netty-codec-4.1.41.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.

Publish Date: 2020-04-07

URL: CVE-2020-11612

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html

Release Date: 2020-04-07

Fix Resolution (io.netty:netty-codec): 4.1.46.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.8.0

Fix Resolution (io.netty:netty-codec): 4.1.46.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.8.0


Step up your Open Source Security Game with Mend here

CVE-2019-17632 (Medium) detected in jetty-server-9.4.22.v20191022.jar

CVE-2019-17632 - Medium Severity Vulnerability

Vulnerable Library - jetty-server-9.4.22.v20191022.jar

The core jetty server artifact.

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.22.v20191022/f30b9b2cd6f63b073b63c2ac5e7e7f17b63b0908/jetty-server-9.4.22.v20191022.jar,/canner/.gradle/caches/modules-2/files-2.1/org.eclipse.jetty/jetty-server/9.4.22.v20191022/f30b9b2cd6f63b073b63c2ac5e7e7f17b63b0908/jetty-server-9.4.22.v20191022.jar

Dependency Hierarchy:

  • jetty-server-9.4.22.v20191022.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Eclipse Jetty versions 9.4.21.v20190926, 9.4.22.v20191022, and 9.4.23.v20191118, the generation of default unhandled Error response content (in text/html and text/json Content-Type) does not escape Exception messages in stacktraces included in error output.

Publish Date: 2019-11-25

URL: CVE-2019-17632

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17632

Release Date: 2019-11-25

Fix Resolution: 9.4.24.v20191120



WS-2017-0247 (Low) detected in ms-0.7.1.tgz - autoclosed

WS-2017-0247 - Low Severity Vulnerability

Vulnerable Library - ms-0.7.1.tgz

Tiny ms conversion utility

Library home page: https://registry.npmjs.org/ms/-/ms-0.7.1.tgz

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz
      • ms-0.7.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2017-04-12

URL: WS-2017-0247

CVSS 2 Score Details (3.4)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: vercel/ms#89

Release Date: 2017-04-12

Fix Resolution: 2.1.1



CVE-2017-16137 (Medium) detected in debug-2.2.0.tgz

CVE-2017-16137 - Medium Severity Vulnerability

Vulnerable Library - debug-2.2.0.tgz

small debugging utility

Library home page: https://registry.npmjs.org/debug/-/debug-2.2.0.tgz

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • debug-2.2.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The debug module is vulnerable to regular expression denial of service when untrusted user input is passed into the o formatter. It takes around 50k characters to block for 2 seconds making this a low severity issue.

Publish Date: 2018-06-07

URL: CVE-2017-16137

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-16137

Release Date: 2018-06-07

Fix Resolution (debug): 2.6.9

Direct dependency fix Resolution (mocha): 4.0.0



CVE-2020-15256 (High) detected in object-path-0.9.2.tgz

CVE-2020-15256 - High Severity Vulnerability

Vulnerable Library - object-path-0.9.2.tgz

Access deep properties using a path

Library home page: https://registry.npmjs.org/object-path/-/object-path-0.9.2.tgz

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • eazy-logger-3.0.2.tgz
      • tfunk-3.1.0.tgz
        • object-path-0.9.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability has been found in object-path <= 0.11.4 affecting the set() method. The vulnerability is limited to the includeInheritedProps mode (if version >= 0.11.0 is used), which has to be explicitly enabled by creating a new instance of object-path and setting the option includeInheritedProps: true, or by using the default withInheritedProps instance. The default operating mode is not affected by the vulnerability if version >= 0.11.0 is used. Any usage of set() in versions < 0.11.0 is vulnerable. The issue is fixed in object-path version 0.11.5. As a workaround, don't use the includeInheritedProps: true option or the withInheritedProps instance if using a version >= 0.11.0.

Publish Date: 2020-10-19

URL: CVE-2020-15256

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-cwx2-736x-mf6w

Release Date: 2020-10-19

Fix Resolution (object-path): 0.11.5

Direct dependency fix Resolution (browser-sync): 2.26.9



CVE-2020-15250 (Medium) detected in junit-4.12.jar

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.12.jar

JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.

Library home page: http://junit.org

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/junit/junit/4.12/2973d150c0dc1fefe998f834810d68f278ea58ec/junit-4.12.jar

Dependency Hierarchy:

  • junit-4.12.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system property to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1



CVE-2020-9484 (High) detected in tomcat-embed-core-7.0.62.jar

CVE-2020-9484 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When using Apache Tomcat versions 10.0.0-M1 to 10.0.0-M4, 9.0.0.M1 to 9.0.34, 8.5.0 to 8.5.54 and 7.0.0 to 7.0.103 if a) an attacker is able to control the contents and name of a file on the server; and b) the server is configured to use the PersistenceManager with a FileStore; and c) the PersistenceManager is configured with sessionAttributeValueClassNameFilter="null" (the default unless a SecurityManager is used) or a sufficiently lax filter to allow the attacker provided object to be deserialized; and d) the attacker knows the relative file path from the storage location used by FileStore to the file the attacker has control over; then, using a specifically crafted request, the attacker will be able to trigger remote code execution via deserialization of the file under their control. Note that all of conditions a) to d) must be true for the attack to succeed.

Publish Date: 2020-05-20

URL: CVE-2020-9484

CVSS 3 Score Details (7.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-9484

Release Date: 2020-05-20

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.104,8.5.55,9.0.35,10.0.0-M5,org.apache.tomcat:tomcat-catalina:7.0.104,8.5.55,9.0.35,10.0.0-M5



CVE-2016-5388 (High) detected in tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

CVE-2016-5388 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

tomcat-embed-core-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • gretty-runner-tomcat-1.2.4.jar
      • tomcat-embed-core-8.0.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.

Publish Date: 2016-07-19

URL: CVE-2016-5388

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5388

Release Date: 2016-07-19

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.72

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.5.5

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0



CVE-2016-1000342 (High) detected in bcprov-jdk16-1.46.jar

CVE-2016-1000342 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk16-1.46.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /server/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar

Dependency Hierarchy:

  • gretty-starter-1.2.4.jar (Root Library)
    • gretty-core-1.2.4.jar
      • bcprov-jdk16-1.46.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-04

URL: CVE-2016-1000342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2016-0763 (Medium) detected in tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

CVE-2016-0763 - Medium Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

tomcat-embed-core-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • gretty-runner-tomcat-1.2.4.jar
      • tomcat-embed-core-8.0.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The setGlobalContext method in org/apache/naming/factory/ResourceLinkFactory.java in Apache Tomcat 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M3 does not consider whether ResourceLinkFactory.setGlobalContext callers are authorized, which allows remote authenticated users to bypass intended SecurityManager restrictions and read or write to arbitrary application data, or cause a denial of service (application disruption), via a web application that sets a crafted global context.

Publish Date: 2016-02-25

URL: CVE-2016-0763

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-0763

Release Date: 2016-02-25

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.68

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.32

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0



CVE-2020-7733 (High) detected in ua-parser-js-0.7.17.tgz, ua-parser-js-0.7.21.tgz

CVE-2020-7733 - High Severity Vulnerability

Vulnerable Libraries - ua-parser-js-0.7.17.tgz, ua-parser-js-0.7.21.tgz

ua-parser-js-0.7.17.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.17.tgz

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • ua-parser-js-0.7.17.tgz (Vulnerable Library)

ua-parser-js-0.7.21.tgz

Lightweight JavaScript-based user-agent string parser

Library home page: https://registry.npmjs.org/ua-parser-js/-/ua-parser-js-0.7.21.tgz

Dependency Hierarchy:

  • fbjs-0.7.2.tgz (Root Library)
    • ua-parser-js-0.7.21.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package ua-parser-js before 0.7.22 is vulnerable to Regular Expression Denial of Service (ReDoS) via the regex for Redmi Phones and Mi Pad Tablets UA.

Publish Date: 2020-09-16

URL: CVE-2020-7733

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2020-09-16

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (browser-sync): 2.26.9

Fix Resolution (ua-parser-js): 0.7.22

Direct dependency fix Resolution (fbjs): 0.8.0



CVE-2016-1000345 (Medium) detected in bcprov-jdk16-1.46.jar

CVE-2016-1000345 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk16-1.46.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /server/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar

Dependency Hierarchy:

  • gretty-starter-1.2.4.jar (Root Library)
    • gretty-core-1.2.4.jar
      • bcprov-jdk16-1.46.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier, the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Publish Date: 2018-06-04

URL: CVE-2016-1000345

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345

Release Date: 2018-06-04

Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56



CVE-2016-5018 (High) detected in tomcat-embed-jasper-8.0.23.jar, tomcat-embed-jasper-7.0.62.jar

CVE-2016-5018 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-jasper-8.0.23.jar, tomcat-embed-jasper-7.0.62.jar

tomcat-embed-jasper-8.0.23.jar

Core Tomcat implementation

Library home page: http://tomcat.apache.org/

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-jasper-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat8-1.2.4.jar (Root Library)
    • tomcat-embed-jasper-8.0.23.jar (Vulnerable Library)

tomcat-embed-jasper-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-jasper-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-jasper-7.0.62.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.

Publish Date: 2017-08-10

URL: CVE-2016-5018

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-5018

Release Date: 2016-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-jasper): 8.0.37

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat8): 2.0.0

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-jasper): 7.0.72

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0



CVE-2020-14040 (High) detected in github.com/golang/text-v0.3.0

CVE-2020-14040 - High Severity Vulnerability

Vulnerable Library - github.com/golang/text-v0.3.0

[mirror] Go text processing support

Library home page: https://proxy.golang.org/github.com/golang/text/@v/v0.3.0.zip

Dependency Hierarchy:

  • github.com/golang/text-v0.3.0 (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The x/text package before 0.3.3 for Go has a vulnerability in encoding/unicode that could lead to the UTF-16 decoder entering an infinite loop, causing the program to crash or run out of memory. An attacker could provide a single byte to a UTF16 decoder instantiated with UseBOM or ExpectBOM to trigger an infinite loop if the String function on the Decoder is called, or the Decoder is passed to golang.org/x/text/transform.String.

Publish Date: 2020-06-17

URL: CVE-2020-14040

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://osv.dev/vulnerability/GO-2020-0015

Release Date: 2020-06-17

Fix Resolution: v0.3.3



CVE-2020-9488 (Low) detected in multiple libraries

CVE-2020-9488 - Low Severity Vulnerability

Vulnerable Libraries - log4j-1.2.16.jar, log4j-core-2.9.1.jar, log4j-1.2.17.jar

log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /zookeeper-lock/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.16/7999a63bfccbc7c247a9aea10d83d4272bd492c6/log4j-1.2.16.jar

Dependency Hierarchy:

  • curator-recipes-2.4.0.jar (Root Library)
    • curator-framework-2.4.0.jar
      • curator-client-2.4.0.jar
        • zookeeper-3.4.5.jar
          • log4j-1.2.16.jar (Vulnerable Library)

log4j-core-2.9.1.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.9.1/c041978c686866ee8534f538c6220238db3bb6be/log4j-core-2.9.1.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.logging.log4j/log4j-core/2.9.1/c041978c686866ee8534f538c6220238db3bb6be/log4j-core-2.9.1.jar

Dependency Hierarchy:

  • log4j-core-2.9.1.jar (Vulnerable Library)

log4j-1.2.17.jar

Apache Log4j 1.2

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar,/canner/.gradle/caches/modules-2/files-2.1/log4j/log4j/1.2.17/5af35056b4d257e4b64b9e8069c0746e8b08629f/log4j-1.2.17.jar

Dependency Hierarchy:

  • log4j-1.2.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: 2.12.2


Step up your Open Source Security Game with Mend here

CVE-2019-0205 (High) detected in libthrift-0.9.2.jar

CVE-2019-0205 - High Severity Vulnerability

Vulnerable Library - libthrift-0.9.2.jar

Thrift is a software framework for scalable cross-language services development.

Library home page: http://thrift.apache.org

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.thrift/libthrift/0.9.2/9b067e2e2c5291e9f0d8b3561b1654286e6d81ee/libthrift-0.9.2.jar

Dependency Hierarchy:

  • cassandra-unit-3.5.0.1.jar (Root Library)
    • libthrift-0.9.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache Thrift all versions up to and including 0.12.0, a server or client may run into an endless loop when fed with specific input data. Because the issue had already been partially fixed in version 0.11.0, depending on the installed version it affects only certain language bindings.

Publish Date: 2019-10-29

URL: CVE-2019-0205

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0205

Release Date: 2019-10-29

Fix Resolution: org.apache.thrift:libthrift:0.13.0


CVE-2012-2098 (Medium) detected in ant-1.7.0.jar

CVE-2012-2098 - Medium Severity Vulnerability

Vulnerable Library - ant-1.7.0.jar

Apache Ant

Library home page: http://ant.apache.org/

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar

Dependency Hierarchy:

  • cassandra-unit-3.5.0.1.jar (Root Library)
    • cassandra-all-3.11.2.jar
      • cassandra-thrift-3.11.2.jar
        • jflex-1.6.0.jar
          • ant-1.7.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.

Publish Date: 2012-06-29

URL: CVE-2012-2098

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098

Release Date: 2012-06-29

Fix Resolution: org.apache.ant:ant:1.8.4,org.apache.commons:commons-compress:1.4.1


CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • browser-sync-ui-2.26.4.tgz
      • socket.io-client-2.3.0.tgz
        • engine.io-client-3.4.1.tgz
          • xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.26.14-y.1


WS-2018-0590 (High) detected in diff-1.4.0.tgz

WS-2018-0590 - High Severity Vulnerability

Vulnerable Library - diff-1.4.0.tgz

A javascript text diff implementation.

Library home page: https://registry.npmjs.org/diff/-/diff-1.4.0.tgz

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • diff-1.4.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in diff before v3.5.0, the affected versions of this package are vulnerable to Regular Expression Denial of Service (ReDoS) attacks.

Publish Date: 2018-03-05

URL: WS-2018-0590

CVSS 3 Score Details (7.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2018-03-05

Fix Resolution (diff): 3.5.0

Direct dependency fix Resolution (mocha): 5.0.3


CVE-2016-0762 (Medium) detected in tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

CVE-2016-0762 - Medium Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

tomcat-embed-core-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • gretty-runner-tomcat-1.2.4.jar
      • tomcat-embed-core-8.0.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Publish Date: 2017-08-10

URL: CVE-2016-0762

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3E

Release Date: 2016-10-27

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.72

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.37

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0


CVE-2019-10172 (High) detected in jackson-mapper-asl-1.9.2.jar

CVE-2019-10172 - High Severity Vulnerability

Vulnerable Library - jackson-mapper-asl-1.9.2.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.2/95400a7922ce75383866eb72f6ef4a7897923945/jackson-mapper-asl-1.9.2.jar

Dependency Hierarchy:

  • cassandra-unit-3.5.0.1.jar (Root Library)
    • cassandra-all-3.11.2.jar
      • jackson-mapper-asl-1.9.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A flaw was found in org.codehaus.jackson:jackson-mapper-asl:1.9.x libraries. XML external entity vulnerabilities similar to CVE-2016-3720 also affect the codehaus jackson-mapper-asl libraries, but in different classes.

Publish Date: 2019-11-18

URL: CVE-2019-10172

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10172

Release Date: 2019-11-18

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0-RC1


CVE-2015-7940 (Low) detected in bcprov-jdk16-1.46.jar

CVE-2015-7940 - Low Severity Vulnerability

Vulnerable Library - bcprov-jdk16-1.46.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /server/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar

Dependency Hierarchy:

  • gretty-starter-1.2.4.jar (Root Library)
    • gretty-core-1.2.4.jar
      • bcprov-jdk16-1.46.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Publish Date: 2015-11-09

URL: CVE-2015-7940

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-7940

Release Date: 2015-11-09

Fix Resolution: org.bouncycastle:bcprov-ext-jdk15on:1.51,org.bouncycastle:bcprov-jdk14:1.51,org.bouncycastle:bcprov-jdk15on:1.51


CVE-2018-3823 (Medium) detected in elasticsearch-5.6.8.jar

CVE-2018-3823 - Medium Severity Vulnerability

Vulnerable Library - elasticsearch-5.6.8.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar

Dependency Hierarchy:

  • elasticsearch-5.6.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. Users with manage_ml permissions could create jobs containing malicious data as part of their configuration that could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of other ML users viewing the results of the jobs.

Publish Date: 2018-09-19

URL: CVE-2018-3823

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://discuss.elastic.co/t/elastic-stack-6-2-4-and-5-6-9-security-update/128422

Release Date: 2018-09-19

Fix Resolution: 5.6.9


CVE-2019-10173 (High) detected in xstream-1.4.10.jar

CVE-2019-10173 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.thoughtworks.xstream/xstream/1.4.10/dfecae23647abc9d9fd0416629a4213a3882b101/xstream-1.4.10.jar

Dependency Hierarchy:

  • dyno-queues-redis-2.0.13.jar (Root Library)
    • dyno-jedis-1.7.2-rc2.jar
      • dyno-contrib-1.7.2-rc2.jar
        • eureka-client-1.8.6.jar
          • xstream-1.4.10.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON. (regression of CVE-2013-7285)

Publish Date: 2019-07-23

URL: CVE-2019-10173

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10173

Release Date: 2019-07-23

Fix Resolution: 1.4.11


CVE-2017-12616 (High) detected in tomcat-embed-core-7.0.62.jar

CVE-2017-12616 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When using a VirtualDirContext with Apache Tomcat 7.0.0 to 7.0.80 it was possible to bypass security constraints and/or view the source code of JSPs for resources served by the VirtualDirContext using a specially crafted request.

Publish Date: 2017-09-19

URL: CVE-2017-12616

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12616

Release Date: 2017-09-19

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.81,org.apache.tomcat:tomcat-catalina:7.0.81


CVE-2020-26217 (High) detected in xstream-1.4.10.jar

CVE-2020-26217 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.10.jar

XStream is a serialization library from Java objects to XML and back.

Library home page: http://x-stream.github.io

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.thoughtworks.xstream/xstream/1.4.10/dfecae23647abc9d9fd0416629a4213a3882b101/xstream-1.4.10.jar

Dependency Hierarchy:

  • dyno-queues-redis-2.0.13.jar (Root Library)
    • dyno-jedis-1.7.2-rc2.jar
      • dyno-contrib-1.7.2-rc2.jar
        • eureka-client-1.8.6.jar
          • xstream-1.4.10.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream before version 1.4.14 is vulnerable to Remote Code Execution. The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Publish Date: 2020-11-16

URL: CVE-2020-26217

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-mw36-7c6c-q4q2

Release Date: 2020-11-16

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.14


CVE-2016-1000346 (Low) detected in bcprov-jdk16-1.46.jar

CVE-2016-1000346 - Low Severity Vulnerability

Vulnerable Library - bcprov-jdk16-1.46.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /server/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar

Dependency Hierarchy:

  • gretty-starter-1.2.4.jar (Root Library)
    • gretty-core-1.2.4.jar
      • bcprov-jdk16-1.46.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

Publish Date: 2018-06-04

URL: CVE-2016-1000346

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346

Release Date: 2018-06-04

Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56


CVE-2018-8034 (High) detected in tomcat-embed-websocket-8.0.23.jar, tomcat-embed-websocket-7.0.62.jar

CVE-2018-8034 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-websocket-8.0.23.jar, tomcat-embed-websocket-7.0.62.jar

tomcat-embed-websocket-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154027/tomcat-embed-websocket-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat8-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-8.0.23.jar (Vulnerable Library)

tomcat-embed-websocket-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-websocket-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.

Publish Date: 2018-08-01

URL: CVE-2018-8034

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034

Release Date: 2018-07-22

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-websocket:9.0.10,8.5.32,8.0.53,7.0.90,org.apache.tomcat:tomcat-catalina:9.0.10,8.5.32,8.0.53,7.0.90


WS-2020-0217 (Medium) detected in bunyan-1.8.12.tgz

WS-2020-0217 - Medium Severity Vulnerability

Vulnerable Library - bunyan-1.8.12.tgz

a JSON logging library for node.js services

Library home page: https://registry.npmjs.org/bunyan/-/bunyan-1.8.12.tgz

Dependency Hierarchy:

  • bunyan-1.8.12.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Remote Command Execution (RCE) vulnerability was found in bunyan before 1.8.13 and 2.x before 2.0.3. The issue occurs because a user input is formatted inside a command that will be executed without any check.

Publish Date: 2020-06-27

URL: WS-2020-0217

CVSS 3 Score Details (6.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-06-27

Fix Resolution: 1.8.13


CVE-2015-3253 (High) detected in groovy-all-2.3.10.jar

CVE-2015-3253 - High Severity Vulnerability

Vulnerable Library - groovy-all-2.3.10.jar

Groovy: A powerful, dynamic language for the JVM

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154024/groovy-all-2.3.10.jar

Dependency Hierarchy:

  • gretty-runner-jetty7-1.2.4.jar (Root Library)
    • gretty-runner-jetty-1.2.4.jar
      • gretty-runner-1.2.4.jar
        • groovy-all-2.3.10.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The MethodClosure class in runtime/MethodClosure.java in Apache Groovy 1.7.0 through 2.4.3 allows remote attackers to execute arbitrary code or cause a denial of service via a crafted serialized object.

Publish Date: 2015-08-13

URL: CVE-2015-3253

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://groovy-lang.org/security.html

Release Date: 2015-08-13

Fix Resolution (org.codehaus.groovy:groovy-all): 2.4.4

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-jetty7): 1.4.0


CVE-2018-3824 (Medium) detected in elasticsearch-5.6.8.jar

CVE-2018-3824 - Medium Severity Vulnerability

Vulnerable Library - elasticsearch-5.6.8.jar

Elasticsearch subproject :core

Library home page: https://github.com/elastic/elasticsearch

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /canner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar,/home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.elasticsearch/elasticsearch/5.6.8/447296d279216635ea8e0f0be7c9d7bc7d640ea8/elasticsearch-5.6.8.jar

Dependency Hierarchy:

  • elasticsearch-5.6.8.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

X-Pack Machine Learning versions before 6.2.4 and 5.6.9 had a cross-site scripting (XSS) vulnerability. If an attacker is able to inject data into an index that has a ML job running against it, then when another user views the results of the ML job it could allow the attacker to obtain sensitive information from or perform destructive actions on behalf of that other ML user.

Publish Date: 2018-09-19

URL: CVE-2018-3824

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-3824

Release Date: 2018-09-19

Fix Resolution: 5.6.9


CVE-2018-1199 (Medium) detected in spring-core-3.0.2.RELEASE.jar

CVE-2018-1199 - Medium Severity Vulnerability

Vulnerable Library - spring-core-3.0.2.RELEASE.jar

Spring Framework Parent

Path to dependency file: /postgres-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/3.0.2.RELEASE/3d81822d0759a190cb6e11d80c2c020a9775206b/spring-core-3.0.2.RELEASE.jar

Dependency Hierarchy:

  • all-matchers-1.8.jar (Root Library)
    • spring-matchers-1.8.jar
      • spring-context-3.0.2.RELEASE.jar
        • spring-core-3.0.2.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Publish Date: 2018-03-16

URL: CVE-2018-1199

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199

Release Date: 2018-01-29

Fix Resolution: org.springframework.security:spring-security-web:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE;org.springframework.security:spring-security-config:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE;org.springframework:spring-core:4.3.14.RELEASE,5.0.3.RELEASE


CVE-2014-3578 (Medium) detected in spring-core-3.0.2.RELEASE.jar

CVE-2014-3578 - Medium Severity Vulnerability

Vulnerable Library - spring-core-3.0.2.RELEASE.jar

Spring Framework Parent

Path to dependency file: /postgres-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/3.0.2.RELEASE/3d81822d0759a190cb6e11d80c2c020a9775206b/spring-core-3.0.2.RELEASE.jar

Dependency Hierarchy:

  • all-matchers-1.8.jar (Root Library)
    • spring-matchers-1.8.jar
      • spring-context-3.0.2.RELEASE.jar
        • spring-core-3.0.2.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Publish Date: 2015-02-19

URL: CVE-2014-3578

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578

Release Date: 2015-02-19

Fix Resolution: 3.2.9,4.0.5


WS-2019-0490 (High) detected in jcommander-1.48.jar

WS-2019-0490 - High Severity Vulnerability

Vulnerable Library - jcommander-1.48.jar

A Java framework to parse command line options with annotations.

Library home page: http://beust.com/

Path to dependency file: /client/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.beust/jcommander/1.48/bfcb96281ea3b59d626704f74bc6d625ff51cbce/jcommander-1.48.jar

Dependency Hierarchy:

  • pmd-java-5.6.1.jar (Root Library)
    • pmd-core-5.6.1.jar
      • jcommander-1.48.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An Inclusion of Functionality from Untrusted Control Sphere vulnerability was found in jcommander before 1.75: jcommander resolves dependencies over HTTP instead of HTTPS.

Publish Date: 2019-02-19

URL: WS-2019-0490

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-19

Fix Resolution (com.beust:jcommander): 1.75

Direct dependency fix Resolution (net.sourceforge.pmd:pmd-java): 5.8.0


CVE-2015-0886 (Medium) detected in jbcrypt-0.3m.jar

CVE-2015-0886 - Medium Severity Vulnerability

Vulnerable Library - jbcrypt-0.3m.jar

jBCrypt is a Java implementation of OpenBSD's Blowfish password hashing code, as described in A Future-Adaptable Password Scheme by Niels Provos and David Mazières, by Damien Miller.

Library home page: http://www.mindrot.org/

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.mindrot/jbcrypt/0.3m/fe2d9c5f23767d681a7e38fc8986b812400ec583/jbcrypt-0.3m.jar

Dependency Hierarchy:

  • cassandra-unit-3.5.0.1.jar (Root Library)
    • cassandra-all-3.11.2.jar
      • jbcrypt-0.3m.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.

Publish Date: 2015-02-28

URL: CVE-2015-0886

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-0886

Release Date: 2015-02-28

Fix Resolution: 0.4


CVE-2016-1000341 (Medium) detected in bcprov-jdk16-1.46.jar

CVE-2016-1000341 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk16-1.46.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.6.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /server/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.bouncycastle/bcprov-jdk16/1.46/ce091790943599535cbb4de8ede84535b0c1260c/bcprov-jdk16-1.46.jar

Dependency Hierarchy:

  • gretty-starter-1.2.4.jar (Root Library)
    • gretty-core-1.2.4.jar
      • bcprov-jdk16-1.46.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Publish Date: 2018-06-04

URL: CVE-2016-1000341

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341

Release Date: 2018-06-04

Fix Resolution: org.bouncycastle:bcprov-debug-jdk15on:1.56,org.bouncycastle:bcprov-debug-jdk14:1.56,org.bouncycastle:bcprov-ext-jdk15on:1.56,org.bouncycastle:bcprov-jdk14:1.56,org.bouncycastle:bcprov-jdk15on:1.56,org.bouncycastle:bcprov-ext-debug-jdk15on:1.56


CVE-2019-10202 (High) detected in jackson-mapper-asl-1.9.2.jar

CVE-2019-10202 - High Severity Vulnerability

Vulnerable Library - jackson-mapper-asl-1.9.2.jar

Data Mapper package is a high-performance data binding package built on Jackson JSON processor

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.codehaus.jackson/jackson-mapper-asl/1.9.2/95400a7922ce75383866eb72f6ef4a7897923945/jackson-mapper-asl-1.9.2.jar

Dependency Hierarchy:

  • cassandra-unit-3.5.0.1.jar (Root Library)
    • cassandra-all-3.11.2.jar
      • jackson-mapper-asl-1.9.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.0.0


CVE-2021-21290 (Medium) detected in multiple libraries

CVE-2021-21290 - Medium Severity Vulnerability

Vulnerable Libraries - netty-handler-4.1.27.Final.jar, netty-handler-4.1.13.Final.jar, netty-handler-4.0.56.Final.jar, netty-handler-4.1.32.Final.jar, netty-codec-http-4.1.32.Final.jar, netty-codec-http-4.1.13.Final.jar, netty-codec-http-4.1.27.Final.jar

netty-handler-4.1.27.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /grpc/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.27.Final/21bd9cf565390a8d72579b8664303e3c175dfc6a/netty-handler-4.1.27.Final.jar

Dependency Hierarchy:

  • grpc-healthcheck-1.0.1 (Root Library)
    • grpc-all-1.14.0.jar
      • grpc-netty-1.14.0.jar
        • netty-codec-http2-4.1.27.Final.jar
          • netty-handler-4.1.27.Final.jar (Vulnerable Library)

netty-handler-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.13.Final/85847aa81a98d29948731befb4784d141046fa0e/netty-handler-4.1.13.Final.jar

Dependency Hierarchy:

  • transport-5.6.8.jar (Root Library)
    • transport-netty4-client-5.6.8.jar
      • netty-handler-4.1.13.Final.jar (Vulnerable Library)

netty-handler-4.0.56.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.0.56.Final/bf3ee7d214897d3968c1d29a28ee6d5f964876ae/netty-handler-4.0.56.Final.jar

Dependency Hierarchy:

  • cassandra-driver-core-3.6.0.jar (Root Library)
    • netty-handler-4.0.56.Final.jar (Vulnerable Library)

netty-handler-4.1.32.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es6-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-handler/4.1.32.Final/b4e3fa13f219df14a9455cc2111f133374428be0/netty-handler-4.1.32.Final.jar

Dependency Hierarchy:

  • transport-6.8.12.jar (Root Library)
    • transport-netty4-client-6.8.12.jar
      • netty-handler-4.1.32.Final.jar (Vulnerable Library)

netty-codec-http-4.1.32.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es6-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.32.Final/b9218adba7353ad5a75fcb639e4755d64bd6ddf/netty-codec-http-4.1.32.Final.jar

Dependency Hierarchy:

  • transport-6.8.12.jar (Root Library)
    • transport-netty4-client-6.8.12.jar
      • netty-codec-http-4.1.32.Final.jar (Vulnerable Library)

netty-codec-http-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.13.Final/ee87368766e6b900cf6be8ac9cdce27156e9411/netty-codec-http-4.1.13.Final.jar

Dependency Hierarchy:

  • transport-5.6.8.jar (Root Library)
    • transport-netty4-client-5.6.8.jar
      • netty-codec-http-4.1.13.Final.jar (Vulnerable Library)

netty-codec-http-4.1.27.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.27.Final/a1722d6bcbbef1c4c7877e8bf38b07a3db5ed07f/netty-codec-http-4.1.27.Final.jar

Dependency Hierarchy:

  • conductor-grpc-server-1.0 (Root Library)
    • grpc-netty-1.14.0.jar
      • netty-codec-http2-4.1.27.Final.jar
        • netty-codec-http-4.1.27.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on disk is enabled. On unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is therefore vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution (io.netty:netty-handler): 4.1.59.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0

Fix Resolution (io.netty:netty-handler): 4.1.59.Final

Direct dependency fix Resolution (com.datastax.cassandra:cassandra-driver-core): 3.11.2

Fix Resolution (io.netty:netty-handler): 4.1.59.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0

Fix Resolution (io.netty:netty-codec-http): 4.1.59.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0

Fix Resolution (io.netty:netty-codec-http): 4.1.59.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.15.0


CVE-2017-12617 (High) detected in tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

CVE-2017-12617 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

tomcat-embed-core-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • gretty-runner-tomcat-1.2.4.jar
      • tomcat-embed-core-8.0.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When running Apache Tomcat versions 9.0.0.M1 to 9.0.0, 8.5.0 to 8.5.22, 8.0.0.RC1 to 8.0.46 and 7.0.0 to 7.0.81 with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Publish Date: 2017-10-04

URL: CVE-2017-12617

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12617

Release Date: 2017-10-03

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.47

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0


CVE-2017-5664 (High) detected in tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

CVE-2017-5664 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

tomcat-embed-core-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • gretty-runner-tomcat-1.2.4.jar
      • tomcat-embed-core-8.0.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The error page mechanism of the Java Servlet Specification requires that, when an error occurs and an error page is configured for the error that occurred, the original request and response are forwarded to the error page. This means that the request is presented to the error page with the original HTTP method. If the error page is a static file, expected behaviour is to serve content of the file as if processing a GET request, regardless of the actual HTTP method. The Default Servlet in Apache Tomcat 9.0.0.M1 to 9.0.0.M20, 8.5.0 to 8.5.14, 8.0.0.RC1 to 8.0.43 and 7.0.0 to 7.0.77 did not do this. Depending on the original request this could lead to unexpected and undesirable results for static error pages including, if the DefaultServlet is configured to permit writes, the replacement or removal of the custom error page. Notes for other user provided error pages: (1) Unless explicitly coded otherwise, JSPs ignore the HTTP method. JSPs used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method. (2) By default, the response generated by a Servlet does depend on the HTTP method. Custom Servlets used as error pages must ensure that they handle any error dispatch as a GET request, regardless of the actual method.

Publish Date: 2017-06-06

URL: CVE-2017-5664

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5664

Release Date: 2017-06-06

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.78

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.44

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0


CVE-2020-7238 (High) detected in multiple libraries

CVE-2020-7238 - High Severity Vulnerability

Vulnerable Libraries - netty-codec-http-4.1.32.Final.jar, netty-codec-http-4.1.13.Final.jar, netty-codec-http-4.1.27.Final.jar

netty-codec-http-4.1.32.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es6-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.32.Final/b9218adba7353ad5a75fcb639e4755d64bd6ddf/netty-codec-http-4.1.32.Final.jar

Dependency Hierarchy:

  • transport-6.8.12.jar (Root Library)
    • transport-netty4-client-6.8.12.jar
      • netty-codec-http-4.1.32.Final.jar (Vulnerable Library)

netty-codec-http-4.1.13.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.13.Final/ee87368766e6b900cf6be8ac9cdce27156e9411/netty-codec-http-4.1.13.Final.jar

Dependency Hierarchy:

  • transport-5.6.8.jar (Root Library)
    • transport-netty4-client-5.6.8.jar
      • netty-codec-http-4.1.13.Final.jar (Vulnerable Library)

netty-codec-http-4.1.27.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec-http/4.1.27.Final/a1722d6bcbbef1c4c7877e8bf38b07a3db5ed07f/netty-codec-http-4.1.27.Final.jar

Dependency Hierarchy:

  • conductor-grpc-server-1.0 (Root Library)
    • grpc-netty-1.14.0.jar
      • netty-codec-http2-4.1.27.Final.jar
        • netty-codec-http-4.1.27.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-27

Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.7.0

Fix Resolution (io.netty:netty-codec-http): 4.1.44.Final

Direct dependency fix Resolution (org.elasticsearch.client:transport): 7.7.0


CVE-2019-0201 (Medium) detected in zookeeper-3.4.5.jar

CVE-2019-0201 - Medium Severity Vulnerability

Vulnerable Library - zookeeper-3.4.5.jar

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.zookeeper/zookeeper/3.4.5/c0f69fb36526552a8f0bc548a6c33c49cf08e562/zookeeper-3.4.5.jar

Dependency Hierarchy:

  • curator-recipes-2.4.0.jar (Root Library)
    • zookeeper-3.4.5.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper's getACL() command doesn't check any permission when it retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as a plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by a getACL() request from unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution (org.apache.zookeeper:zookeeper): 3.4.14

Direct dependency fix Resolution (org.apache.curator:curator-recipes): 2.11.1


CVE-2020-28168 (Medium) detected in axios-0.19.0.tgz

CVE-2020-28168 - Medium Severity Vulnerability

Vulnerable Library - axios-0.19.0.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.19.0.tgz

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • localtunnel-1.9.2.tgz
      • axios-0.19.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Axios NPM package 0.21.0 contains a Server-Side Request Forgery (SSRF) vulnerability where an attacker is able to bypass a proxy by providing a URL that responds with a redirect to a restricted host or IP address.

Publish Date: 2020-11-06

URL: CVE-2020-28168

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-11-06

Fix Resolution (axios): 0.21.1

Direct dependency fix Resolution (browser-sync): 2.26.9


CVE-2017-12615 (High) detected in tomcat-embed-core-7.0.62.jar

CVE-2017-12615 - High Severity Vulnerability

Vulnerable Library - tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

When running Apache Tomcat 7.0.0 to 7.0.79 on Windows with HTTP PUTs enabled (e.g. via setting the readonly initialisation parameter of the Default servlet to false) it was possible to upload a JSP file to the server via a specially crafted request. This JSP could then be requested and any code it contained would be executed by the server.

Publish Date: 2017-09-19

URL: CVE-2017-12615

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12615

Release Date: 2017-09-19

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:7.0.81,org.apache.tomcat:tomcat-catalina:7.0.81


CVE-2019-10744 (High) detected in lodash.template-3.6.2.tgz

CVE-2019-10744 - High Severity Vulnerability

Vulnerable Library - lodash.template-3.6.2.tgz

The modern build of lodash’s `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Dependency Hierarchy:

  • gulp-notify-2.2.0.tgz (Root Library)
    • lodash.template-3.6.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp-notify): 3.1.0


WS-2019-0379 (Medium) detected in multiple libraries

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Libraries - commons-codec-1.11.jar, commons-codec-1.9.jar, commons-codec-1.10.jar

commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar

Dependency Hierarchy:

  • conductor-server-1.0 (Root Library)
    • conductor-es5-persistence-1.0
      • transport-5.6.8.jar
        • reindex-client-5.6.8.jar
          • elasticsearch-rest-client-5.6.8.jar
            • commons-codec-1.11.jar (Vulnerable Library)

commons-codec-1.9.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /redis-lock/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.9/9ce04e34240f674bc72680f8b843b1457383161a/commons-codec-1.9.jar

Dependency Hierarchy:

  • transport-6.8.12.jar (Root Library)
    • reindex-client-6.8.12.jar
      • elasticsearch-rest-client-6.8.12.jar
        • httpclient-4.5.2.jar
          • commons-codec-1.9.jar (Vulnerable Library)

commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /es5-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.10/4b95f4897fa13f2cd904aee711aeafc0c5295cd8/commons-codec-1.10.jar

Dependency Hierarchy:

  • transport-5.6.8.jar (Root Library)
    • reindex-client-5.6.8.jar
      • elasticsearch-rest-client-5.6.8.jar
        • commons-codec-1.10.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13


Step up your Open Source Security Game with Mend here

CVE-2019-2692 (Medium) detected in mysql-connector-java-8.0.11.jar

CVE-2019-2692 - Medium Severity Vulnerability

Vulnerable Library - mysql-connector-java-8.0.11.jar

JDBC Type 4 driver for MySQL

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /test-harness/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/mysql/mysql-connector-java/8.0.11/2c3d25fe1dfdd6496e0bbe47d67809f67487cfba/mysql-connector-java-8.0.11.jar,/canner/.gradle/caches/modules-2/files-2.1/mysql/mysql-connector-java/8.0.11/2c3d25fe1dfdd6496e0bbe47d67809f67487cfba/mysql-connector-java-8.0.11.jar

Dependency Hierarchy:

  • mysql-connector-java-8.0.11.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2019-04-23

Fix Resolution: 8.0.16



CVE-2020-7598 (Medium) detected in minimist-0.0.10.tgz, minimist-0.0.8.tgz

CVE-2020-7598 - Medium Severity Vulnerability

Vulnerable Libraries - minimist-0.0.10.tgz, minimist-0.0.8.tgz

minimist-0.0.10.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.10.tgz

Dependency Hierarchy:

  • webpack-1.15.0.tgz (Root Library)
    • optimist-0.6.1.tgz
      • minimist-0.0.10.tgz (Vulnerable Library)

minimist-0.0.8.tgz

parse argument options

Library home page: https://registry.npmjs.org/minimist/-/minimist-0.0.8.tgz

Dependency Hierarchy:

  • mocha-2.5.3.tgz (Root Library)
    • mkdirp-0.5.1.tgz
      • minimist-0.0.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

minimist before 1.2.2 could be tricked into adding or modifying properties of Object.prototype using a "constructor" or "__proto__" payload.

Publish Date: 2020-03-11

URL: CVE-2020-7598

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Release Date: 2020-03-11

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (webpack): 2.2.0

Fix Resolution (minimist): 0.2.1

Direct dependency fix Resolution (mocha): 6.2.3



CVE-2016-8745 (High) detected in tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

CVE-2016-8745 - High Severity Vulnerability

Vulnerable Libraries - tomcat-embed-core-7.0.62.jar, tomcat-embed-core-8.0.23.jar

tomcat-embed-core-7.0.62.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-7.0.62.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • tomcat-embed-websocket-7.0.62.jar
      • tomcat-embed-core-7.0.62.jar (Vulnerable Library)

tomcat-embed-core-8.0.23.jar

Core Tomcat implementation

Path to dependency file: /server/build.gradle

Path to vulnerable library: /tmp/ws-ua_20210204145620_PGHWOB/downloadResource_PPJIVJ/20210204154026/tomcat-embed-core-8.0.23.jar

Dependency Hierarchy:

  • gretty-runner-tomcat7-1.2.4.jar (Root Library)
    • gretty-runner-tomcat-1.2.4.jar
      • tomcat-embed-core-8.0.23.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A bug in the error handling of the send file code for the NIO HTTP connector in Apache Tomcat 9.0.0.M1 to 9.0.0.M13, 8.5.0 to 8.5.8, 8.0.0.RC1 to 8.0.39, 7.0.0 to 7.0.73 and 6.0.16 to 6.0.48 resulted in the current Processor object being added to the Processor cache multiple times. This in turn meant that the same Processor could be used for concurrent requests. Sharing a Processor can result in information leakage between requests including, but not limited to, session ID and the response body. The bug was first noticed in 8.5.x onwards where it appears the refactoring of the Connector code for 8.5.x onwards made it more likely that the bug was observed. Initially it was thought that the 8.5.x refactoring introduced the bug but further investigation has shown that the bug is present in all currently supported Tomcat versions.

Publish Date: 2017-08-10

URL: CVE-2016-8745

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-8745

Release Date: 2017-01-05

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 7.0.75

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 2.0.0

Fix Resolution (org.apache.tomcat.embed:tomcat-embed-core): 8.0.41

Direct dependency fix Resolution (org.akhikhl.gretty:gretty-runner-tomcat7): 1.4.0



CVE-2020-11979 (High) detected in ant-1.7.0.jar

CVE-2020-11979 - High Severity Vulnerability

Vulnerable Library - ant-1.7.0.jar

Apache Ant

Library home page: http://ant.apache.org/

Path to dependency file: /cassandra-persistence/build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar

Dependency Hierarchy:

  • cassandra-unit-3.5.0.1.jar (Root Library)
    • cassandra-all-3.11.2.jar
      • cassandra-thrift-3.11.2.jar
        • jflex-1.6.0.jar
          • ant-1.7.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Publish Date: 2020-10-01

URL: CVE-2020-11979

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2020-10-01

Fix Resolution: org.apache.ant:ant:1.10.9


