
online-jsp-compiler's Introduction

Hi Prateek Shrivastava here



  • 🔭 I'm currently working as a Development Team Lead on Java and Spring framework based projects.

  • 🌐 Created online jsp compiler, visit here: Online JSP Compiler

  • 🌱 I'm currently learning Spring-Boot and exploring System Design.

  • 🤝 Let's share our experiences and grow together.


🎧 Spotify Playing

Spotify Now Playing


๐Ÿ† Languages and Tools

angularjs docker git gulp heroku html5 java javascript jenkins linux oracle postman spring webpack


📈 GitHub Trophies

Github Trophy

📈 My GitHub Stats

Prateek Shrivastava's github stats


🗂️ Highlighted Projects

angularjs-es6-webpack online-jsp-compiler

online-jsp-compiler's People

Contributors

dependabot-preview[bot], dependabot[bot], inik, mend-bolt-for-github[bot], prateekshrivastava, shrivastava-prateek


online-jsp-compiler's Issues

CVE-2018-1272 (High) detected in spring-core-4.3.6.RELEASE.jar - autoclosed

CVE-2018-1272 - High Severity Vulnerability

Vulnerable Library - spring-core-4.3.6.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/pom.xml

Path to vulnerable library: canner/.m2/repository/org/springframework/spring-core/4.3.6.RELEASE/spring-core-4.3.6.RELEASE.jar,/online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-core-4.3.6.RELEASE.jar

Dependency Hierarchy:

  • ❌ spring-core-4.3.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: 2018-04-06

Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE


Step up your Open Source Security Game with WhiteSource here

CVE-2020-28502 (High) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2020-28502 - High Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • browser-sync-ui-2.26.14.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.0.tgz
          • ❌ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.

Publish Date: 2021-03-05

URL: CVE-2020-28502

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-h4j5-c7cj-74xg

Release Date: 2021-03-05

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.27.1


Step up your Open Source Security Game with Mend here

CVE-2021-43138 (High) detected in async-0.2.10.tgz, async-1.5.2.tgz - autoclosed

CVE-2021-43138 - High Severity Vulnerability

Vulnerable Libraries - async-0.2.10.tgz, async-1.5.2.tgz

async-0.2.10.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-0.2.10.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/gulp-uglify/node_modules/async/package.json

Dependency Hierarchy:

  • gulp-uglify-1.5.4.tgz (Root Library)
    • uglify-js-2.6.4.tgz
      • ❌ async-0.2.10.tgz (Vulnerable Library)

async-1.5.2.tgz

Higher-order functions and common patterns for asynchronous code

Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/async/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • portscanner-2.1.1.tgz
      • ❌ async-1.5.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.

Publish Date: 2022-04-06

URL: CVE-2021-43138

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138

Release Date: 2022-04-06

Fix Resolution (async): 2.6.4

Direct dependency fix Resolution (gulp-uglify): 2.1.0


CVE-2022-22970 (Medium) detected in spring-core-4.3.27.RELEASE.jar, spring-beans-4.3.27.RELEASE.jar

CVE-2022-22970 - Medium Severity Vulnerability

Vulnerable Libraries - spring-core-4.3.27.RELEASE.jar, spring-beans-4.3.27.RELEASE.jar

spring-core-4.3.27.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-core-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • ❌ spring-core-4.3.27.RELEASE.jar (Vulnerable Library)

spring-beans-4.3.27.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-beans/4.3.27.RELEASE/spring-beans-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-beans-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • ❌ spring-beans-4.3.27.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution: 5.2.22.RELEASE


CVE-2018-15756 (High) detected in spring-web-4.3.6.RELEASE.jar - autoclosed

CVE-2018-15756 - High Severity Vulnerability

Vulnerable Library - spring-web-4.3.6.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-web-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar

Dependency Hierarchy:

  • ❌ spring-web-4.3.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.

Publish Date: 2018-10-18

URL: CVE-2018-15756

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2018-15756

Release Date: 2018-10-18

Fix Resolution: 4.3.20,5.0.10,5.1.1


CVE-2022-1214 (High) detected in axios-0.21.1.tgz - autoclosed

CVE-2022-1214 - High Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/axios/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • localtunnel-2.0.1.tgz
      • ❌ axios-0.21.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.

Publish Date: 2022-05-03

URL: CVE-2022-1214

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/

Release Date: 2022-05-03

Fix Resolution: axios - v0.26.0


CVE-2020-11022 (Medium) detected in jquery-1.12.4.js, jquery-1.12.4.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.12.4.js, jquery-1.12.4.min.js

jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to vulnerable library: /resources/vendor/jquery/jquery.js

Dependency Hierarchy:

  • ❌ jquery-1.12.4.js (Vulnerable Library)

jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js

Dependency Hierarchy:

  • ❌ jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0


CVE-2018-11039 (Medium) detected in spring-web-4.3.6.RELEASE.jar - autoclosed

CVE-2018-11039 - Medium Severity Vulnerability

Vulnerable Library - spring-web-4.3.6.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-web-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar

Dependency Hierarchy:

  • ❌ spring-web-4.3.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.

Publish Date: 2018-06-25

URL: CVE-2018-11039

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11039

Release Date: 2018-06-25

Fix Resolution: org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-web:5.0.7.RELEASE,4.3.18.RELEASE


CVE-2018-14040 (Low) detected in bootstrap-3.3.7.min.js

CVE-2018-14040 - Low Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /index.jsp

Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • ❌ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0


CVE-2019-20149 (High) detected in io.js - autoclosed

CVE-2019-20149 - High Severity Vulnerability

Vulnerable Library - io.js v6.11.1

Node.js JavaScript runtime ✨🐢🚀✨

Library home page: https://github.com/iojs/io.js.git

Found in HEAD commit: b26b16fdb97fb017c423e6ac1eb0a1551aa707b0

Library Source Files (426)

* The source files were matched to this source library based on a best effort match. Source libraries are selected from a list of probable public libraries.

  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/async.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/omitBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/allOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/object.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/_formatLimit.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_listCacheDelete.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_customDefaultsMerge.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/inRange.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/create.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/takeRightWhile.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/oneOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/clone.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_LodashWrapper.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseAggregator.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortedIndexOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/method.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseConformsTo.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/reverse.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_hashGet.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isInteger.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/cond.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/result.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/mapValues.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIsMatch.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createCtor.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/flow.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_hasPath.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/thru.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/cloneDeep.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/sshpk/lib/errors.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pullAllBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/times.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_ListCache.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseGetAllKeys.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIsEqualDeep.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/bindAll.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_composeArgsRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/maxBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_setData.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isFinite.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/overSome.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_LazyWrapper.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/deburr.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/difference.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/castArray.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/rest.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toPairs.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/rechoir/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/scripts/compile-dots.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toArray.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/trimStart.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseFindKey.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/bindKey.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/_limitLength.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/uniqBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/size.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isTypedArray.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/forIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/forOwn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isEqualWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/fp/convert.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/isexe/test/basic.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/ary.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_lazyValue.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/collection.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/has.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/matchesProperty.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/keyword.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_equalArrays.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_hasUnicode.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/resolve.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/propertyOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/string.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSome.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createFlow.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIsEqual.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_getSymbolsIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/after.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/util.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/commit.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSortedUniq.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createPartial.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/some.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/snakeCase.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/jsonify/lib/parse.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/mergeWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/matches.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/uniq.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/flattenDepth.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createCompounder.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/methodOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/formats.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/enum.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isMatch.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toSafeInteger.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createCurry.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/sshpk/node_modules/assert-plus/assert.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/mapKeys.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/nthArg.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_wrapperClone.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/valuesIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/get.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/_limitItems.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/lang.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/dist/nodent.min.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseReduce.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_copyObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/uniqWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_getTag.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/_limit.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isWeakSet.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/assign.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/unionWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/wrapperChain.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_composeArgs.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseWhile.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/endsWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/wrapperLodash.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/escapeRegExp.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/once.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/delay.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/intersection.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_basePullAll.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/omit.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/intersectionBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/isexe/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/every.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/set.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIsTypedArray.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/kebabCase.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isWeakMap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseInverter.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/repeat.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/required.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/unescape.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/map.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseInvoke.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/isexe/windows.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isNumber.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIteratee.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/nth.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortedLastIndex.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/trimEnd.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSortedIndexBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/drop.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/zipWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/fp/_convertBrowser.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_isIterateeCall.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseRepeat.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseOrderBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/wrapperReverse.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_replaceHolders.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/includes.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/takeWhile.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/finalhandler/node_modules/ms/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_MapCache.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/xorBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/chain.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/partialRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/dropRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseXor.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/_rules.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseZipObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/curryRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isSafeInteger.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/keyBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/forEachRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/uniqueItems.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createFind.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_basePickBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/join.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseEvery.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/rangeRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/functionsIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/differenceWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_Hash.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/slice.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIndexOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/escape.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseExtremum.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/camelCase.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/property.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/take.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortedLastIndexOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/flip.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_deburrLetter.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/update.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createHybrid.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/truncate.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/function.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/throttle.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toNumber.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSetToString.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseMatchesProperty.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/curry.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/keysIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/spread.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/assignInWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/array.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/findLastKey.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/attempt.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/v5.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_lazyClone.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseKeysIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/chunk.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createWrap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/plant.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/overEvery.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/functions.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_cloneBuffer.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/util.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/unionBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/flatMapDeep.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createRecurry.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/mixin.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_shuffleSelf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sampleSize.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/dependencies.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/anyOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_arrayAggregator.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isEmpty.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/takeRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/patternRequired.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_assignValue.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/union.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/cloneWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/startsWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toPlainObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createMathOperation.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/wrapperAt.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/assignIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createOver.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/items.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isArguments.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_arrayReduce.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseDifference.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/negate.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toLength.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isMatchWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/groupBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/dist/regenerator.min.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isLength.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/filter.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isSymbol.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/dropRightWhile.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/defer.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/xor.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isString.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/format.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_hashHas.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toInteger.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/is-fullwidth-code-point/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isFunction.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/switch.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/eq.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/without.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/partial.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toPairsIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/flatMapDepth.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/reduce.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_getRawTag.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isNaN.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/fill.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/next.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseKeys.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isBuffer.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseGetTag.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isPlainObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortedLastIndexBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isError.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseWrapperValue.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_equalObjects.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/split.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/setWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/findIndex.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseToString.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/reject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_overRest.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/assignWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_SetCache.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/xorWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createPadding.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/array-uniq/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_unicodeSize.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/custom.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/isexe/mode.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_getSymbols.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/zipObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIntersection.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_shortOut.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/replace.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseUniq.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pickBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/_limitProperties.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_updateWrapDetails.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/invokeMap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/pattern.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_getFuncName.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isNative.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/rules.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isDate.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/before.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_getView.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createAssigner.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/wrap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/findLast.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_compareMultiple.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseMatches.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_stackSet.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_customDefaultsAssignIn.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createBaseEach.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/values.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/words.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/trim.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toPath.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseMap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_apply.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/differenceBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sumBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_compareAscending.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/shuffle.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/constant.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_reorder.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_mergeData.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_unicodeToArray.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_isLaziable.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/reduceRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/scripts/bundle.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/unzip.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/partition.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/clamp.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/merge.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/random.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_setWrapToString.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isArrayLike.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/findKey.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseRange.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pullAt.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createRange.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSortedIndex.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/padEnd.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/har-schema/lib/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/parseInt.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/meanBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createBind.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isEqual.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/intersectionWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pull.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/ref.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/unzipWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/flatMap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseCreate.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createCaseFirst.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseDelay.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/concat.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/conforms.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/forOwnRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_charsStartIndex.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createAggregator.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isArrayBuffer.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isBoolean.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/unset.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/templateSettings.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/orderBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/minBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/find.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/indexOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_equalByTag.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortedIndexBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pullAll.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/conformsTo.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/iteratee.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/bind.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/finalhandler/node_modules/debug/karma.conf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/zipObjectDeep.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/forEach.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseFill.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/keys.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_basePullAt.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_arrayLikeKeys.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIndexOfWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/compile/equal.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/ajv.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/properties.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pad.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/defaultsDeep.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/forInRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/transform.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/toFinite.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/rearg.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/startCase.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/jsonify/lib/stringify.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseFindIndex.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/tap.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_arrayReduceRight.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_isKey.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/pullAllWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/overArgs.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isArrayLikeObject.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/padStart.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/dropWhile.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/lastIndexOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/multipleOf.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/tunnel-agent/index.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/cloneDeepWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/memoize.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/sortedUniqBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseFlatten.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/remove.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseIsNative.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_insertWrapDetails.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSet.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_Stack.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/findLastIndex.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_baseSlice.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/_createToPairs.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/not.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/updateWith.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ajv/lib/dotjs/validate.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/range.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/countBy.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/isRegExp.js
  • /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/lodash/hasIn.js

Vulnerability Details

ctorName in index.js in kind-of v6.0.2 allows external user input to overwrite certain internal attributes via a conflicting name, as demonstrated by 'constructor': {'name':'Symbol'}. Hence, a crafted payload can overwrite this builtin attribute to manipulate the type detection result.
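The type confusion described above, as an added example that is not kind-of's own code: `ctorNameVulnerable` mirrors the shape of the 6.0.2 check (read `constructor.name` off whatever was passed in) and `ctorNameFixed` the shape of the 6.0.3 check (only trust `constructor` when it is a function), both reconstructed here rather than copied from the library; `makeKindOf`, `classify` and the cut-down `kindOf` around them are this example's own names. The attacker input is a constructed JSON body of the kind any endpoint that parses a request and then asks kind-of what it received would hand to the library.

```javascript
// Reconstruction of the kind-of 6.0.2 weakness (not the library's verbatim code):
// the constructor name is read straight off the value, so a plain object that
// carries its own `constructor` property can impersonate a built-in type.
function ctorNameVulnerable(val) {
  return val.constructor ? val.constructor.name : null;
}

// Shape of the 6.0.3 fix (reconstructed): a `constructor` that is not a function
// cannot be a real constructor, so its `name` is ignored. JSON can never carry
// a function, so a parsed request body can no longer spoof the type.
function ctorNameFixed(val) {
  return typeof val.constructor === 'function' ? val.constructor.name : null;
}

// Minimal type detector modelled on kind-of's control flow, parameterised by
// which ctorName implementation it consults for the object cases.
function makeKindOf(ctorName) {
  return function kindOf(val) {
    if (val === undefined) return 'undefined';
    if (val === null) return 'null';
    const type = typeof val;
    if (type !== 'object') return type; // boolean, string, number, symbol, bigint, function
    if (Array.isArray(val)) return 'array';
    if (val instanceof Date) return 'date';
    if (val instanceof RegExp) return 'regexp';
    switch (ctorName(val)) {
      case 'Symbol': return 'symbol';
      case 'Promise': return 'promise';
      case 'Map': return 'map';
      case 'Set': return 'set';
      case 'WeakMap': return 'weakmap';
      case 'WeakSet': return 'weakset';
    }
    return 'object';
  };
}

const kindOfVulnerable = makeKindOf(ctorNameVulnerable);
const kindOfFixed = makeKindOf(ctorNameFixed);

// Constructed attacker input: the payload from the advisory, exactly as a
// client could send it in a JSON request body.
const attackerPayload = JSON.parse('{"constructor": {"name": "Symbol"}}');

// Run both detectors over one value so the difference is visible side by side.
function classify(val) {
  return { vulnerable: kindOfVulnerable(val), fixed: kindOfFixed(val) };
}
```

`classify(attackerPayload)` reports `symbol` from the vulnerable path and `object` from the fixed one, while a genuine `new Map()` is reported as `map` by both. The practical risk is in whatever branches on that answer: a merge, validation or serialisation routine that treats "symbol" (or "promise", "map", ...) differently from a plain object can be steered by a request body, which is why the CVSS vector above scores integrity High.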

Publish Date: 2019-12-30

URL: CVE-2019-20149

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-20149

Release Date: 2019-12-30

Fix Resolution: 6.0.3


Step up your Open Source Security Game with WhiteSource here

CVE-2021-23337 (High) detected in lodash-4.17.20.tgz, lodash-1.0.2.tgz

CVE-2021-23337 - High Severity Vulnerability

Vulnerable Libraries - lodash-4.17.20.tgz, lodash-1.0.2.tgz

lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/lodash/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • easy-extender-2.3.4.tgz
      • โŒ lodash-4.17.20.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
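The injection path behind this advisory is the `variable` option of `_.template`, which lodash splices verbatim into the parameter list of the function source it hands to `Function()`. The following is an added example, not lodash's code: `buildSource` and `templateVulnerable` are a cut-down reconstruction of that construction (interpolation only, no escaping or evaluation tags), `templateFixed` adds the check 4.17.21 introduced, and `reForbiddenIdentifierChars` together with the error text are reproduced from memory of the upstream fix rather than taken from this page. `PAYLOAD` and `runDemo` are constructed for the demonstration; the payload only sets a global so it is safe to run.

```javascript
// Interpolation tag, the same shape lodash uses for <%= expr %>.
const reInterpolate = /<%=([\s\S]+?)%>/g;

// Character class lodash 4.17.21 added to reject unsafe `variable` names
// (assumption: reproduced from memory of the upstream fix).
const reForbiddenIdentifierChars = /[()=,{}\[\]\/\s]/;

// Build the JavaScript source of the compiled template as a string.
// Vulnerable shape: `variable` is concatenated into the parameter list as-is.
function buildSource(text, variable) {
  let body = "var __p = '';\n";
  let index = 0;
  text.replace(reInterpolate, (match, expr, offset) => {
    body += '__p += ' + JSON.stringify(text.slice(index, offset)) + ';\n';
    body += '__p += (' + expr + ');\n';
    index = offset + match.length;
    return match;
  });
  body += '__p += ' + JSON.stringify(text.slice(index)) + ';\n';
  body += 'return __p;\n';
  return 'function(' + variable + ') {\n' + body + '}';
}

// Compile like lodash does: evaluate the generated source immediately via
// Function(). Anything smuggled into `variable` therefore runs at compile
// time, before the template is ever rendered.
function templateVulnerable(text, options = {}) {
  const variable = options.variable || 'obj';
  return Function('return ' + buildSource(text, variable))();
}

// Hardened variant: refuse any `variable` that is not a bare identifier.
function templateFixed(text, options = {}) {
  const variable = options.variable || 'obj';
  if (reForbiddenIdentifierChars.test(variable)) {
    throw new Error('Invalid `variable` option passed into `_.template`');
  }
  return templateVulnerable(text, { variable });
}

// Constructed payload: closes the parameter list and body of the function
// lodash meant to return, runs attacker code via `&&` (a function expression
// is truthy, so evaluation continues), then opens a fresh function so the
// generated source still parses and the template still renders normally.
const PAYLOAD =
  "x){} && (globalThis.__templateInjection = 'ran at compile time') && function(data";

// Exercise both variants and return what each one did.
function runDemo() {
  const text = 'Hello <%= data.name %>!';
  delete globalThis.__templateInjection;
  const compiled = templateVulnerable(text, { variable: PAYLOAD });
  const injected = globalThis.__templateInjection; // set before any render call
  let fixedRejected = false;
  try {
    templateFixed(text, { variable: PAYLOAD });
  } catch (err) {
    fixedRejected = true;
  }
  return {
    injected,                                      // 'ran at compile time'
    rendered: compiled({ name: 'world' }),         // 'Hello world!' (template still works)
    fixedRejected,                                 // true
    legit: templateFixed(text, { variable: 'data' })({ name: 'world' }), // 'Hello world!'
  };
}
```

Note the CVSS vector above: Privileges Required is High because the attacker must control the `variable` option itself, not just the data rendered through the template. The realistic exposure is code that lets callers configure template options, or a supply-chain path through a build tool such as the gulp and browser-sync chains listed in the hierarchy, where the compile step runs with the developer's or CI runner's privileges.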

Publish Date: 2021-02-15

URL: CVE-2021-23337

CVSS 3 Score Details (7.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-35jh-r3h4-6jhm

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (browser-sync): 2.27.1

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp): 4.0.0



CVE-2020-5421 (Medium) detected in spring-web-4.3.27.RELEASE.jar

CVE-2020-5421 - Medium Severity Vulnerability

Vulnerable Library - spring-web-4.3.27.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-web-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-web-4.3.27.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: 2020-09-19

URL: CVE-2020-5421

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: 2020-09-19

Fix Resolution: 4.3.29.RELEASE



CVE-2019-1010266 (Medium) detected in lodash-1.0.2.tgz

CVE-2019-1010266 - Medium Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.

Publish Date: 2019-07-17

URL: CVE-2019-1010266

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-17

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (gulp): 4.0.0


WS-2018-0021 (Medium) detected in bootstrap-3.3.7.min.js - autoclosed

WS-2018-0021 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/target/online-jsp-compiler/index.jsp

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/resources/vendor/bootstrap/js/bootstrap.min.js,/online-jsp-compiler/target/online-jsp-compiler/resources/vendor/bootstrap/js/bootstrap.min.js,/online-jsp-compiler/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • โŒ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

XSS in data-target in bootstrap (3.3.7 and before)

Publish Date: 2017-09-29

URL: WS-2018-0021

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-06-12

Fix Resolution: 3.4.0


CVE-2018-3721 (Medium) detected in lodash-1.0.2.tgz

CVE-2018-3721 - Medium Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-06-07

URL: CVE-2018-3721

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1067

Release Date: 2018-06-07

Fix Resolution (lodash): 4.17.5

Direct dependency fix Resolution (gulp): 4.0.0


CVE-2018-20676 (Medium) detected in bootstrap-3.3.7.min.js

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /index.jsp

Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • โŒ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0


CVE-2017-16086 (High) detected in ua-parser-0.7.17.js - autoclosed

CVE-2017-16086 - High Severity Vulnerability

Vulnerable Library - ua-parser-0.7.17.js

Lightweight JavaScript-based user-agent string parser

Library home page: https://cdnjs.cloudflare.com/ajax/libs/UAParser.js/0.7.17/ua-parser.js

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ua-parser-js/src/ua-parser.js

Dependency Hierarchy:

  • โŒ ua-parser-0.7.17.js (Vulnerable Library)

Found in HEAD commit: b26b16fdb97fb017c423e6ac1eb0a1551aa707b0

Vulnerability Details

ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.

Publish Date: 2018-06-07

URL: CVE-2017-16086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2022-22965 (Critical) detected in spring-beans-4.3.27.RELEASE.jar

CVE-2022-22965 - Critical Severity Vulnerability

Vulnerable Library - spring-beans-4.3.27.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-beans/4.3.27.RELEASE/spring-beans-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-beans-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-beans-4.3.27.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: 5.2.20.RELEASE


CVE-2017-1000048 (High) detected in qs-6.2.3.tgz - autoclosed

CVE-2017-1000048 - High Severity Vulnerability

Vulnerable Library - qs-6.2.3.tgz

A querystring parser that supports nesting and arrays, with a depth limit

Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json

Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/qs/package.json

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • โŒ qs-6.2.3.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

The web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2, and v6.0.4 is vulnerable to a DoS. A malicious user can send an evil request to cause the web framework to crash. Note that the detected qs-6.2.3.tgz is itself one of the fixed versions this description names.

Publish Date: 2017-07-17

URL: CVE-2017-1000048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Change files

Origin: ljharb/qs@c709f6e

Release Date: 2017-03-06

Fix Resolution: Replace or update the following file: v6.0.4


CVE-2021-35065 (High) detected in glob-parent-5.1.1.tgz - autoclosed

CVE-2021-35065 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • chokidar-3.5.1.tgz
      • โŒ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package glob-parent before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).

Publish Date: 2021-06-22

URL: CVE-2021-35065

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cj88-88mr-972w

Release Date: 2021-06-22

Fix Resolution: glob-parent - 6.0.1


CVE-2021-31597 (Critical) detected in xmlhttprequest-ssl-1.5.5.tgz

CVE-2021-31597 - Critical Severity Vulnerability

Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz

XMLHttpRequest for Node

Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/xmlhttprequest-ssl/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • browser-sync-ui-2.26.14.tgz
      • socket.io-client-2.4.0.tgz
        • engine.io-client-3.5.0.tgz
          • โŒ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.

Publish Date: 2021-04-23

URL: CVE-2021-31597

CVSS 3 Score Details (9.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597

Release Date: 2021-04-23

Fix Resolution (xmlhttprequest-ssl): 1.6.1

Direct dependency fix Resolution (browser-sync): 2.27.1

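The failure mode this report describes, as an added example rather than xmlhttprequest-ssl's or Node's own code: a wrapper that forwards rejectUnauthorized even when the caller never set it produces an option object in which the key exists with the value undefined, and a receiver that spreads caller options over its defaults and then tests for truthiness ends up not verifying the certificate. The receiver here is a model of the mechanism the CVE text describes, not Node's code, and every name is hypothetical:

```javascript
// Added example, not code from xmlhttprequest-ssl or Node.js: how a TLS option
// that is present but undefined can silently turn certificate validation off.
//
// Assumption: the receiving side merges caller options over its defaults with
// object spread and then tests the merged value for truthiness. That matches
// what the CVE text says about Node's https.request, but the receiver below is
// a model written for this illustration, not Node's code. All names are
// hypothetical.

// Wrapper that forwards every option it knows about, whether or not the caller
// supplied a value. When opts.rejectUnauthorized was never set this yields
// { rejectUnauthorized: undefined }: the key exists, the value is undefined.
function buildOptionsUnsafe(opts) {
  return {
    host: opts.host,
    port: opts.port,
    rejectUnauthorized: opts.rejectUnauthorized,
  };
}

// Hardened wrapper: forward the key only when the caller actually set it, so
// the receiver's own default (verify) survives the merge.
function buildOptionsSafe(opts) {
  const out = { host: opts.host, port: opts.port };
  if (opts.rejectUnauthorized !== undefined) {
    out.rejectUnauthorized = opts.rejectUnauthorized;
  }
  return out;
}

// Model receiver: defaults first, caller options spread on top, truthiness
// check last. Spreading { rejectUnauthorized: undefined } copies the undefined
// over the default true, and undefined is falsy, so verification is skipped.
function receiverVerifiesCert(forwarded) {
  const merged = { rejectUnauthorized: true, ...forwarded };
  return Boolean(merged.rejectUnauthorized);
}

// Stricter receiver: only an explicit false opts out of verification.
function receiverVerifiesCertStrict(forwarded) {
  const merged = { rejectUnauthorized: true, ...forwarded };
  return merged.rejectUnauthorized !== false;
}

// Constructed caller input: an ordinary request that never mentions TLS options.
const callerOpts = { host: 'example.invalid', port: 443 };

function demo() {
  const unsafe = buildOptionsUnsafe(callerOpts);
  const safe = buildOptionsSafe(callerOpts);
  return {
    unsafeKeyPresent: Object.prototype.hasOwnProperty.call(unsafe, 'rejectUnauthorized'), // true
    unsafeVerifies: receiverVerifiesCert(unsafe),               // false: validation is off
    safeVerifies: receiverVerifiesCert(safe),                   // true
    strictReceiverVerifies: receiverVerifiesCertStrict(unsafe), // true: receiver-side fix
    explicitOptOutHonoured: receiverVerifiesCertStrict(
      buildOptionsSafe({ ...callerOpts, rejectUnauthorized: false })), // false, as requested
  };
}

console.log(demo());
```

The practical check is the first field: if a wrapper's option object has the key present at all when the caller said nothing, every layer below it has to guard against undefined rather than only against false. Both fixes above are independent; the wrapper-side one is what a library like xmlhttprequest-ssl can ship, the receiver-side one is what a defensive caller of tls.connect-style APIs can insist on.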

CVE-2018-11040 (Medium) detected in spring-web-4.3.6.RELEASE.jar, spring-webmvc-4.3.6.RELEASE.jar - autoclosed

CVE-2018-11040 - Medium Severity Vulnerability

Vulnerable Libraries - spring-web-4.3.6.RELEASE.jar, spring-webmvc-4.3.6.RELEASE.jar

spring-web-4.3.6.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-web-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-web-4.3.6.RELEASE.jar (Vulnerable Library)
spring-webmvc-4.3.6.RELEASE.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-webmvc-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-webmvc/4.3.6.RELEASE/spring-webmvc-4.3.6.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-webmvc-4.3.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.

Publish Date: 2018-06-25

URL: CVE-2018-11040

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040

Release Date: 2018-06-25

Fix Resolution: org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-webmvc:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-websocket:5.0.7.RELEASE,4.3.18.RELEASE


CVE-2021-3749 (High) detected in axios-0.21.1.tgz

CVE-2021-3749 - High Severity Vulnerability

Vulnerable Library - axios-0.21.1.tgz

Promise based HTTP client for the browser and node.js

Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/axios/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • localtunnel-2.0.1.tgz
      • โŒ axios-0.21.1.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

axios is vulnerable to Inefficient Regular Expression Complexity

Publish Date: 2021-08-31

URL: CVE-2021-3749

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/

Release Date: 2021-08-31

Fix Resolution (axios): 0.21.2

Direct dependency fix Resolution (browser-sync): 2.27.1


CVE-2016-10540 (High) detected in minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

CVE-2016-10540 - High Severity Vulnerability

Vulnerable Libraries - minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ minimatch-0.2.14.tgz (Vulnerable Library)
minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/glob/node_modules/minimatch/package.json,/src/main/webapp/resources/node_modules/glob-stream/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-stream-3.1.18.tgz
        • โŒ minimatch-2.0.10.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern) in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.

Publish Date: 2018-04-26

URL: CVE-2016-10540

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540

Release Date: 2018-04-26

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (minimatch): 3.0.2

Direct dependency fix Resolution (gulp): 4.0.0


CVE-2020-11023 (Medium) detected in jquery-1.12.4.js, jquery-1.12.4.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.12.4.js, jquery-1.12.4.min.js

jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to vulnerable library: /resources/vendor/jquery/jquery.js

Dependency Hierarchy:

  • โŒ jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js

Dependency Hierarchy:

  • โŒ jquery-1.12.4.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0


CVE-2020-8203 (High) detected in lodash-1.0.2.tgz

CVE-2020-8203 - High Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.

Publish Date: 2020-07-15

URL: CVE-2020-8203

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1523

Release Date: 2020-07-15

Fix Resolution (lodash): 4.17.20

Direct dependency fix Resolution (gulp): 4.0.0


CVE-2016-1000027 (Critical) detected in spring-web-4.3.27.RELEASE.jar

CVE-2016-1000027 - Critical Severity Vulnerability

Vulnerable Library - spring-web-4.3.27.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-web-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-web-4.3.27.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4wrc-f8pq-fpqp

Release Date: 2020-01-02

Fix Resolution: 4.3.28.RELEASE


CVE-2022-3517 (High) detected in multiple libraries

CVE-2022-3517 - High Severity Vulnerability

Vulnerable Libraries - minimatch-3.0.4.tgz, minimatch-0.2.14.tgz, minimatch-2.0.10.tgz

minimatch-3.0.4.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/minimatch/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • resp-modifier-6.0.2.tgz
      • โŒ minimatch-3.0.4.tgz (Vulnerable Library)
minimatch-0.2.14.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ minimatch-0.2.14.tgz (Vulnerable Library)
minimatch-2.0.10.tgz

a glob matcher in javascript

Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/glob/node_modules/minimatch/package.json,/src/main/webapp/resources/node_modules/glob-stream/node_modules/minimatch/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-stream-3.1.18.tgz
        • โŒ minimatch-2.0.10.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.

Publish Date: 2022-10-17

URL: CVE-2022-3517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-10-17

Fix Resolution: minimatch - 3.0.5


CVE-2018-3728 (High) detected in hoek-2.16.3.tgz

CVE-2018-3728 - High Severity Vulnerability

Vulnerable Library - hoek-2.16.3.tgz

General purpose node utilities

Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/hoek/package.json

Dependency Hierarchy:

  • gulp-less-3.5.0.tgz (Root Library)
    • less-2.7.3.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • โŒ hoek-2.16.3.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of an existing property that will exist on all objects.

Publish Date: 2018-03-30

URL: CVE-2018-3728

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082

Release Date: 2018-03-30

Fix Resolution (hoek): 4.2.0

Direct dependency fix Resolution (gulp-less): 4.0.0


CVE-2020-28500 (Medium) detected in lodash-4.17.20.tgz, lodash-1.0.2.tgz

CVE-2020-28500 - Medium Severity Vulnerability

Vulnerable Libraries - lodash-4.17.20.tgz, lodash-1.0.2.tgz

lodash-4.17.20.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/lodash/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • easy-extender-2.3.4.tgz
      • โŒ lodash-4.17.20.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.

Publish Date: 2021-02-15

URL: CVE-2020-28500

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500

Release Date: 2021-02-15

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (browser-sync): 2.27.1

Fix Resolution (lodash): 4.17.21

Direct dependency fix Resolution (gulp): 4.0.0


Step up your Open Source Security Game with Mend here

CVE-2020-7608 (Medium) detected in yargs-parser-4.2.1.tgz - autoclosed

CVE-2020-7608 - Medium Severity Vulnerability

Vulnerable Library - yargs-parser-4.2.1.tgz

the mighty option parser used by yargs

Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json

Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/yargs-parser/package.json

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • yargs-6.4.0.tgz
      • โŒ yargs-parser-4.2.1.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "__proto__" payload.

Publish Date: 2020-03-16

URL: CVE-2020-7608

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608

Release Date: 2020-03-16

Fix Resolution: v18.1.1;13.1.2;15.0.1

CVE-2022-29167 (High) detected in hawk-3.1.3.tgz

CVE-2022-29167 - High Severity Vulnerability

Vulnerable Library - hawk-3.1.3.tgz

HTTP Hawk Authentication Scheme

Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/hawk/package.json

Dependency Hierarchy:

  • gulp-less-3.5.0.tgz (Root Library)
    • less-2.7.3.tgz
      • request-2.81.0.tgz
        • โŒ hawk-3.1.3.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse Host HTTP header (Hawk.utils.parseHost()), which was subject to regular expression DoS attack - meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use built-in URL class to parse hostname instead. Hawk.authenticate() accepts options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().

Publish Date: 2022-05-05

URL: CVE-2022-29167

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-44pw-h2cw-w3vq

Release Date: 2022-05-05

Fix Resolution (hawk): 9.0.1

Direct dependency fix Resolution (gulp-less): 4.0.0

CVE-2018-1271 (Medium) detected in spring-webmvc-4.3.6.RELEASE.jar - autoclosed

CVE-2018-1271 - Medium Severity Vulnerability

Vulnerable Library - spring-webmvc-4.3.6.RELEASE.jar

Spring Web MVC

Library home page: https://github.com/spring-projects/spring-framework

Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-webmvc-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-webmvc/4.3.6.RELEASE/spring-webmvc-4.3.6.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-webmvc-4.3.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.

Publish Date: 2018-04-06

URL: CVE-2018-1271

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271

Release Date: 2018-04-06

Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE

CVE-2020-36048 (High) detected in engine.io-3.5.0.tgz

CVE-2020-36048 - High Severity Vulnerability

Vulnerable Library - engine.io-3.5.0.tgz

The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server

Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/engine.io/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • socket.io-2.4.0.tgz
      • โŒ engine.io-3.5.0.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.

Publish Date: 2021-01-08

URL: CVE-2020-36048

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048

Release Date: 2021-01-08

Fix Resolution (engine.io): 3.6.0

Direct dependency fix Resolution (browser-sync): 2.27.8

CVE-2018-16487 (Medium) detected in lodash-1.0.2.tgz

CVE-2018-16487 - Medium Severity Vulnerability

Vulnerable Library - lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.

Publish Date: 2019-02-01

URL: CVE-2018-16487

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://hackerone.com/reports/380873

Release Date: 2019-02-01

Fix Resolution (lodash): 4.17.11

Direct dependency fix Resolution (gulp): 4.0.0

CVE-2021-22096 (Medium) detected in spring-core-4.3.27.RELEASE.jar, spring-web-4.3.27.RELEASE.jar

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Libraries - spring-core-4.3.27.RELEASE.jar, spring-web-4.3.27.RELEASE.jar

spring-core-4.3.27.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-core-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-core-4.3.27.RELEASE.jar (Vulnerable Library)
spring-web-4.3.27.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-web-4.3.27.RELEASE.jar

Dependency Hierarchy:

  • โŒ spring-web-4.3.27.RELEASE.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: 5.2.18.RELEASE

CVE-2018-1000620 (Critical) detected in cryptiles-2.0.5.tgz

CVE-2018-1000620 - Critical Severity Vulnerability

Vulnerable Library - cryptiles-2.0.5.tgz

General purpose crypto utilities

Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/cryptiles/package.json

Dependency Hierarchy:

  • gulp-less-3.5.0.tgz (Root Library)
    • less-2.7.3.tgz
      • request-2.81.0.tgz
        • hawk-3.1.3.tgz
          • โŒ cryptiles-2.0.5.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to brute force something that was supposed to be random. This attack appears to be exploitable depending upon the calling application. This vulnerability appears to have been fixed in 4.1.2.

Publish Date: 2018-07-09

URL: CVE-2018-1000620

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620

Release Date: 2018-07-09

Fix Resolution (cryptiles): 4.1.2

Direct dependency fix Resolution (gulp-less): 4.0.0

CVE-2020-28469 (High) detected in glob-parent-5.1.1.tgz

CVE-2020-28469 - High Severity Vulnerability

Vulnerable Library - glob-parent-5.1.1.tgz

Extract the non-magic parent path from a glob string.

Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/glob-parent/package.json

Dependency Hierarchy:

  • browser-sync-2.26.14.tgz (Root Library)
    • chokidar-3.5.1.tgz
      • โŒ glob-parent-5.1.1.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.

Publish Date: 2021-06-03

URL: CVE-2020-28469

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469

Release Date: 2021-06-03

Fix Resolution (glob-parent): 5.1.2

Direct dependency fix Resolution (browser-sync): 2.27.1

CVE-2016-10735 (Medium) detected in bootstrap-3.3.7.min.js

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /index.jsp

Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • โŒ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

CVE-2019-11358 (Medium) detected in jquery-1.12.4.js, jquery-1.12.4.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.12.4.js, jquery-1.12.4.min.js

jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to vulnerable library: /resources/vendor/jquery/jquery.js

Dependency Hierarchy:

  • โŒ jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js

Dependency Hierarchy:

  • โŒ jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable __proto__ property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2020-15366 (Medium) detected in ajv-4.11.8.tgz

CVE-2020-15366 - Medium Severity Vulnerability

Vulnerable Library - ajv-4.11.8.tgz

Another JSON Schema Validator

Library home page: https://registry.npmjs.org/ajv/-/ajv-4.11.8.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/ajv/package.json

Dependency Hierarchy:

  • gulp-less-3.5.0.tgz (Root Library)
    • less-2.7.3.tgz
      • request-2.81.0.tgz
        • har-validator-4.2.1.tgz
          • โŒ ajv-4.11.8.tgz (Vulnerable Library)

Found in base branch: master

Vulnerability Details

An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)

Publish Date: 2020-07-15

URL: CVE-2020-15366

CVSS 3 Score Details (5.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-07-15

Fix Resolution (ajv): 6.12.3

Direct dependency fix Resolution (gulp-less): 4.0.0

WS-2020-0091 (High) detected in http-proxy-1.15.2.tgz - autoclosed

WS-2020-0091 - High Severity Vulnerability

Vulnerable Library - http-proxy-1.15.2.tgz

HTTP proxying for the masses

Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.15.2.tgz

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json

Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/http-proxy/package.json

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • โŒ http-proxy-1.15.2.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.

Publish Date: 2020-05-14

URL: WS-2020-0091

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.npmjs.com/advisories/1486

Release Date: 2020-05-26

Fix Resolution: http-proxy - 1.18.1

CVE-2015-9251 (Medium) detected in jquery-1.12.4.js, jquery-1.12.4.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Libraries - jquery-1.12.4.js, jquery-1.12.4.min.js

jquery-1.12.4.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js

Path to vulnerable library: /resources/vendor/jquery/jquery.js

Dependency Hierarchy:

  • โŒ jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js

Path to dependency file: /src/main/webapp/index.jsp

Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js

Dependency Hierarchy:

  • โŒ jquery-1.12.4.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

WS-2019-0017 (Medium) detected in clean-css-3.4.28.tgz

WS-2019-0017 - Medium Severity Vulnerability

Vulnerable Library - clean-css-3.4.28.tgz

A well-tested CSS minifier

Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/clean-css/package.json

Dependency Hierarchy:

  • gulp-clean-css-2.3.2.tgz (Root Library)
    • โŒ clean-css-3.4.28.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can cause the application to be unresponsive, leading to Denial of Service.

Publish Date: 2018-03-06

URL: WS-2019-0017

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-wxhq-pm8v-cw75

Release Date: 2018-03-06

Fix Resolution (clean-css): 4.1.11

Direct dependency fix Resolution (gulp-clean-css): 2.4.0

CVE-2018-20677 (Medium) detected in bootstrap-3.3.7.min.js

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /index.jsp

Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • โŒ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

CVE-2019-8331 (Medium) detected in bootstrap-3.3.7.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /index.jsp

Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • โŒ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

WS-2020-0070 (High) detected in lodash-1.0.2.tgz, lodash-4.17.15.tgz - autoclosed

WS-2020-0070 - High Severity Vulnerability

Vulnerable Libraries - lodash-1.0.2.tgz, lodash-4.17.15.tgz

lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json

Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.17.15.tgz

Lodash modular utilities.

Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz

Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json

Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/lodash/package.json

Dependency Hierarchy:

  • browser-sync-2.26.7.tgz (Root Library)
    • easy-extender-2.3.4.tgz
      • โŒ lodash-4.17.15.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Vulnerability Details

A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.

Publish Date: 2020-04-28

URL: WS-2020-0070

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

CVE-2019-10744 (Critical) detected in lodash.template-3.6.2.tgz, lodash-1.0.2.tgz

CVE-2019-10744 - Critical Severity Vulnerability

Vulnerable Libraries - lodash.template-3.6.2.tgz, lodash-1.0.2.tgz

lodash.template-3.6.2.tgz

The modern build of lodash's `_.template` as a module.

Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/lodash.template/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • gulp-util-3.0.8.tgz
      • โŒ lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-1.0.2.tgz

A utility library delivering consistency, customization, performance, and extras.

Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz

Path to dependency file: /src/main/webapp/resources/package.json

Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json

Dependency Hierarchy:

  • gulp-3.9.1.tgz (Root Library)
    • vinyl-fs-0.3.14.tgz
      • glob-watcher-0.0.6.tgz
        • gaze-0.5.2.tgz
          • globule-0.1.0.tgz
            • โŒ lodash-1.0.2.tgz (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.

Publish Date: 2019-07-26

URL: CVE-2019-10744

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jf85-cpcp-j695

Release Date: 2019-07-26

Fix Resolution (lodash.template): 4.5.0

Direct dependency fix Resolution (gulp): 4.0.0

Fix Resolution (lodash): 4.5.0

Direct dependency fix Resolution (gulp): 4.0.0

CVE-2018-14042 (Medium) detected in bootstrap-3.3.7.min.js

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.3.7.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js

Path to dependency file: /index.jsp

Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js

Dependency Hierarchy:

  • โŒ bootstrap-3.3.7.min.js (Vulnerable Library)

Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2, org.webjars:bootstrap:3.4.0
