Online JSP Compiler is a free-to-use, open-source project that helps users test their standalone JSP pages.
Home Page: http://www.onlinejspcompiler.com/
License: MIT License
Java 55.45%
HTML 6.48%
JavaScript 8.27%
CSS 2.11%
Less 27.69%
online-jsp-compiler's Issues
CVE-2018-1272 - High Severity Vulnerability
Vulnerable Library - spring-core-4.3.6.RELEASE.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/pom.xml
Path to vulnerable library: canner/.m2/repository/org/springframework/spring-core/4.3.6.RELEASE/spring-core-4.3.6.RELEASE.jar,/online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-core-4.3.6.RELEASE.jar
Dependency Hierarchy:
└─ spring-core-4.3.6.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here.
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1272
Release Date: 2018-04-06
Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE
Step up your Open Source Security Game with WhiteSource here
CVE-2020-28502 - High Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
browser-sync-ui-2.26.14.tgz
socket.io-client-2.4.0.tgz
engine.io-client-3.5.0.tgz
└─ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package xmlhttprequest before 1.7.0; all versions of package xmlhttprequest-ssl. Provided requests are sent synchronously (async=False on xhr.open), malicious user input flowing into xhr.send could result in arbitrary code being injected and run.
Publish Date: 2021-03-05
URL: CVE-2020-28502
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h4j5-c7cj-74xg
Release Date: 2021-03-05
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (browser-sync): 2.27.1
CVE-2021-43138 - High Severity Vulnerability
Vulnerable Libraries - async-0.2.10.tgz , async-1.5.2.tgz
async-0.2.10.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-0.2.10.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/gulp-uglify/node_modules/async/package.json
Dependency Hierarchy:
gulp-uglify-1.5.4.tgz (Root Library)
uglify-js-2.6.4.tgz
└─ async-0.2.10.tgz (Vulnerable Library)
async-1.5.2.tgz
Higher-order functions and common patterns for asynchronous code
Library home page: https://registry.npmjs.org/async/-/async-1.5.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/async/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
portscanner-2.1.1.tgz
└─ async-1.5.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Async before 2.6.4 and 3.x before 3.2.2, a malicious user can obtain privileges via the mapValues() method, aka lib/internal/iterator.js createObjectIterator prototype pollution.
Publish Date: 2022-04-06
URL: CVE-2021-43138
CVSS 3 Score Details (7.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-43138
Release Date: 2022-04-06
Fix Resolution (async): 2.6.4
Direct dependency fix Resolution (gulp-uglify): 2.1.0
CVE-2022-22970 - Medium Severity Vulnerability
Vulnerable Libraries - spring-core-4.3.27.RELEASE.jar , spring-beans-4.3.27.RELEASE.jar
spring-core-4.3.27.RELEASE.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-core-4.3.27.RELEASE.jar
Dependency Hierarchy:
└─ spring-core-4.3.27.RELEASE.jar (Vulnerable Library)
spring-beans-4.3.27.RELEASE.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-beans/4.3.27.RELEASE/spring-beans-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-beans-4.3.27.RELEASE.jar
Dependency Hierarchy:
└─ spring-beans-4.3.27.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part on a field of a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution: 5.2.22.RELEASE
CVE-2018-15756 - High Severity Vulnerability
Vulnerable Library - spring-web-4.3.6.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-web-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar
Dependency Hierarchy:
└─ spring-web-4.3.6.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Publish Date: 2018-10-18
URL: CVE-2018-15756
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-15756
Release Date: 2018-10-18
Fix Resolution: 4.3.20,5.0.10,5.1.1
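One way to refuse the request shapes the advisory describes before any resource bytes are read, as an added example in JavaScript rather than Spring's Java: this is not Spring's code, and MAX_RANGES is an assumed policy value. The parser takes a bytes= Range header and the resource length, rejects more ranges than the cap, unsatisfiable ranges and any pair of overlapping ranges, and otherwise returns the normalised ranges; the sample headers are constructed.

```javascript
// Added example, not Spring's code: validate an HTTP Range header against a
// known resource length and reject the abusive shapes before serving bytes.
const MAX_RANGES = 10; // assumed policy value

// Returns null when there is no usable Range header, otherwise an array of
// {start, end} byte ranges (inclusive). Throws RangeError on anything that
// should be answered with 416 or simply ignored.
function parseRangeHeader(header, resourceLength) {
  if (typeof header !== 'string' || !header.startsWith('bytes=')) return null;
  const specs = header.slice('bytes='.length).split(',');
  if (specs.length > MAX_RANGES) throw new RangeError('too many ranges');
  const ranges = [];
  for (const rawSpec of specs) {
    const spec = rawSpec.trim();
    const m = /^(\d*)-(\d*)$/.exec(spec);
    if (!m || (m[1] === '' && m[2] === '')) throw new RangeError('malformed range');
    let start;
    let end;
    if (m[1] === '') {                     // suffix form "-N": the last N bytes
      const suffix = Number(m[2]);
      if (suffix === 0) throw new RangeError('empty suffix range');
      start = Math.max(0, resourceLength - suffix);
      end = resourceLength - 1;
    } else {
      start = Number(m[1]);
      end = m[2] === '' ? resourceLength - 1 : Math.min(Number(m[2]), resourceLength - 1);
    }
    if (start >= resourceLength || end < start) throw new RangeError('unsatisfiable range');
    ranges.push({ start, end });
  }
  // Overlap check: after sorting by start, any range that begins at or before
  // the previous one's end overlaps it (this also catches exact duplicates).
  const sorted = [...ranges].sort((a, b) => a.start - b.start);
  for (let i = 1; i < sorted.length; i++) {
    if (sorted[i].start <= sorted[i - 1].end) throw new RangeError('overlapping ranges');
  }
  return ranges;
}

// Turn the outcome into a short string, handy for logging and for checks.
function classifyRangeHeader(header, resourceLength) {
  try {
    const ranges = parseRangeHeader(header, resourceLength);
    return ranges === null ? 'no-range' : `ok:${ranges.length}`;
  } catch (err) {
    if (err instanceof RangeError) return `reject:${err.message}`;
    throw err;
  }
}

// Constructed sample headers, evaluated against a 1000-byte resource.
const SAMPLE_HEADERS = [
  'bytes=0-499',
  'bytes=0-499,500-999',
  'bytes=0-600,400-999',
  'bytes=' + Array.from({ length: 50 }, (_, i) => `${i}-${i}`).join(','),
  'bytes=0-,0-,0-',
  'bytes=2000-',
];

function classifySamples(resourceLength = 1000) {
  return SAMPLE_HEADERS.map((h) => classifyRangeHeader(h, resourceLength));
}
```

The two DoS shapes in the advisory map to the two explicit rejections: the 50-range header hits the cap, and the three wide ranges that each cover the whole resource are caught by the overlap check.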
CVE-2022-1214 - High Severity Vulnerability
Vulnerable Library - axios-0.21.1.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/axios/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
localtunnel-2.0.1.tgz
└─ axios-0.21.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository axios/axios prior to 0.26.
Publish Date: 2022-05-03
URL: CVE-2022-1214
CVSS 3 Score Details (8.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/ef7b4ab6-a3f6-4268-a21a-e7104d344607/
Release Date: 2022-05-03
Fix Resolution: axios - v0.26.0
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.12.4.js , jquery-1.12.4.min.js
jquery-1.12.4.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js
Path to vulnerable library: /resources/vendor/jquery/jquery.js
Dependency Hierarchy:
└─ jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /src/main/webapp/index.jsp
Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js
Dependency Hierarchy:
└─ jquery-1.12.4.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
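Why HTML that a sanitizer already judged safe can still execute, as an added example that is not jQuery's code: before 3.5.0, jQuery.htmlPrefilter rewrote self-closing tags such as `<style/>` into `<style></style>` before the string reached the DOM, and that rewrite can move a closing tag so that text a sanitizer saw as inert raw text becomes a live element. The regex below is modelled on jQuery 1.x's rxhtmlTag; liveTags() is a constructed scanner that reports which elements an HTML parser would actually open, treating style/script/textarea/title content as raw text the way a parser-aware sanitizer does; the payload and the doSomething name are constructed for the illustration.

```javascript
// Added example, not jQuery's code. Models the pre-3.5.0 htmlPrefilter and
// shows, with a constructed payload, how it changes what ends up live.

// The expansion step: "<tag/>" becomes "<tag></tag>" for non-void elements.
// Regex modelled on jQuery 1.x's rxhtmlTag.
const RX_SELF_CLOSING = /<(?!area|br|col|embed|hr|img|input|link|meta|param)(([\w:-]+)[^>]*)\/>/gi;

function legacyHtmlPrefilter(html) {
  return html.replace(RX_SELF_CLOSING, '<$1></$2>');
}

function modernHtmlPrefilter(html) {
  return html; // jQuery >= 3.5.0: the prefilter no longer rewrites anything
}

// Elements whose content is raw text: an "<img>" inside them is just
// characters, not an element.
const RAW_TEXT = new Set(['style', 'script', 'textarea', 'title']);

// Return the tag names an HTML parser would actually open, in order,
// skipping anything that sits inside a raw-text element.
function liveTags(html) {
  const lower = html.toLowerCase();
  const tags = [];
  let i = 0;
  while (i < html.length) {
    const lt = html.indexOf('<', i);
    if (lt === -1) break;
    const m = /^<([a-z][\w:-]*)/i.exec(html.slice(lt));
    if (!m) { i = lt + 1; continue; }          // "</...>" or a stray "<"
    const name = m[1].toLowerCase();
    tags.push(name);
    const gt = html.indexOf('>', lt);
    i = gt === -1 ? html.length : gt + 1;
    if (RAW_TEXT.has(name)) {                   // jump to the matching close tag
      const close = lower.indexOf('</' + name, i);
      if (close === -1) break;
      const closeGt = lower.indexOf('>', close);
      i = closeGt === -1 ? html.length : closeGt + 1;
    }
  }
  return tags;
}

// Constructed payload: a parser-aware sanitizer sees the <img> as raw text
// inside <style> and lets the string through unchanged.
const SANITIZED_BUT_UNSAFE = '<style><style/><img src=x onerror=doSomething()></style>';

// What is live before and after each prefilter, for the checks below.
function liveAfter(prefilter) {
  return liveTags(prefilter(SANITIZED_BUT_UNSAFE));
}
```

With the legacy prefilter the inner `<style/>` becomes `<style></style>`, the `</style>` closes the raw-text element early, and the `<img>` that follows is parsed as an element with an event handler. Upgrading to 3.5.0 removes the rewrite; until then, sanitizing the output of jQuery.htmlPrefilter rather than its input is the workaround the mechanism implies.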
CVE-2018-11039 - Medium Severity Vulnerability
Vulnerable Library - spring-web-4.3.6.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-web-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar
Dependency Hierarchy:
└─ spring-web-4.3.6.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Publish Date: 2018-06-25
URL: CVE-2018-11039
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11039
Release Date: 2018-06-25
Fix Resolution: org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.apache.servicemix.bundles:org.apache.servicemix.bundles.spring-web:5.0.7.RELEASE,4.3.18.RELEASE
CVE-2018-14040 - Low Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /index.jsp
Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
└─ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (3.7)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2021-23337 - High Severity Vulnerability
Vulnerable Libraries - lodash-4.17.20.tgz , lodash-1.0.2.tgz
lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/lodash/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
easy-extender-2.3.4.tgz
└─ lodash-4.17.20.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
└─ lodash-1.0.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
CVSS 3 Score Details (7.2)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-35jh-r3h4-6jhm
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (browser-sync): 2.27.1
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2020-5421 - Medium Severity Vulnerability
Vulnerable Library - spring-web-4.3.27.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-web-4.3.27.RELEASE.jar
Dependency Hierarchy:
└─ spring-web-4.3.27.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Publish Date: 2020-09-19
URL: CVE-2020-5421
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2020-5421
Release Date: 2020-09-19
Fix Resolution: 4.3.29.RELEASE
CVE-2019-1010266 - Medium Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
└─ lodash-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
lodash prior to 4.17.11 is affected by: CWE-400: Uncontrolled Resource Consumption. The impact is: Denial of service. The component is: Date handler. The attack vector is: Attacker provides very long strings, which the library attempts to match using a regular expression. The fixed version is: 4.17.11.
Publish Date: 2019-07-17
URL: CVE-2019-1010266
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-07-17
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (gulp): 4.0.0
WS-2018-0021 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/target/online-jsp-compiler/index.jsp
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/resources/vendor/bootstrap/js/bootstrap.min.js,/online-jsp-compiler/target/online-jsp-compiler/resources/vendor/bootstrap/js/bootstrap.min.js,/online-jsp-compiler/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
└─ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
XSS in data-target in bootstrap (3.3.7 and before)
Publish Date: 2017-09-29
URL: WS-2018-0021
CVSS 2 Score Details (6.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-06-12
Fix Resolution: 3.4.0
CVE-2018-3721 - Medium Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
└─ lodash-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
lodash node module before 4.17.5 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via the defaultsDeep, merge, and mergeWith functions, which allows a malicious user to modify the prototype of "Object" via __proto__, causing the addition or modification of a property that will exist on all objects.
Publish Date: 2018-06-07
URL: CVE-2018-3721
CVSS 3 Score Details (6.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1067
Release Date: 2018-06-07
Fix Resolution (lodash): 4.17.5
Direct dependency fix Resolution (gulp): 4.0.0
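Prototype pollution as it applies to both this finding (lodash defaultsDeep/merge/mergeWith, CVE-2018-3721) and the async mapValues finding above (CVE-2021-43138), as an added example that is neither library's code: a naive recursive merge walks into a `__proto__` key taken from attacker-controlled JSON and ends up writing to Object.prototype, so every object in the process gains the attacker's property; the hardened merge skips prototype-bearing keys, merges only into the target's own properties and only recurses into plain objects. The payload and the isAdmin property name are constructed for the illustration.

```javascript
// Added example, not lodash's or async's code. The payload and the isAdmin
// property name are constructed for the illustration.

// A naive recursive merge: it trusts every key in the source object.
function naiveMerge(target, source) {
  for (const key in source) {
    const value = source[key];
    const existing = target[key]; // for key "__proto__" this is Object.prototype
    if (isObjectLike(value) && isObjectLike(existing)) {
      naiveMerge(existing, value);
    } else if (isObjectLike(value)) {
      target[key] = naiveMerge({}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

function isObjectLike(v) {
  return v !== null && typeof v === 'object';
}

// Hardened merge: refuse the keys that reach the prototype chain, merge only
// into the target's own properties, and only recurse into plain objects.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

function isPlainObject(v) {
  return v !== null && typeof v === 'object' && Object.getPrototypeOf(v) === Object.prototype;
}

function safeMerge(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const value = source[key];
    if (isPlainObject(value)) {
      const own = Object.prototype.hasOwnProperty.call(target, key) ? target[key] : undefined;
      target[key] = safeMerge(isPlainObject(own) ? own : {}, value);
    } else {
      target[key] = value;
    }
  }
  return target;
}

// Constructed attacker payload, e.g. a JSON request body. JSON.parse creates
// an own property literally named "__proto__", which for...in enumerates.
const POLLUTING_JSON = '{"__proto__": {"isAdmin": true}}';

// Run a merge on the payload and report whether an unrelated, pre-existing
// object picked up the attacker's property. Cleans up afterwards so the rest
// of the process is not left polluted.
function pollutes(mergeFn) {
  const bystander = {};
  try {
    mergeFn({}, JSON.parse(POLLUTING_JSON));
    return bystander.isAdmin === true;
  } finally {
    delete Object.prototype.isAdmin;
  }
}
```

pollutes(naiveMerge) is true and pollutes(safeMerge) is false. The `constructor` and `prototype` keys are blocked for the same reason as `__proto__`: `{"constructor": {"prototype": {...}}}` is the other common route to Object.prototype. Parsing untrusted JSON into objects created with Object.create(null) removes the prototype chain altogether and is a reasonable belt-and-braces measure alongside the key check.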
CVE-2018-20676 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /index.jsp
Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
└─ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2017-16086 - High Severity Vulnerability
Vulnerable Library - ua-parser-0.7.17.js
Lightweight JavaScript-based user-agent string parser
Library home page: https://cdnjs.cloudflare.com/ajax/libs/UAParser.js/0.7.17/ua-parser.js
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/resources/node_modules/ua-parser-js/src/ua-parser.js
Dependency Hierarchy:
└─ ua-parser-0.7.17.js (Vulnerable Library)
Found in HEAD commit: b26b16fdb97fb017c423e6ac1eb0a1551aa707b0
Vulnerability Details
ua-parser is a port of Browserscope's user agent parser. ua-parser is vulnerable to a ReDoS (Regular Expression Denial of Service) attack when given a specially crafted UserAgent header.
Publish Date: 2018-06-07
URL: CVE-2017-16086
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
CVE-2022-22965 - Critical Severity Vulnerability
Vulnerable Library - spring-beans-4.3.27.RELEASE.jar
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-beans/4.3.27.RELEASE/spring-beans-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-beans-4.3.27.RELEASE.jar
Dependency Hierarchy:
└─ spring-beans-4.3.27.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Publish Date: 2022-04-01
URL: CVE-2022-22965
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution: 5.2.20.RELEASE
CVE-2017-1000048 - High Severity Vulnerability
Vulnerable Library - qs-6.2.3.tgz
A querystring parser that supports nesting and arrays, with a depth limit
Library home page: https://registry.npmjs.org/qs/-/qs-6.2.3.tgz
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json
Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/qs/package.json
Dependency Hierarchy:
browser-sync-2.26.7.tgz (Root Library)
└─ qs-6.2.3.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
A web framework using ljharb's qs module older than v6.3.2, v6.2.3, v6.1.2 or v6.0.4 is vulnerable to a DoS: a malicious user can send a crafted request that crashes the web framework. Note that the version detected here, 6.2.3, is itself one of the fixed versions named in this description, so confirm the finding against the advisory before acting on it.
Publish Date: 2017-07-17
URL: CVE-2017-1000048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Change files
Origin: ljharb/qs@c709f6e
Release Date: 2017-03-06
Fix Resolution: Replace or update the following file: v6.0.4
CVE-2021-35065 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/glob-parent/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
chokidar-3.5.1.tgz
└─ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The glob-parent package before 6.0.1 is vulnerable to Regular Expression Denial of Service (ReDoS).
Publish Date: 2021-06-22
URL: CVE-2021-35065
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-cj88-88mr-972w
Release Date: 2021-06-22
Fix Resolution: glob-parent - 6.0.1
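A static check for the pattern shape behind this finding and the other two ReDoS findings on this page (CVE-2017-16086 in ua-parser-js and CVE-2019-1010266 in lodash), as an added example that is none of those libraries' code and does not reproduce their actual regexes: starHeight() computes how deeply unbounded quantifiers nest in a regex source, the heuristic that safe-regex style linters use, and boundedTest() is the cheap runtime guard of capping input length, which is exactly what the lodash advisory's "very long strings" attack needs. SAMPLE_PATTERNS and MAX_INPUT_LENGTH are constructed assumptions.

```javascript
// Added example, not code from ua-parser-js, lodash or glob-parent, and the
// sample patterns are constructed rather than those libraries' regexes.

// Star height of a regex source: the nesting depth of unbounded quantifiers
// (*, + and {n,}). A height of 2 or more, as in /(a+)+/, is the shape that
// lets a backtracking engine explore exponentially many ways to match.
function starHeight(source) {
  const stack = [{ max: 0 }];   // one frame per open group; frame.max = height inside it
  let lastAtom = 0;             // height of the atom a quantifier would apply to
  let i = 0;
  while (i < source.length) {
    const c = source[i];
    if (c === '\\') { lastAtom = 0; i += 2; continue; }            // escaped char
    if (c === '[') {                                               // character class
      let j = i + 1;
      while (j < source.length && source[j] !== ']') j += source[j] === '\\' ? 2 : 1;
      lastAtom = 0; i = j + 1; continue;
    }
    if (c === '(') {
      stack.push({ max: 0 });
      i += 1;
      if (source[i] === '?') {                                     // (?: (?= (?! (?<name> (?<= (?<!
        i += 1;
        if (source[i] === '<' && source[i + 1] !== '=' && source[i + 1] !== '!') {
          i = source.indexOf('>', i) + 1;                          // skip the group name
        } else {
          i += 1;
        }
      }
      continue;
    }
    if (c === ')') {
      if (stack.length > 1) {
        const inner = stack.pop();
        const top = stack[stack.length - 1];
        top.max = Math.max(top.max, inner.max);
        lastAtom = inner.max;                                      // the group is now the atom
      }
      i += 1; continue;
    }
    let quant = null;
    if (c === '*' || c === '+') {
      quant = 'unbounded';
    } else if (c === '{') {
      const m = /^\{\d+(,(\d*))?\}/.exec(source.slice(i));
      if (m) { quant = m[1] !== undefined && m[2] === '' ? 'unbounded' : 'bounded'; i += m[0].length - 1; }
    }
    if (quant === 'unbounded') {
      const top = stack[stack.length - 1];
      top.max = Math.max(top.max, lastAtom + 1);
      lastAtom = 0;
    } else if (quant === null && c !== '?') {
      lastAtom = 0;                                                // ordinary character
    }
    i += 1;
  }
  return stack[0].max;
}

// Names of the patterns whose star height is 2 or more.
function riskyPatterns(patterns) {
  return Object.keys(patterns).filter((name) => starHeight(patterns[name].source) >= 2);
}

// Constructed patterns, not taken from any of the advisories' libraries.
const SAMPLE_PATTERNS = {
  nestedPlus: /^(a+)+$/,
  email: /^[a-z]+@[a-z]+\.[a-z]{2,}$/,
  digitGroups: /^(\d+)*$/,
  words: /^(?:\w+\s?)+$/,
  boundedInner: /^(a{2,5})+$/,
};

const MAX_INPUT_LENGTH = 256; // assumed policy value

// Runtime guard: refuse to run a pattern on inputs longer than the cap. A
// ReDoS needs a long input to be expensive, so the cap bounds the cost.
function boundedTest(regex, input, maxLength = MAX_INPUT_LENGTH) {
  if (input.length > maxLength) return { rejected: true, matched: null };
  return { rejected: false, matched: regex.test(input) };
}
```

riskyPatterns(SAMPLE_PATTERNS) flags nestedPlus, digitGroups and words. Star height is a heuristic, not a proof: it misses ambiguous alternation such as /(a|aa)+/, which is also exponential, so the length cap remains the guard to rely on for anything that matches attacker-controlled input such as a User-Agent header or a date string.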
CVE-2021-31597 - Critical Severity Vulnerability
Vulnerable Library - xmlhttprequest-ssl-1.5.5.tgz
XMLHttpRequest for Node
Library home page: https://registry.npmjs.org/xmlhttprequest-ssl/-/xmlhttprequest-ssl-1.5.5.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/xmlhttprequest-ssl/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
browser-sync-ui-2.26.14.tgz
socket.io-client-2.4.0.tgz
engine.io-client-3.5.0.tgz
└─ xmlhttprequest-ssl-1.5.5.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
The xmlhttprequest-ssl package before 1.6.1 for Node.js disables SSL certificate validation by default, because rejectUnauthorized (when the property exists but is undefined) is considered to be false within the https.request function of Node.js. In other words, no certificate is ever rejected.
Publish Date: 2021-04-23
URL: CVE-2021-31597
CVSS 3 Score Details (9.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31597
Release Date: 2021-04-23
Fix Resolution (xmlhttprequest-ssl): 1.6.1
Direct dependency fix Resolution (browser-sync): 2.27.1
CVE-2018-11040 - Medium Severity Vulnerability
Vulnerable Libraries - spring-web-4.3.6.RELEASE.jar , spring-webmvc-4.3.6.RELEASE.jar
spring-web-4.3.6.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-web-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-web/4.3.6.RELEASE/spring-web-4.3.6.RELEASE.jar
Dependency Hierarchy:
└─ spring-web-4.3.6.RELEASE.jar (Vulnerable Library)
spring-webmvc-4.3.6.RELEASE.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-webmvc-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-webmvc/4.3.6.RELEASE/spring-webmvc-4.3.6.RELEASE.jar
Dependency Hierarchy:
❌ spring-webmvc-4.3.6.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Publish Date: 2018-06-25
URL: CVE-2018-11040
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11040
Release Date: 2018-06-25
Fix Resolution: org.springframework:spring-web:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-webmvc:5.0.7.RELEASE,4.3.18.RELEASE,org.springframework:spring-websocket:5.0.7.RELEASE,4.3.18.RELEASE
CVE-2021-3749 - High Severity Vulnerability
Vulnerable Library - axios-0.21.1.tgz
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/axios/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
localtunnel-2.0.1.tgz
❌ axios-0.21.1.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/1e8f07fc-c384-4ff9-8498-0690de2e8c31/
Release Date: 2021-08-31
Fix Resolution (axios): 0.21.2
Direct dependency fix Resolution (browser-sync): 2.27.1
CVE-2016-10540 - High Severity Vulnerability
Vulnerable Libraries - minimatch-0.2.14.tgz , minimatch-2.0.10.tgz
minimatch-0.2.14.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ minimatch-0.2.14.tgz (Vulnerable Library)
minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/glob/node_modules/minimatch/package.json,/src/main/webapp/resources/node_modules/glob-stream/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-stream-3.1.18.tgz
❌ minimatch-2.0.10.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp objects. The primary function, minimatch(path, pattern), in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern parameter.
Publish Date: 2018-04-26
URL: CVE-2016-10540
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540
Release Date: 2018-04-26
Fix Resolution (minimatch): 3.0.2
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.12.4.js , jquery-1.12.4.min.js
jquery-1.12.4.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js
Path to vulnerable library: /resources/vendor/jquery/jquery.js
Dependency Hierarchy:
❌ jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /src/main/webapp/index.jsp
Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js
Dependency Hierarchy:
❌ jquery-1.12.4.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-8203 - High Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Prototype pollution attack when using _.zipObjectDeep in lodash before 4.17.20.
Publish Date: 2020-07-15
URL: CVE-2020-8203
CVSS 3 Score Details (7.4)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1523
Release Date: 2020-07-15
Fix Resolution (lodash): 4.17.9
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2016-1000027 - Critical Severity Vulnerability
Vulnerable Library - spring-web-4.3.27.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-web-4.3.27.RELEASE.jar
Dependency Hierarchy:
❌ spring-web-4.3.27.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-4wrc-f8pq-fpqp
Release Date: 2020-01-02
Fix Resolution: 4.3.28.RELEASE
CVE-2022-3517 - High Severity Vulnerability
Vulnerable Libraries - minimatch-3.0.4.tgz , minimatch-0.2.14.tgz , minimatch-2.0.10.tgz
minimatch-3.0.4.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-3.0.4.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/minimatch/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
resp-modifier-6.0.2.tgz
❌ minimatch-3.0.4.tgz (Vulnerable Library)
minimatch-0.2.14.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ minimatch-0.2.14.tgz (Vulnerable Library)
minimatch-2.0.10.tgz
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/glob/node_modules/minimatch/package.json,/src/main/webapp/resources/node_modules/glob-stream/node_modules/minimatch/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-stream-3.1.18.tgz
❌ minimatch-2.0.10.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A vulnerability was found in the minimatch package. This flaw allows a Regular Expression Denial of Service (ReDoS) when calling the braceExpand function with specific arguments, resulting in a Denial of Service.
Publish Date: 2022-10-17
URL: CVE-2022-3517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-10-17
Fix Resolution: minimatch - 3.0.5
CVE-2018-3728 - High Severity Vulnerability
Vulnerable Library - hoek-2.16.3.tgz
General purpose node utilities
Library home page: https://registry.npmjs.org/hoek/-/hoek-2.16.3.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/hoek/package.json
Dependency Hierarchy:
gulp-less-3.5.0.tgz (Root Library)
less-2.7.3.tgz
request-2.81.0.tgz
hawk-3.1.3.tgz
❌ hoek-2.16.3.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
hoek node module before 4.2.0 and 5.0.x before 5.0.3 suffers from a Modification of Assumed-Immutable Data (MAID) vulnerability via 'merge' and 'applyToDefaults' functions, which allows a malicious user to modify the prototype of "Object" via `__proto__`, causing the addition or modification of an existing property that will exist on all objects.
Publish Date: 2018-03-30
URL: CVE-2018-3728
CVSS 3 Score Details (8.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16082
Release Date: 2018-03-30
Fix Resolution (hoek): 4.2.0
Direct dependency fix Resolution (gulp-less): 4.0.0
CVE-2020-28500 - Medium Severity Vulnerability
Vulnerable Libraries - lodash-4.17.20.tgz , lodash-1.0.2.tgz
lodash-4.17.20.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.20.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/lodash/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
easy-extender-2.3.4.tgz
❌ lodash-4.17.20.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Lodash versions prior to 4.17.21 are vulnerable to Regular Expression Denial of Service (ReDoS) via the toNumber, trim and trimEnd functions.
Publish Date: 2021-02-15
URL: CVE-2020-28500
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28500
Release Date: 2021-02-15
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (browser-sync): 2.27.1
Fix Resolution (lodash): 4.17.21
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2020-7608 - Medium Severity Vulnerability
Vulnerable Library - yargs-parser-4.2.1.tgz
the mighty option parser used by yargs
Library home page: https://registry.npmjs.org/yargs-parser/-/yargs-parser-4.2.1.tgz
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json
Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/yargs-parser/package.json
Dependency Hierarchy:
browser-sync-2.26.7.tgz (Root Library)
yargs-6.4.0.tgz
❌ yargs-parser-4.2.1.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
yargs-parser could be tricked into adding or modifying properties of Object.prototype using a "`__proto__`" payload.
Publish Date: 2020-03-16
URL: CVE-2020-7608
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Local
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7608
Release Date: 2020-03-16
Fix Resolution: v18.1.1;13.1.2;15.0.1
CVE-2022-29167 - High Severity Vulnerability
Vulnerable Library - hawk-3.1.3.tgz
HTTP Hawk Authentication Scheme
Library home page: https://registry.npmjs.org/hawk/-/hawk-3.1.3.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/hawk/package.json
Dependency Hierarchy:
gulp-less-3.5.0.tgz (Root Library)
less-2.7.3.tgz
request-2.81.0.tgz
❌ hawk-3.1.3.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Hawk is an HTTP authentication scheme providing mechanisms for making authenticated HTTP requests with partial cryptographic verification of the request and response, covering the HTTP method, request URI, host, and optionally the request payload. Hawk used a regular expression to parse the Host HTTP header (Hawk.utils.parseHost()), which was subject to a regular expression DoS attack, meaning each added character in the attacker's input increases the computation time exponentially. parseHost() was patched in 9.0.1 to use the built-in URL class to parse the hostname instead. Hawk.authenticate() accepts an options argument. If that contains host and port, those would be used instead of a call to utils.parseHost().
Publish Date: 2022-05-05
URL: CVE-2022-29167
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-44pw-h2cw-w3vq
Release Date: 2022-05-05
Fix Resolution (hawk): 9.0.1
Direct dependency fix Resolution (gulp-less): 4.0.0
CVE-2018-1271 - Medium Severity Vulnerability
Vulnerable Library - spring-webmvc-4.3.6.RELEASE.jar
Spring Web MVC
Library home page: https://github.com/spring-projects/spring-framework
Path to vulnerable library: /online-jsp-compiler/target/online-jsp-compiler/WEB-INF/lib/spring-webmvc-4.3.6.RELEASE.jar,canner/.m2/repository/org/springframework/spring-webmvc/4.3.6.RELEASE/spring-webmvc-4.3.6.RELEASE.jar
Dependency Hierarchy:
❌ spring-webmvc-4.3.6.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, allow applications to configure Spring MVC to serve static resources (e.g. CSS, JS, images). When static resources are served from a file system on Windows (as opposed to the classpath, or the ServletContext), a malicious user can send a request using a specially crafted URL that can lead to a directory traversal attack.
Publish Date: 2018-04-06
URL: CVE-2018-1271
CVSS 3 Score Details (5.9)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1271
Release Date: 2018-04-06
Fix Resolution: org.springframework:spring-webflux:5.0.5.RELEASE,org.springframework:spring-webmvc:4.3.15.RELEASE,5.0.5.RELEASE
CVE-2020-36048 - High Severity Vulnerability
Vulnerable Library - engine.io-3.5.0.tgz
The realtime engine behind Socket.IO. Provides the foundation of a bidirectional connection between client and server
Library home page: https://registry.npmjs.org/engine.io/-/engine.io-3.5.0.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/engine.io/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
socket.io-2.4.0.tgz
❌ engine.io-3.5.0.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Engine.IO before 4.0.0 allows attackers to cause a denial of service (resource consumption) via a POST request to the long polling transport.
Publish Date: 2021-01-08
URL: CVE-2020-36048
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-36048
Release Date: 2021-01-08
Fix Resolution (engine.io): 3.6.0
Direct dependency fix Resolution (browser-sync): 2.27.8
CVE-2018-16487 - Medium Severity Vulnerability
Vulnerable Library - lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
❌ lodash-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
A prototype pollution vulnerability was found in lodash <4.17.11 where the functions merge, mergeWith, and defaultsDeep can be tricked into adding or modifying properties of Object.prototype.
Publish Date: 2019-02-01
URL: CVE-2018-16487
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://hackerone.com/reports/380873
Release Date: 2019-02-01
Fix Resolution (lodash): 4.17.11
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2021-22096 - Medium Severity Vulnerability
Vulnerable Libraries - spring-core-4.3.27.RELEASE.jar , spring-web-4.3.27.RELEASE.jar
spring-core-4.3.27.RELEASE.jar
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-core/4.3.27.RELEASE/spring-core-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-core-4.3.27.RELEASE.jar
Dependency Hierarchy:
❌ spring-core-4.3.27.RELEASE.jar (Vulnerable Library)
spring-web-4.3.27.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /canner/.m2/repository/org/springframework/spring-web/4.3.27.RELEASE/spring-web-4.3.27.RELEASE.jar,/WEB-INF/lib/spring-web-4.3.27.RELEASE.jar
Dependency Hierarchy:
❌ spring-web-4.3.27.RELEASE.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
CVSS 3 Score Details (4.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution: 5.2.18.RELEASE
CVE-2018-1000620 - Critical Severity Vulnerability
Vulnerable Library - cryptiles-2.0.5.tgz
General purpose crypto utilities
Library home page: https://registry.npmjs.org/cryptiles/-/cryptiles-2.0.5.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/cryptiles/package.json
Dependency Hierarchy:
gulp-less-3.5.0.tgz (Root Library)
less-2.7.3.tgz
request-2.81.0.tgz
hawk-3.1.3.tgz
❌ cryptiles-2.0.5.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
Eran Hammer cryptiles version 4.1.1 and earlier contains a CWE-331: Insufficient Entropy vulnerability in the randomDigits() method that can result in an attacker being more likely to brute force something that was supposed to be random. Whether this attack is exploitable depends upon the calling application. This vulnerability appears to have been fixed in 4.1.2.
Publish Date: 2018-07-09
URL: CVE-2018-1000620
CVSS 3 Score Details (9.8)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2018-1000620
Release Date: 2018-07-09
Fix Resolution (cryptiles): 4.1.2
Direct dependency fix Resolution (gulp-less): 4.0.0
CVE-2020-28469 - High Severity Vulnerability
Vulnerable Library - glob-parent-5.1.1.tgz
Extract the non-magic parent path from a glob string.
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-5.1.1.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/glob-parent/package.json
Dependency Hierarchy:
browser-sync-2.26.14.tgz (Root Library)
chokidar-3.5.1.tgz
❌ glob-parent-5.1.1.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package glob-parent before 5.1.2. The enclosure regex, used to check for strings ending in an enclosure containing a path separator, is affected.
Publish Date: 2021-06-03
URL: CVE-2020-28469
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution (glob-parent): 5.1.2
Direct dependency fix Resolution (browser-sync): 2.27.1
CVE-2016-10735 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /index.jsp
Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
❌ bootstrap-3.3.7.min.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.12.4.js , jquery-1.12.4.min.js
jquery-1.12.4.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js
Path to vulnerable library: /resources/vendor/jquery/jquery.js
Dependency Hierarchy:
❌ jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /src/main/webapp/index.jsp
Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js
Dependency Hierarchy:
❌ jquery-1.12.4.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
CVE-2020-15366 - Medium Severity Vulnerability
Vulnerable Library - ajv-4.11.8.tgz
Another JSON Schema Validator
Library home page: https://registry.npmjs.org/ajv/-/ajv-4.11.8.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/ajv/package.json
Dependency Hierarchy:
gulp-less-3.5.0.tgz (Root Library)
less-2.7.3.tgz
request-2.81.0.tgz
har-validator-4.2.1.tgz
❌ ajv-4.11.8.tgz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
An issue was discovered in ajv.validate() in Ajv (aka Another JSON Schema Validator) 6.12.2. A carefully crafted JSON schema could be provided that allows execution of other code by prototype pollution. (While untrusted schemas are recommended against, the worst case of an untrusted schema should be a denial of service, not execution of code.)
Publish Date: 2020-07-15
URL: CVE-2020-15366
CVSS 3 Score Details (5.6)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2020-07-15
Fix Resolution (ajv): 6.12.3
Direct dependency fix Resolution (gulp-less): 4.0.0
WS-2020-0091 - High Severity Vulnerability
Vulnerable Library - http-proxy-1.15.2.tgz
HTTP proxying for the masses
Library home page: https://registry.npmjs.org/http-proxy/-/http-proxy-1.15.2.tgz
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json
Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/http-proxy/package.json
Dependency Hierarchy:
browser-sync-2.26.7.tgz (Root Library)
http-proxy-1.15.2.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
Versions of http-proxy prior to 1.18.1 are vulnerable to Denial of Service. An HTTP request with a long body triggers an ERR_HTTP_HEADERS_SENT unhandled exception that crashes the proxy server. This is only possible when the proxy server sets headers in the proxy request using the proxyReq.setHeader function.
Publish Date: 2020-05-14
URL: WS-2020-0091
CVSS 3 Score Details (7.5)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/1486
Release Date: 2020-05-26
Fix Resolution: http-proxy - 1.18.1
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.12.4.js , jquery-1.12.4.min.js
jquery-1.12.4.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.js
Path to vulnerable library: /resources/vendor/jquery/jquery.js
Dependency Hierarchy:
jquery-1.12.4.js (Vulnerable Library)
jquery-1.12.4.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.12.4/jquery.min.js
Path to dependency file: /src/main/webapp/index.jsp
Path to vulnerable library: /resources/vendor/jquery/jquery.min.js,/src/main/webapp/resources/vendor/jquery/jquery.min.js,/resources/vendor/jquery/jquery.min.js
Dependency Hierarchy:
jquery-1.12.4.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
WS-2019-0017 - Medium Severity Vulnerability
Vulnerable Library - clean-css-3.4.28.tgz
A well-tested CSS minifier
Library home page: https://registry.npmjs.org/clean-css/-/clean-css-3.4.28.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/clean-css/package.json
Dependency Hierarchy:
gulp-clean-css-2.3.2.tgz (Root Library)
clean-css-3.4.28.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
Versions of clean-css prior to 4.1.11 are vulnerable to Regular Expression Denial of Service (ReDoS). Untrusted input may cause catastrophic backtracking while matching regular expressions. This can make the application unresponsive, leading to Denial of Service.
Publish Date: 2018-03-06
URL: WS-2019-0017
CVSS 3 Score Details (5.3)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: GHSA-wxhq-pm8v-cw75
Release Date: 2018-03-06
Fix Resolution (clean-css): 4.1.11
Direct dependency fix Resolution (gulp-clean-css): 2.4.0
CVE-2018-20677 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /index.jsp
Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /index.jsp
Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
WS-2020-0070 - High Severity Vulnerability
Vulnerable Libraries - lodash-1.0.2.tgz , lodash-4.17.15.tgz
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json
Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
lodash-1.0.2.tgz (Vulnerable Library)
lodash-4.17.15.tgz
Lodash modular utilities.
Library home page: https://registry.npmjs.org/lodash/-/lodash-4.17.15.tgz
Path to dependency file: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/package.json
Path to vulnerable library: /tmp/ws-scm/online-jsp-compiler/src/main/webapp/resources/node_modules/lodash/package.json
Dependency Hierarchy:
browser-sync-2.26.7.tgz (Root Library)
easy-extender-2.3.4.tgz
lodash-4.17.15.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Vulnerability Details
A prototype pollution vulnerability in lodash. It allows an attacker to inject properties on Object.prototype.
Publish Date: 2020-04-28
URL: WS-2020-0070
CVSS 3 Score Details (8.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
The project could not be analyzed because of build errors. Please review the error messages here . Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.
This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.
CVE-2019-10744 - Critical Severity Vulnerability
Vulnerable Libraries - lodash.template-3.6.2.tgz , lodash-1.0.2.tgz
lodash.template-3.6.2.tgz
The modern build of lodash's `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/lodash.template/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
gulp-util-3.0.8.tgz
lodash.template-3.6.2.tgz (Vulnerable Library)
lodash-1.0.2.tgz
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /src/main/webapp/resources/package.json
Path to vulnerable library: /src/main/webapp/resources/node_modules/globule/node_modules/lodash/package.json
Dependency Hierarchy:
gulp-3.9.1.tgz (Root Library)
vinyl-fs-0.3.14.tgz
glob-watcher-0.0.6.tgz
gaze-0.5.2.tgz
globule-0.1.0.tgz
lodash-1.0.2.tgz (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
CVSS 3 Score Details (9.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: High
Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution (lodash.template): 4.5.0
Direct dependency fix Resolution (gulp): 4.0.0
Fix Resolution (lodash): 4.5.0
Direct dependency fix Resolution (gulp): 4.0.0
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7.min.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /index.jsp
Path to vulnerable library: /resources/vendor/bootstrap/js/bootstrap.min.js,/resources/vendor/bootstrap/js/bootstrap.min.js,/src/main/webapp/resources/vendor/bootstrap/js/bootstrap.min.js
Dependency Hierarchy:
bootstrap-3.3.7.min.js (Vulnerable Library)
Found in HEAD commit: 5d8ffb248a8e5c277b04d2f3429de779a33919c4
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2; org.webjars:bootstrap:3.4.0