brightcove / adobe-aem-brightcove-connector Goto Github PK
View Code? Open in Web Editor NEWBrightcove connector to Adobe Experience Manager
Home Page: http://www.brightcove.com
License: MIT License
adobe-aem-brightcove-connector's People
Contributors
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
Stargazers
Watchers
Forkers
aragiphani406 sameryadav shsteimer headwirecom kropipa richa-rallyhealth ahmed-musallam rampai94 friendlymahi rkcrbgfadobe-aem-brightcove-connector's Issues
CVE-2022-23307 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2022-23307 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2022-23305 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2022-23305 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
WS-2016-7057 (Medium) detected in plexus-utils-3.0.22.jar - autoclosed
WS-2016-7057 - Medium Severity Vulnerability
Vulnerable Library - plexus-utils-3.0.22.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
- jacoco-maven-plugin-0.7.9.jar (Root Library)
- ❌ plexus-utils-3.0.22.jar (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Plexus-utils before 3.0.24 are vulnerable to Directory Traversal
Publish Date: 2016-05-07
URL: WS-2016-7057
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@33a2853
Release Date: 2016-05-07
Fix Resolution: 3.0.24
AEMaaCS In-Page Experience Selector Dialog - Account Dropdown not working
In version 6.0.0 of the connector (for AEMaaCS) in the in-page experience component dialog, I am not able to select an account from the dropdown
after investigating it, looking at the 6.0.0 package and the dialog for the component at path
/apps/brightcove/components/content/brightcoveexperiences/_cq_dialog/.content.xml
it seems the issue is a missing class granite:class="brightcove-dialog-account-dropdown" on the account field.
Now, latest version of the connector on github does have that class, however, it does not seem to have been released for cloud. Will this be released soon?
Package not available in maven central repo
Hi,
We are using Brightcove and integrated it with AEM. As with most of the projects these days, we are also using maven for build and deployment. With this Brightcove AEM connector, right now we need to install it manually to our AEM. We want to automate this deployment but problem is that this AEM-Brightcove connector is not available in a public repo (Maven central repo). So, we can't automate the deployment of this connector package with our code. It is problematic especially for AMS and AEM as a Cloud service as it restricts doing anything manually in AEM servers.
The only solution is to set up our own Nexus and host this connector package there. But there are a couple of problems with this approach:
1.) If the company does not have nexus, they need to set up and manage this server just to host 1 dependency.
2.) If a company already have their own Nexus, it is usually internal and can be accessed only through a VPN. As you know AEM is now hosted mostly with AMS (Adobe Managed Services) or AEMaaCS (AEM as a Cloud Service). In both cases, they can't access our VPN-enabled Nexus. We can't make our Nexus public as well for security reasons.
So, wouldn't it be better if you guys can publish this connector to Maven central repo? It is a simple and straightforward task for you guys and it will save lots of effort and time for most people.
P.S: We are using AEM Brightcove connector version 5.6.1 right now.
Thanks,
Kapil.
Account Id Error in the admin console
Hi Team,
I am integrating brightcove connector with AEM 6.5.6. I have added new brightcove service osgi configuration with account details (account, clientId and client secret) and saved it. After that admin page http://localhost:4502/brightcove/admin is keep on loading and I can see below console error. I can see account_id value as undefined. Can you please let me know why this is an issue and do I have to update any other configuration values.
Refused to execute script from 'http://localhost:4502/bin/brightcove/api.js?account_id=undefined&a=search_videos&callback=showAllVideosCallBack&sort=name&limit=30&start=0&fields=id,name,shortDescription,longDescription,publishedDate,lastModifiedDate,linkURL,linkText,tags,thumbnailURL,referenceId,length,economics,videoStillURL' because its MIME type ('') is not executable, and strict MIME type checking is enabled.
NOTE: Connection works fine if i execute the shell script in my local as mentioned in https://integrations.support.brightcove.com/general/debugging-network-and-api-connection-issues-cms-and-dam-integrations.html
CVE-2014-0114 (High) detected in commons-beanutils-1.7.0.jar - autoclosed
CVE-2014-0114 - High Severity Vulnerability
Vulnerable Library - commons-beanutils-1.7.0.jar
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- commons-validator-1.2.0.jar
- ❌ commons-beanutils-1.7.0.jar (Vulnerable Library)
- commons-validator-1.2.0.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
CVE-2021-44228 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2021-44228 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: Adobe-AEM-Brightcove-Connector/current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
Publish Date: 2021-11-27
URL: CVE-2021-44228
CVSS 3 Score Details (10.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jfh8-c2jp-5v3q
Release Date: 2021-12-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0
brightcove-services-5.6-SNAPSHOT.jar: 23 vulnerabilities (highest severity is: 9.8) - autoclosed
Vulnerable Library - brightcove-services-5.6-SNAPSHOT.jar
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Vulnerabilities
| CVE | Severity |  CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2022-23305 |  High |
9.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
| CVE-2019-13116 | High |
9.8 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
| CVE-2019-17571 | High |
9.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
| CVE-2017-15708 | High |
9.8 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
| CVE-2020-9493 | High |
9.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
| CVE-2015-7501 | High |
9.8 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
| CVE-2022-23307 | High |
8.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
| CVE-2022-23302 | High |
8.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
| CVE-2020-13936 | High |
8.8 | velocity-1.5.jar | Transitive | N/A | ❌ |
| CVE-2021-4104 | High |
7.5 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
| CVE-2015-4852 | High |
7.3 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
| CVE-2019-10086 | High |
7.3 | commons-beanutils-1.7.0.jar | Transitive | N/A | ❌ |
| CVE-2014-0114 | High |
7.3 | commons-beanutils-1.7.0.jar | Transitive | N/A | ❌ |
| CVE-2015-6420 | High |
7.3 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
| CVE-2022-23437 |  Medium |
6.5 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
| CVE-2013-4002 | Medium |
5.9 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
| WS-2016-7057 | Medium |
5.9 | plexus-utils-3.0.22.jar | Transitive | N/A | ❌ |
| CVE-2020-15250 | Medium |
5.5 | junit-4.8.2.jar | Transitive | N/A | ❌ |
| WS-2016-7062 | Medium |
5.3 | plexus-utils-3.0.22.jar | Transitive | N/A | ❌ |
| CVE-2009-2625 | Medium |
5.3 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
| CVE-2012-0881 | Medium |
5.3 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
| CVE-2012-5783 | Medium |
4.8 | commons-httpclient-3.1.jar | Transitive | N/A | ❌ |
| CVE-2020-9488 |  Low |
3.7 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
Details
CVE-2022-23305
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
CVE-2019-13116
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
Publish Date: 2019-10-16
URL: CVE-2019-13116
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116
Release Date: 2019-10-29
Fix Resolution: commons-collections:commons-collections:3.2.2
CVE-2019-17571
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
CVE-2017-15708
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
CVE-2020-9493
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2015-7501
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
CVE-2022-23307
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2022-23302
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2020-13936
Vulnerable Library - velocity-1.5.jar
Apache Velocity is a general purpose template engine.
Library home page: http://velocity.apache.org/engine/
Path to dependency file: /current/core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar,/home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ velocity-1.5.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Publish Date: 2021-03-10
URL: CVE-2020-13936
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-10
Fix Resolution: org.apache.velocity:velocity-engine-core:2.3
CVE-2021-4104
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
CVE-2015-4852
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
CVE-2019-10086
Vulnerable Library - commons-beanutils-1.7.0.jar
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- commons-validator-1.2.0.jar
- ❌ commons-beanutils-1.7.0.jar (Vulnerable Library)
- commons-validator-1.2.0.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
CVE-2014-0114
Vulnerable Library - commons-beanutils-1.7.0.jar
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- commons-validator-1.2.0.jar
- ❌ commons-beanutils-1.7.0.jar (Vulnerable Library)
- commons-validator-1.2.0.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
CVE-2015-6420
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2015-12-15
Fix Resolution: commons-collections:commons-collections3.2.2,org.apache.commons:commons-collections4:4.1
CVE-2022-23437
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
CVE-2013-4002
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
WS-2016-7057
Vulnerable Library - plexus-utils-3.0.22.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- ❌ plexus-utils-3.0.22.jar (Vulnerable Library)
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Plexus-utils before 3.0.24 are vulnerable to Directory Traversal
Publish Date: 2016-05-07
URL: WS-2016-7057
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
CVE-2020-15250
Vulnerable Library - junit-4.8.2.jar
JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-project-2.2.1.jar
- plexus-container-default-1.0-alpha-9-stable-1.jar
- ❌ junit-4.8.2.jar (Vulnerable Library)
- plexus-container-default-1.0-alpha-9-stable-1.jar
- maven-project-2.2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
WS-2016-7062
Vulnerable Library - plexus-utils-3.0.22.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- ❌ plexus-utils-3.0.22.jar (Vulnerable Library)
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
CVE-2009-2625
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: xerces:xercesImpl:2.12.0
CVE-2012-0881
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: xerces:xercesImpl:2.12.0
CVE-2012-5783
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /current/core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar,/home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ commons-httpclient-3.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265
CVE-2020-9488
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- slf4j-log4j12-1.5.6.jar
- ❌ log4j-1.2.14.jar (Vulnerable Library)
- slf4j-log4j12-1.5.6.jar
Found in base branch: master
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
WS-2016-7062 (Medium) detected in plexus-utils-3.0.22.jar - autoclosed
WS-2016-7062 - Medium Severity Vulnerability
Vulnerable Library - plexus-utils-3.0.22.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
- jacoco-maven-plugin-0.7.9.jar (Root Library)
- ❌ plexus-utils-3.0.22.jar (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@f933e5e
Release Date: 2016-05-07
Fix Resolution: 3.0.24
CVE-2017-15708 (High) detected in commons-collections-3.2.jar - autoclosed
CVE-2017-15708 - High Severity Vulnerability
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
CVE-2018-20677 (Medium) detected in bootstrap-2.0.4.js - autoclosed
CVE-2018-20677 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
Cloud manager build failing at "Build Images" step
Hi,
We used the 6.0 version zip provided here: https://github.com/brightcove/Adobe-AEM-Brightcove-Connector/releases/tag/6.0.0-cloud
Cloud manager build is failing at "Build Images" step with following error:
[91mjava.lang.IllegalStateException: Error while assembling launcher: Package has unresolved dependencies: com.coresecure:brightcove.all:[6.0.0-cp2fm-converted,6.0.0-cp2fm-converted]
�[0m�[91m at org.apache.sling.feature.launcher.impl.Bootstrap.runWithException(Bootstrap.java:169)�[0m�[91m
�[0m�[91m at com.adobe.granite.fact.command.PrepareContentCommand.doCall(PrepareContentCommand.java:174)�[0m�[91m
�[0m�[91m at com.adobe.granite.fact.command.AbstractRepoCommand.call(AbstractRepoCommand.java:67)�[0m�[91m
�[0m�[91m at com.adobe.granite.fact.command.buildimage.BuildImageTasks.doPrepareContent(BuildImageTasks.java:707)�[0m�[91m
�[0m�[91m at com.adobe.granite.fact.command.buildimage.BuildImageExecutor.lambda$submit$1(BuildImageExecutor.java:110)
at java.base/java.lang.Thread.run(Thread.java:834)
�[0m�[91mCaused by: shaded.org.apache.jackrabbit.vault.packaging.DependencyException: Package has unresolved dependencies: com.coresecure:brightcove.all:[6.0.0-cp2fm-converted,6.0.0-cp2fm-converted]�[0m�[91m
�[0m�[91m at shaded.org.apache.jackrabbit.vault.packaging.registry.impl.ExecutionPlanBuilderImpl.resolveInstall(ExecutionPlanBuilderImpl.java:257)�[0m�[91m
�[0m�[91m at shaded.org.apache.jackrabbit.vault.packaging.registry.impl.ExecutionPlanBuilderImpl.validate(ExecutionPlanBuilderImpl.java:239)�[0m�[91m
�[0m�[91m at org.apache.sling.feature.extension.content.ContentHandler.buildExecutionPlan(ContentHandler.java:87)
at org.apache.sling.feature.extension.content.ContentHandler.handle(ContentHandler.java:127)
�[0m�[91m at org.apache.sling.feature.launcher.impl.FeatureProcessor.prepareLauncher(FeatureProcessor.java:205)
at org.apache.sling.feature.launcher.impl.Bootstrap.runWithException(Bootstrap.java:157)
... 5 more
Thumbnails Not Sync'ing From Brightcove to AEM
Hi,
Thumbnails are not sync’ing from Brightcove to AEM when the overnight sync runs or when the sync is run manually via the AEM Brightcove Admin console. Based on the error in the log, it appears to be an SSL issue. We are using OpenJDK 1.8. Here is the exception:
2023-01-05 14:32:06.387 DEBUG [com.coresecure.brightcove.wrapper.utils.HttpServices] getSSLConnection: https://cf-images.us-east-1.prod.boltdns.net/v1/jit/624142960001/d010aa36-8a1f-4870-a10a-d4779e39e36c/main/160x90/2s688ms/match/image.jpg PROXY: DIRECT 2023-01-05 14:32:06.397 ERROR [com.coresecure.brightcove.wrapper.utils.HttpServices] Error! {} javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure at sun.security.ssl.Alert.createSSLException(Alert.java:131) at sun.security.ssl.Alert.createSSLException(Alert.java:117) at sun.security.ssl.TransportContext.fatal(TransportContext.java:311) at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293) at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185) at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152) at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397) at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305) at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440) at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559) at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197) at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167) at com.coresecure.brightcove.wrapper.utils.HttpServices.executeFullGet(HttpServices.java:515) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2] at com.coresecure.brightcove.wrapper.utils.HttpServices.getRemoteBinary(HttpServices.java:715) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2] at com.coresecure.brightcove.wrapper.schedulers.asset_integrator.callables.VideoImportCallable.createAsset(VideoImportCallable.java:113) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2] at com.coresecure.brightcove.wrapper.schedulers.asset_integrator.callables.VideoImportCallable.call(VideoImportCallable.java:264) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2] at com.coresecure.brightcove.wrapper.schedulers.asset_integrator.callables.VideoImportCallable.call(VideoImportCallable.java:67) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2] at java.util.concurrent.FutureTask.run(FutureTask.java:266) at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149) at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624) at java.lang.Thread.run(Thread.java:750)
Any suggestions on how to resolve would be greatly appreciated. Thank you!
CVE-2018-14042 (Medium) detected in bootstrap-2.0.4.js - autoclosed
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2020-9488 (Low) detected in log4j-1.2.14.jar - autoclosed
CVE-2020-9488 - Low Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
Publish Date: 2020-04-27
URL: CVE-2020-9488
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/LOG4J2-2819
Release Date: 2020-04-27
Fix Resolution: org.apache.logging.log4j:log4j-core:2.13.2
Index.js issue
Hi , while configuring the AEM brightcove connector.I’m getting an error on index.js 404 error. Do anyone have got the same error? Any ideas how this can be resolved? First it support AEM 6.5
CVE-2012-5783 (Low) detected in commons-httpclient-3.1.jar - autoclosed
CVE-2012-5783 - Low Severity Vulnerability
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /current/core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar,/home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
- jacoco-maven-plugin-0.7.9.jar (Root Library)
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ commons-httpclient-3.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 3 Score Details (3.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265
CVE-2018-20676 (Medium) detected in bootstrap-2.0.4.js - autoclosed
CVE-2018-20676 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Unclear license
Currently the source code contains 2 licenses - GPL and MIT (which is also linked for the Github repo). What license does apply (or is it dual-licensed? In any case some clarifying notes would be great!
CVE-2019-13116 (High) detected in commons-collections-3.2.jar - autoclosed
CVE-2019-13116 - High Severity Vulnerability
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
Publish Date: 2019-10-16
URL: CVE-2019-13116
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116
Release Date: 2019-10-29
Fix Resolution: commons-collections:commons-collections:3.2.2
CVE-2019-8331 (Medium) detected in bootstrap-2.0.4.js - autoclosed
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-14040 (Medium) detected in bootstrap-2.0.4.js - autoclosed
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
bootstrap-2.0.4.js: 7 vulnerabilities (highest severity is: 6.1)
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Vulnerabilities
| CVE | Severity | CVSS |
Dependency | Type | Fixed in | Remediation Available |
|---|---|---|---|---|---|---|
| CVE-2019-8331 | Medium |
6.1 | bootstrap-2.0.4.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ |
| CVE-2018-14040 | Medium |
6.1 | bootstrap-2.0.4.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
| CVE-2018-20677 | Medium |
6.1 | bootstrap-2.0.4.js | Direct | Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0 | ❌ |
| CVE-2018-20676 | Medium |
6.1 | bootstrap-2.0.4.js | Direct | bootstrap - 3.4.0 | ❌ |
| CVE-2018-14042 | Medium |
6.1 | bootstrap-2.0.4.js | Direct | org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0 | ❌ |
| CVE-2016-10735 | Medium |
6.1 | bootstrap-2.0.4.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ |
| WS-2017-0178 | Medium |
5.4 | bootstrap-2.0.4.js | Direct | 2.1.0 | ❌ |
Details
CVE-2019-8331
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-14040
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2018-20677
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
CVE-2018-20676
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
CVE-2018-14042
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2016-10735
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
WS-2017-0178
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Affected versions of the package are vulnerable to Cross-site Scripting (XSS).
Publish Date: 2012-06-03
URL: WS-2017-0178
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Release Date: 2012-06-03
Fix Resolution: 2.1.0
CVE-2016-10735 (Medium) detected in bootstrap-2.0.4.js - autoclosed
CVE-2016-10735 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-01-09
Fix Resolution: 3.4.0
on AEM Cloud, In Brightcove Video Player (HTML5) component dialog, the account and players dropdown option values doesn't show up again to author, after the first time edit and save.
Trying to set up Brightcove Connector 6.0.3 with AEM 6.5.17
We're trying to set up Brightcove Connector 6.0.3 with AEM 6.5.17 but we're unable to load the Brightcove admin page. (please see sceenshot)
I've verified that brightcove bundle is active and the correct account id, client id and client secret have been entered in config manager. I see the following in the Brightcove log:
2023-07-10 16:27:50.351 DEBUG [com.coresecure.brightcove.wrapper.sling.ConfigurationGrabberImpl] getAvailableServices() all: [207397170001]
2023-07-10 16:27:50.351 DEBUG [com.coresecure.brightcove.wrapper.sling.ConfigurationGrabberImpl] getAvailableServices() all: [207397170001]
CVE-2012-0881 (High) detected in xercesImpl-2.8.1.jar - autoclosed
CVE-2012-0881 - High Severity Vulnerability
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: 2.12.0
CVE-2019-17571 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2019-17571 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2019-10086 (High) detected in commons-beanutils-1.7.0.jar - autoclosed
CVE-2019-10086 - High Severity Vulnerability
Vulnerable Library - commons-beanutils-1.7.0.jar
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- commons-validator-1.2.0.jar
- ❌ commons-beanutils-1.7.0.jar (Vulnerable Library)
- commons-validator-1.2.0.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: victims/victims-cve-db@16a669c
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
Content Security Policy Issue
After removing 'unsafe-eval ' from our CSP directive , we are facing the following issue for pages where Brightcove Video player
component is configured --
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script .
We are using Brightcove 6.1.3-cloud AEM Connector .
Source is shown in below screenshots ->
Could you please look into all possible CSP issues with Brightcove - AEM connector and provide solution ASAP ?
CVE-2015-4852 (High) detected in commons-collections-3.2.jar - autoclosed
CVE-2015-4852 - High Severity Vulnerability
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
CVE-2020-9493 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2020-9493 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2013-4002 (Medium) detected in xercesImpl-2.8.1.jar - autoclosed
CVE-2013-4002 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
CVSS 3 Score Details (5.9)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
Repository URL for dependency?
Hello!
I am trying to install the connector on an AEM Cloud instance through a CM pipeline. I've added the proper dependencies to the codebase, but what is the URL to the repository that holds this dependency?
I would assume it would be at the below link but it does not appear to be.
https://repo.maven.apache.org/maven2/com/brightcove/
Thanks.
CVE-2009-2625 (Medium) detected in xercesImpl-2.8.1.jar - autoclosed
CVE-2009-2625 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: apache-xerces:xercesImpl - 2.9.1;xerces:xercesImpl - 2.3.0,2.9.1-NODEP,2.9.0;org.apache.servicemix.bundles:org.apache.servicemix.bundles.xerces - 2.10.0_1
Brightcove connector not working with AEM server running HTTPS
We just switched to HTTPS on our AEM 6.4.8.2 author server and now we can no longer load the Brightcove admin page (version 5.5.4.). (see screenshot) Is there a setting that we need to change to have it work in HTTPS? Thanks.
WS-2017-0178 (Medium) detected in bootstrap-2.0.4.js - autoclosed
WS-2017-0178 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.0.4.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
- ❌ bootstrap-2.0.4.js (Vulnerable Library)
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Affected versions of the package are vulnerable to Cross-site Scripting (XSS).
Publish Date: 2012-06-03
URL: WS-2017-0178
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#3421
Release Date: 2012-06-03
Fix Resolution: 2.1.0
CVE-2015-6420 (High) detected in commons-collections-3.2.jar - autoclosed
CVE-2015-6420 - High Severity Vulnerability
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Release Date: 2015-12-15
Fix Resolution: commons-collections:commons-collections3.2.2,org.apache.commons:commons-collections4:4.1
BrightCove Certificates
HI Team,
Could you please let me know where can i get below brightcove certificates. Without these certs I can see sync is not happening between AEM and BrightCove. I have tried to export the certs from URL but it didnt work.
"https://players.api.brightcove.com/v2:::D:/cert/players_api.cer",
"https://cms.api.brightcove.com/v1:::D:/cert/cms_api.cer",
"https://ingest.api.brightcove.com/v1:::D:/cert/ingest_api.cer",
"https://oauth.brightcove.com/v4/access_token:::D:/cert/oath_brightcove.cer"
Using runmode for config settings instead of manual configuration
The Brightcove connector works when we configure the settings under /system/console/configMgr. However we would like to check the config settings into our code release by adding it under the runmode for config.author. Is it possible to add it to a runmode in the bundle instead of manually configuring it under the Web Console Configuration? The Brightcove Connector does not pick up the config settings from this location.
i.e. ui.apps/src/main/content/jcr_root/apps/jhi-investments/config.author/ com.coresecure.brightcove.wrapper.sling.BrcServiceImpl.90abfe45-4b0c-41b0-b22b-b0ee9b79415f.config
CVE-2021-4104 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2021-4104 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Adobe Scan Report - Brightcove issues
Hi Team,
We have integrated Brightcove with AEM as a cloud service. We are seeing the issue in Adobe scan report which has been attached to this request. Could you please check on this issue as soon as possible.
BrightCove Dialogs & Admin UI doesn't load when context path is enabled
Our team uses context path for AEM instances to distinguish our Author and Publisher instances. e.g we access author instance using the Url http://localhost:4502/author
Many ajax calls (especially where servlet/api calls are made), are executed without appending the context path. There are a few occurrences where it is done properly but not across all of them. As a result the ajax call when happens with /bin/brightcove/api instead of /author/bin/brightcove/api and fails since it cant be accessed.
CVE-2022-23437 (Medium) detected in xercesImpl-2.8.1.jar - autoclosed
CVE-2022-23437 - Medium Severity Vulnerability
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-core-1.1.2.jar
- ❌ xercesImpl-2.8.1.jar (Vulnerable Library)
- doxia-core-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in base branch: master
Vulnerability Details
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
CVE-2015-7501 (High) detected in commons-collections-3.2.jar - autoclosed
CVE-2015-7501 - High Severity Vulnerability
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-reporting-impl-2.1.jar
- doxia-site-renderer-1.1.2.jar
- ❌ commons-collections-3.2.jar (Vulnerable Library)
- doxia-site-renderer-1.1.2.jar
- maven-reporting-impl-2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
CVE-2022-23302 (High) detected in log4j-1.2.14.jar - autoclosed
CVE-2022-23302 - High Severity Vulnerability
Vulnerable Library - log4j-1.2.14.jar
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
- slf4j-log4j12-1.5.6.jar (Root Library)
- ❌ log4j-1.2.14.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
CVE-2020-15250 (Medium) detected in junit-4.8.2.jar - autoclosed
CVE-2020-15250 - Medium Severity Vulnerability
Vulnerable Library - junit-4.8.2.jar
JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar
Dependency Hierarchy:
- brightcove-services-5.6-SNAPSHOT.jar (Root Library)
- jacoco-maven-plugin-0.7.9.jar
- maven-project-2.2.1.jar
- plexus-container-default-1.0-alpha-9-stable-1.jar
- ❌ junit-4.8.2.jar (Vulnerable Library)
- plexus-container-default-1.0-alpha-9-stable-1.jar
- maven-project-2.2.1.jar
- jacoco-maven-plugin-0.7.9.jar
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
add filter specific to changes - /apps/cq/core/content/nav/brightcove
The current filter will overwrite any custom changes , can we use specific filter for /apps/cq path .
we are using https://github.com/brightcove/Adobe-AEM-Brightcove-Connector/releases/download/6.0.1-cloud/brightcove.all-6.0.1.zip
Synchronizing multilingual sub-folders with Brightcove connector
We've set up sub-folders in our Brightcove directory for multilingual videos. (i.e. Spain, Germany, etc.) How can we modify the AEM Brightcove connector to sync metadata between Brightcove and AEM for these new sub-directories? Currently database synchronization is only working in the folder name with the numeric Account ID from the Brightcove configuration. We're also using version 5.5.4 of the Brightcove connector.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.