brightcove / adobe-aem-brightcove-connector
Brightcove connector to Adobe Experience Manager
Home Page: http://www.brightcove.com
License: MIT License
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Plexus-utils before 3.0.24 are vulnerable to Directory Traversal
Publish Date: 2016-05-07
URL: WS-2016-7057
Base Score Metrics:
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@33a2853
Release Date: 2016-05-07
Fix Resolution: 3.0.24
In version 6.0.0 of the connector (for AEMaaCS), in the in-page experience component dialog, I am not able to select an account from the dropdown.
After investigating it, looking at the 6.0.0 package and the dialog for the component at path
/apps/brightcove/components/content/brightcoveexperiences/_cq_dialog/.content.xml
it seems the issue is a missing class granite:class="brightcove-dialog-account-dropdown"
on the account field.
Now, the latest version of the connector on GitHub does have that class; however, it does not seem to have been released for cloud. Will this be released soon?
Hi,
We are using Brightcove and have integrated it with AEM. As with most projects these days, we are also using Maven for build and deployment. With this Brightcove AEM connector, right now we need to install it manually in our AEM. We want to automate this deployment, but the problem is that this AEM-Brightcove connector is not available in a public repo (Maven Central). So we can't automate the deployment of this connector package with our code. It is especially problematic for AMS and AEM as a Cloud Service, which restrict doing anything manually on AEM servers.
The only solution is to set up our own Nexus and host this connector package there. But there are a couple of problems with this approach:
1.) If the company does not have Nexus, they need to set up and manage this server just to host one dependency.
2.) If a company already has its own Nexus, it is usually internal and can be accessed only through a VPN. As you know, AEM is now hosted mostly with AMS (Adobe Managed Services) or AEMaaCS (AEM as a Cloud Service). In both cases, they can't access our VPN-only Nexus. We can't make our Nexus public either, for security reasons.
So, wouldn't it be better if you guys could publish this connector to Maven Central? It is a simple and straightforward task for you, and it will save lots of effort and time for most people.
P.S: We are using AEM Brightcove connector version 5.6.1 right now.
Thanks,
Kapil.
Hi Team,
I am integrating the Brightcove connector with AEM 6.5.6. I have added a new Brightcove service OSGi configuration with account details (account, clientId and client secret) and saved it. After that, the admin page http://localhost:4502/brightcove/admin keeps loading and I can see the console error below. I can see the account_id value as undefined. Can you please let me know why this is an issue and whether I have to update any other configuration values?
Refused to execute script from 'http://localhost:4502/bin/brightcove/api.js?account_id=undefined&a=search_videos&callback=showAllVideosCallBack&sort=name&limit=30&start=0&fields=id,name,shortDescription,longDescription,publishedDate,lastModifiedDate,linkURL,linkText,tags,thumbnailURL,referenceId,length,economics,videoStillURL' because its MIME type ('') is not executable, and strict MIME type checking is enabled.
NOTE: The connection works fine if I execute the shell script locally as mentioned in https://integrations.support.brightcove.com/general/debugging-network-and-api-connection-issues-cms-and-dam-integrations.html
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: Adobe-AEM-Brightcove-Connector/current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
Publish Date: 2021-11-27
URL: CVE-2021-44228
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jfh8-c2jp-5v3q
Release Date: 2021-12-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-23305 | High | 9.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
CVE-2019-13116 | High | 9.8 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
CVE-2019-17571 | High | 9.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
CVE-2017-15708 | High | 9.8 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
CVE-2020-9493 | High | 9.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
CVE-2015-7501 | High | 9.8 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
CVE-2022-23307 | High | 8.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
CVE-2022-23302 | High | 8.8 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
CVE-2020-13936 | High | 8.8 | velocity-1.5.jar | Transitive | N/A | ❌ |
CVE-2021-4104 | High | 7.5 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
CVE-2015-4852 | High | 7.3 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
CVE-2019-10086 | High | 7.3 | commons-beanutils-1.7.0.jar | Transitive | N/A | ❌ |
CVE-2014-0114 | High | 7.3 | commons-beanutils-1.7.0.jar | Transitive | N/A | ❌ |
CVE-2015-6420 | High | 7.3 | commons-collections-3.2.jar | Transitive | N/A | ❌ |
CVE-2022-23437 | Medium | 6.5 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
CVE-2013-4002 | Medium | 5.9 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
WS-2016-7057 | Medium | 5.9 | plexus-utils-3.0.22.jar | Transitive | N/A | ❌ |
CVE-2020-15250 | Medium | 5.5 | junit-4.8.2.jar | Transitive | N/A | ❌ |
WS-2016-7062 | Medium | 5.3 | plexus-utils-3.0.22.jar | Transitive | N/A | ❌ |
CVE-2009-2625 | Medium | 5.3 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
CVE-2012-0881 | Medium | 5.3 | xercesImpl-2.8.1.jar | Transitive | N/A | ❌ |
CVE-2012-5783 | Medium | 4.8 | commons-httpclient-3.1.jar | Transitive | N/A | ❌ |
CVE-2020-9488 | Low | 3.7 | log4j-1.2.14.jar | Transitive | N/A | ❌ |
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
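The JDBCAppender mechanism described above, as an added example that is not code from this page or from the connector project: a Python simulation of what Log4j 1.2's JDBCAppender does with its configured SQL (plain text substitution of the PatternLayout conversions, here %p and %m, then execution) against an in-memory SQLite table, next to the parameterized form that the Log4j 2 appender uses. The SQL string, table and payload are constructed for the demonstration; the payload stands in for any attacker-supplied value, such as a request header, that the application logs verbatim.

```python
import sqlite3

# The kind of statement a Log4j 1.2 JDBCAppender is configured with (constructed
# for this example). The appender replaces %p and %m with the event's level and
# message text and executes the result as-is.
APPENDER_SQL = "INSERT INTO logs (level, msg) VALUES ('%p', '%m')"


def render_pattern(sql: str, level: str, message: str) -> str:
    """Mimic PatternLayout substitution: plain text replacement, no escaping."""
    return sql.replace("%p", level).replace("%m", message)


def fresh_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logs (level TEXT, msg TEXT)")
    return conn


def log_like_jdbcappender(conn: sqlite3.Connection, level: str, message: str) -> None:
    """Vulnerable path: the message is spliced into the SQL before execution."""
    conn.execute(render_pattern(APPENDER_SQL, level, message))
    conn.commit()


def log_parameterized(conn: sqlite3.Connection, level: str, message: str) -> None:
    """Hardened path: the message travels as a bound parameter, never as SQL."""
    conn.execute("INSERT INTO logs (level, msg) VALUES (?, ?)", (level, message))
    conn.commit()


def rows(conn: sqlite3.Connection) -> list:
    return conn.execute("SELECT level, msg FROM logs ORDER BY rowid").fetchall()


# Constructed attacker-controlled input that ends up in a log message. It closes
# the VALUES tuple and appends a second one, so a single log call inserts an
# attacker-chosen row (here a forged ERROR entry).
PAYLOAD = "probe'), ('ERROR', 'forged: admin login ok"


def demo() -> tuple:
    """Log the same payload both ways and return (appender-style rows, parameterized rows)."""
    vulnerable = fresh_db()
    log_like_jdbcappender(vulnerable, "INFO", PAYLOAD)
    hardened = fresh_db()
    log_parameterized(hardened, "INFO", PAYLOAD)
    return rows(vulnerable), rows(hardened)


if __name__ == "__main__":
    appender_rows, safe_rows = demo()
    print("JDBCAppender-style:", appender_rows)
    print("parameterized:     ", safe_rows)
```

Run it and the appender-style path yields two rows, the second of which never came from the application, while the parameterized path stores the payload as one inert string. Log4j 1.2's JDBCAppender has no parameter binding to switch on, so short of the upgrade the scanner lists, the only in-place mitigation is to keep untrusted text away from that appender.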
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in base branch: master
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
Publish Date: 2019-10-16
URL: CVE-2019-13116
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116
Release Date: 2019-10-29
Fix Resolution: commons-collections:commons-collections:3.2.2
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in base branch: master
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in base branch: master
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Apache Velocity is a general purpose template engine.
Library home page: http://velocity.apache.org/engine/
Path to dependency file: /current/core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar,/home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar
Dependency Hierarchy:
Found in base branch: master
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Publish Date: 2021-03-10
URL: CVE-2020-13936
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-03-10
Fix Resolution: org.apache.velocity:velocity-engine-core:2.3
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in base branch: master
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
Found in base branch: master
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in base branch: master
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
Base Score Metrics:
Type: Upgrade version
Release Date: 2015-12-15
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
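The commons-collections entries above (CVE-2019-13116, CVE-2017-15708, CVE-2015-7501, CVE-2015-4852, CVE-2015-6420) describe one condition: something deserializes attacker-supplied Java objects while an ACC gadget class is on the classpath. The following is an added detection example, not code from this page or from the connector: a Python scanner that checks for the Java serialization stream header and forward-scans TC_CLASSDESC records to recover the declared class names, flagging the classes that appear in the public Commons Collections gadget chains. The sample streams are hand-built here, structurally simplified, and are not working payloads; the class list is an assumption drawn from public gadget-chain research rather than from the page. It is the kind of gate one puts in front of ObjectInputStream, or runs over captured request bodies, while the upgrade to 3.2.2 is rolled out.

```python
import re
import struct

JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"   # STREAM_MAGIC + STREAM_VERSION
TC_OBJECT = 0x73
TC_CLASSDESC = 0x72
TC_ENDBLOCKDATA = 0x78
TC_NULL = 0x70

# Classes seen in the public Apache Commons Collections gadget chains (assumption:
# taken from public research, not from this page). commons-collections 3.2.2 refuses
# to deserialize InvokerTransformer and InstantiateTransformer unless the
# org.apache.commons.collections.enableUnsafeSerialization property re-enables it;
# the others are listed because seeing them together is the chain's signature.
GADGET_CLASSES = {
    "org.apache.commons.collections.functors.InvokerTransformer",
    "org.apache.commons.collections.functors.InstantiateTransformer",
    "org.apache.commons.collections.functors.ChainedTransformer",
    "org.apache.commons.collections.functors.ConstantTransformer",
    "org.apache.commons.collections.map.LazyMap",
    "org.apache.commons.collections.map.TransformedMap",
    "org.apache.commons.collections4.functors.InvokerTransformer",
}

# Dotted Java identifier with at least one package segment.
JAVA_CLASS_NAME = re.compile(rb"[A-Za-z_$][A-Za-z0-9_$]*(?:\.[A-Za-z_$][A-Za-z0-9_$]*)+")


def class_names(stream: bytes):
    """Yield class names declared by TC_CLASSDESC records in a Java serialization stream.

    A forward scan rather than a full grammar walk: TC_CLASSDESC is followed by a
    2-byte big-endian length and the class name, which is enough to recover every
    class the stream declares, however deeply nested. Candidates that do not look
    like dotted Java identifiers are skipped to limit false hits on data bytes."""
    if not stream.startswith(JAVA_SERIAL_MAGIC):
        return
    pos = len(JAVA_SERIAL_MAGIC)
    while (pos := stream.find(bytes([TC_CLASSDESC]), pos)) != -1:
        if pos + 3 > len(stream):
            return
        (length,) = struct.unpack(">H", stream[pos + 1:pos + 3])
        name = stream[pos + 3:pos + 3 + length]
        if length and len(name) == length and JAVA_CLASS_NAME.fullmatch(name):
            yield name.decode("ascii")
            pos += 3 + length
        else:
            pos += 1


def gadget_hits(stream: bytes) -> list:
    """Sorted gadget classes declared in the stream; empty if none or not Java serial data."""
    return sorted(set(class_names(stream)) & GADGET_CLASSES)


def is_suspicious(stream: bytes) -> bool:
    return bool(gadget_hits(stream))


def _class_desc(name: str, serial_version_uid: int = 1) -> bytes:
    """Hand-built minimal TC_CLASSDESC: name, SUID, flags=SC_SERIALIZABLE, zero fields,
    empty class annotation, no superclass. Enough structure to exercise the scanner."""
    raw = name.encode("ascii")
    return (bytes([TC_CLASSDESC]) + struct.pack(">H", len(raw)) + raw
            + struct.pack(">q", serial_version_uid) + b"\x02" + struct.pack(">H", 0)
            + bytes([TC_ENDBLOCKDATA, TC_NULL]))


def _object(name: str) -> bytes:
    return bytes([TC_OBJECT]) + _class_desc(name)


# Constructed sample streams: no field data, so not valid payloads, only the class
# declarations such streams carry.
BENIGN_STREAM = JAVA_SERIAL_MAGIC + _object("java.util.HashMap")
SUSPECT_STREAM = (JAVA_SERIAL_MAGIC
                  + _object("sun.reflect.annotation.AnnotationInvocationHandler")
                  + _object("org.apache.commons.collections.map.LazyMap")
                  + _object("org.apache.commons.collections.functors.ChainedTransformer")
                  + _object("org.apache.commons.collections.functors.InvokerTransformer"))

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_STREAM), ("suspect", SUSPECT_STREAM)):
        print(label, "->", gadget_hits(sample) or "no gadget classes")
```

A denylist like this catches the known chains only; the durable fix is the version bump plus an allowlisting deserialization filter (ObjectInputFilter on Java 9+, or a look-ahead ObjectInputStream) at every endpoint that reads serialized objects.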
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in base branch: master
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in base branch: master
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar
Dependency Hierarchy:
Found in base branch: master
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system property to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
Found in base branch: master
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-05-07
Fix Resolution: 3.0.24
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in base branch: master
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: xerces:xercesImpl:2.12.0
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in base branch: master
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: xerces:xercesImpl:2.12.0
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /current/core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar,/home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
Found in base branch: master
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar,/home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
Base Score Metrics:
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@f933e5e
Release Date: 2016-05-07
Fix Resolution: 3.0.24
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). Apache Synapse 3.0.1 and all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) therefore allow remote code execution attacks performed by injecting specially crafted serialized objects, and the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution makes this exploitable. To mitigate the issue, limit RMI access to trusted users only. Upgrading to version 3.0.1 additionally removes the risk of shipping the affected Commons Collections version: in Synapse 3.0.1, Commons Collections has been updated to 3.2.2.
Publish Date: 2017-12-11
URL: CVE-2017-15708
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
Hi,
We used the 6.0 version zip provided here: https://github.com/brightcove/Adobe-AEM-Brightcove-Connector/releases/tag/6.0.0-cloud
The Cloud Manager build is failing at the "Build Images" step with the following error:
java.lang.IllegalStateException: Error while assembling launcher: Package has unresolved dependencies: com.coresecure:brightcove.all:[6.0.0-cp2fm-converted,6.0.0-cp2fm-converted]
    at org.apache.sling.feature.launcher.impl.Bootstrap.runWithException(Bootstrap.java:169)
    at com.adobe.granite.fact.command.PrepareContentCommand.doCall(PrepareContentCommand.java:174)
    at com.adobe.granite.fact.command.AbstractRepoCommand.call(AbstractRepoCommand.java:67)
    at com.adobe.granite.fact.command.buildimage.BuildImageTasks.doPrepareContent(BuildImageTasks.java:707)
    at com.adobe.granite.fact.command.buildimage.BuildImageExecutor.lambda$submit$1(BuildImageExecutor.java:110)
    at java.base/java.lang.Thread.run(Thread.java:834)
Caused by: shaded.org.apache.jackrabbit.vault.packaging.DependencyException: Package has unresolved dependencies: com.coresecure:brightcove.all:[6.0.0-cp2fm-converted,6.0.0-cp2fm-converted]
    at shaded.org.apache.jackrabbit.vault.packaging.registry.impl.ExecutionPlanBuilderImpl.resolveInstall(ExecutionPlanBuilderImpl.java:257)
    at shaded.org.apache.jackrabbit.vault.packaging.registry.impl.ExecutionPlanBuilderImpl.validate(ExecutionPlanBuilderImpl.java:239)
    at org.apache.sling.feature.extension.content.ContentHandler.buildExecutionPlan(ContentHandler.java:87)
    at org.apache.sling.feature.extension.content.ContentHandler.handle(ContentHandler.java:127)
    at org.apache.sling.feature.launcher.impl.FeatureProcessor.prepareLauncher(FeatureProcessor.java:205)
    at org.apache.sling.feature.launcher.impl.Bootstrap.runWithException(Bootstrap.java:157)
    ... 5 more
Hi,
Thumbnails are not syncing from Brightcove to AEM when the overnight sync runs or when the sync is run manually via the AEM Brightcove Admin console. Based on the error in the log, it appears to be an SSL issue. We are using OpenJDK 1.8. Here is the exception:
2023-01-05 14:32:06.387 DEBUG [com.coresecure.brightcove.wrapper.utils.HttpServices] getSSLConnection: https://cf-images.us-east-1.prod.boltdns.net/v1/jit/624142960001/d010aa36-8a1f-4870-a10a-d4779e39e36c/main/160x90/2s688ms/match/image.jpg PROXY: DIRECT
2023-01-05 14:32:06.397 ERROR [com.coresecure.brightcove.wrapper.utils.HttpServices] Error! {}
javax.net.ssl.SSLHandshakeException: Received fatal alert: handshake_failure
    at sun.security.ssl.Alert.createSSLException(Alert.java:131)
    at sun.security.ssl.Alert.createSSLException(Alert.java:117)
    at sun.security.ssl.TransportContext.fatal(TransportContext.java:311)
    at sun.security.ssl.Alert$AlertConsumer.consume(Alert.java:293)
    at sun.security.ssl.TransportContext.dispatch(TransportContext.java:185)
    at sun.security.ssl.SSLTransport.decode(SSLTransport.java:152)
    at sun.security.ssl.SSLSocketImpl.decode(SSLSocketImpl.java:1397)
    at sun.security.ssl.SSLSocketImpl.readHandshakeRecord(SSLSocketImpl.java:1305)
    at sun.security.ssl.SSLSocketImpl.startHandshake(SSLSocketImpl.java:440)
    at sun.net.www.protocol.https.HttpsClient.afterConnect(HttpsClient.java:559)
    at sun.net.www.protocol.https.AbstractDelegateHttpsURLConnection.connect(AbstractDelegateHttpsURLConnection.java:197)
    at sun.net.www.protocol.https.HttpsURLConnectionImpl.connect(HttpsURLConnectionImpl.java:167)
    at com.coresecure.brightcove.wrapper.utils.HttpServices.executeFullGet(HttpServices.java:515) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2]
    at com.coresecure.brightcove.wrapper.utils.HttpServices.getRemoteBinary(HttpServices.java:715) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2]
    at com.coresecure.brightcove.wrapper.schedulers.asset_integrator.callables.VideoImportCallable.createAsset(VideoImportCallable.java:113) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2]
    at com.coresecure.brightcove.wrapper.schedulers.asset_integrator.callables.VideoImportCallable.call(VideoImportCallable.java:264) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2]
    at com.coresecure.brightcove.wrapper.schedulers.asset_integrator.callables.VideoImportCallable.call(VideoImportCallable.java:67) [com.coresecure.brightcove.cq5.brightcove-services:5.6.2]
    at java.util.concurrent.FutureTask.run(FutureTask.java:266)
    at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1149)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:624)
    at java.lang.Thread.run(Thread.java:750)
Any suggestions on how to resolve would be greatly appreciated. Thank you!
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/LOG4J2-2819
Release Date: 2020-04-27
Fix Resolution: org.apache.logging.log4j:log4j-core:2.13.2
Hi, while configuring the AEM Brightcove connector I'm getting a 404 error on index.js. Has anyone got the same error? Any ideas how this can be resolved? First, it supports AEM 6.5.
The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to dependency file: /current/core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar,/home/wss-scanner/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: commons-httpclient:commons-httpclient - 3.1-jenkins-1,3.1-redhat-3,3.1-HTTPCLIENT-1265
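The check that the two commons-httpclient findings (CVE-2012-5783) and the two Log4j SMTP appender findings (CVE-2020-9488) above describe as missing is the same one: after the TLS handshake, the peer certificate must name the host that was dialled, otherwise any valid certificate lets a man-in-the-middle terminate the connection. The following is an added example written for this page, not code from commons-httpclient, Log4j or the connector. The certificates are constructed dictionaries in the shape Python's ssl.SSLSocket.getpeercert() returns, so the check runs offline; the host names in them are made up.

```python
"""Server-name check that commons-httpclient 3.x (CVE-2012-5783) and the
Log4j 1.x SMTP appender (CVE-2020-9488) left out.

Added example; not code from either library or from the connector. The
certificates below are constructed dicts in the shape that Python's
ssl.SSLSocket.getpeercert() returns.
"""
import ipaddress
import ssl


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate DNS name against the requested host.

    Rules as browsers and the Python stdlib apply them (a narrowing of
    RFC 6125 s6.4.3): case-insensitive, and '*' is accepted only as the
    whole left-most label, matching exactly one label and never the bare
    domain.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    pat_labels = pattern.split(".")
    host_labels = hostname.split(".")
    # '*.com', 'a*.example.com' and a bare '*' are rejected outright
    if pat_labels[0] != "*" or len(pat_labels) < 3 or any("*" in l for l in pat_labels[1:]):
        return False
    return len(host_labels) == len(pat_labels) and host_labels[1:] == pat_labels[1:]


def _same_ip(text: str, wanted) -> bool:
    try:
        return ipaddress.ip_address(text) == wanted
    except ValueError:
        return False


def hostname_matches_cert(hostname: str, cert: dict) -> bool:
    """True if the certificate is valid for hostname.

    Only subjectAltName DNS / IP Address entries count when any are present;
    the subject Common Name is consulted solely for legacy certificates
    that carry no subjectAltName at all.
    """
    san = cert.get("subjectAltName", ())
    dns_names = [value for kind, value in san if kind == "DNS"]
    ip_names = [value for kind, value in san if kind == "IP Address"]
    try:
        wanted_ip = ipaddress.ip_address(hostname)
    except ValueError:
        wanted_ip = None
    if wanted_ip is not None:
        # a literal IP is matched only against IP Address SAN entries
        return any(_same_ip(value, wanted_ip) for value in ip_names)
    if dns_names or ip_names:
        return any(_dns_name_matches(p, hostname) for p in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False


def client_context() -> ssl.SSLContext:
    """The setting a client should use: the stdlib performs the same match
    during the handshake and raises on mismatch. check_hostname = False
    reproduces the 3.x behaviour the finding describes."""
    ctx = ssl.create_default_context()
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    return ctx


# Constructed certificates for the demonstration, not real ones.
CERT_SAN = {
    "subject": ((("commonName", "brightcove.com"),),),
    "subjectAltName": (("DNS", "brightcove.com"), ("DNS", "*.brightcove.com")),
}
# A valid certificate for a different name: exactly what a man-in-the-middle
# presents to a client that never compares names.
CERT_OTHER = {
    "subject": ((("commonName", "mitm.example"),),),
    "subjectAltName": (("DNS", "mitm.example"),),
}
# Legacy certificate without subjectAltName: only here does the CN apply.
CERT_CN_ONLY = {
    "subject": ((("countryName", "US"),), (("commonName", "smtp.example.net"),)),
}

if __name__ == "__main__":
    for host, cert in [("api.brightcove.com", CERT_SAN), ("brightcove.com", CERT_OTHER),
                       ("smtp.example.net", CERT_CN_ONLY)]:
        print(host, "->", "ok" if hostname_matches_cert(host, cert) else "MISMATCH")
```

The CERT_OTHER case is the one both findings are about: the certificate chain validates, so a client that stops there accepts it; only the name comparison rejects it.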
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Currently the source code contains 2 licenses, GPL and MIT (the latter is also the one linked for the GitHub repo). Which license applies, or is it dual-licensed? In any case, some clarifying notes would be great!
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections
Publish Date: 2019-10-16
URL: CVE-2019-13116
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116
Release Date: 2019-10-29
Fix Resolution: commons-collections:commons-collections:3.2.2
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2019-8331 | Medium | 6.1 | bootstrap-2.0.4.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ |
CVE-2018-14040 | Medium | 6.1 | bootstrap-2.0.4.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
CVE-2018-20677 | Medium | 6.1 | bootstrap-2.0.4.js | Direct | Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0 | ❌ |
CVE-2018-20676 | Medium | 6.1 | bootstrap-2.0.4.js | Direct | bootstrap - 3.4.0 | ❌ |
CVE-2018-14042 | Medium | 6.1 | bootstrap-2.0.4.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
CVE-2016-10735 | Medium | 6.1 | bootstrap-2.0.4.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ |
WS-2017-0178 | Medium | 5.4 | bootstrap-2.0.4.js | Direct | 2.1.0 | ❌ |
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in base branch: master
Affected versions of the package are vulnerable to Cross-site Scripting (XSS).
Publish Date: 2012-06-03
URL: WS-2017-0178
Base Score Metrics:
Type: Upgrade version
Release Date: 2012-06-03
Fix Resolution: 2.1.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-01-09
Fix Resolution: 3.4.0
We're trying to set up Brightcove Connector 6.0.3 with AEM 6.5.17 but we're unable to load the Brightcove admin page (please see screenshot).
I've verified that the Brightcove bundle is active and that the correct account ID, client ID and client secret have been entered in the Config Manager. I see the following in the Brightcove log:
2023-07-10 16:27:50.351 DEBUG [com.coresecure.brightcove.wrapper.sling.ConfigurationGrabberImpl] getAvailableServices() all: [207397170001]
2023-07-10 16:27:50.351 DEBUG [com.coresecure.brightcove.wrapper.sling.ConfigurationGrabberImpl] getAvailableServices() all: [207397170001]
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: 2.12.0
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j versions 1.2 through 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Base Score Metrics:
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which suppresses an attacker's ability to reach the class loader via the class property available on all Java objects. PropertyUtilsBean, however, did not use this BeanIntrospector by default.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Base Score Metrics:
Type: Upgrade version
Origin: victims/victims-cve-db@16a669c
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
After removing 'unsafe-eval' from our CSP directive, we are facing the following issue on pages where the Brightcove Video Player component is configured:
Refused to evaluate a string as JavaScript because 'unsafe-eval' is not an allowed source of script.
We are using the Brightcove 6.1.3-cloud AEM Connector.
The source is shown in the screenshots below:
Could you please look into all possible CSP issues with the Brightcove AEM connector and provide a solution ASAP?
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
Base Score Metrics:
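The commons-collections findings (CVE-2017-15708, CVE-2019-13116, CVE-2015-4852), the Log4j 1.2 SocketServer finding (CVE-2019-17571) and the Chainsaw finding (CVE-2020-9493) all turn on the same input: a listener that hands untrusted bytes to ObjectInputStream.readObject(), where a gadget class from a vulnerable commons-collections release turns deserialization into code execution. The following is an added example written for this page, not code from Log4j, Chainsaw, commons-collections or the connector: a network-side pre-check that parses the serialization stream header and first class descriptor, requires the one class a Log4j SocketAppender legitimately sends, and scans for known gadget class names. The sample streams are constructed (a correct header and class descriptors with zeroed serialVersionUID and flags); they exercise the parser and are neither deserializable objects nor exploit payloads. Inside the JVM the equivalent control is an ObjectInputFilter (JEP 290); the real fix is to not expose SocketServer or Chainsaw receivers to untrusted networks at all.

```python
"""Network-side pre-check for Java serialization streams arriving at a
Log4j 1.x SocketServer or Chainsaw receiver.

Added example; not code from Log4j, commons-collections or the connector.
The sample streams are constructed and are not deserializable objects.
"""
import struct

STREAM_HEADER = b"\xac\xed\x00\x05"          # STREAM_MAGIC + STREAM_VERSION
TC_CLASSDESC, TC_OBJECT, TC_ARRAY = 0x72, 0x73, 0x75

# The class a Log4j 1.x SocketServer legitimately receives from SocketAppender.
EXPECTED_FIRST_CLASS = "org.apache.log4j.spi.LoggingEvent"

# Gadget-chain classes from vulnerable commons-collections releases. A
# denylist only catches known chains; the allow-list above is the real gate.
DENYLIST = (
    b"org.apache.commons.collections.functors.InvokerTransformer",
    b"org.apache.commons.collections.functors.InstantiateTransformer",
    b"org.apache.commons.collections.functors.ChainedTransformer",
    b"org.apache.commons.collections.map.LazyMap",
)


def first_class_name(data: bytes):
    """Class name in the first TC_CLASSDESC of a serialization stream, or
    None when the bytes do not start like one. Handles the common shape
    TC_OBJECT/TC_ARRAY + TC_CLASSDESC + <2-byte UTF length><name>."""
    if not data.startswith(STREAM_HEADER):
        return None
    pos = len(STREAM_HEADER)
    if pos < len(data) and data[pos] in (TC_OBJECT, TC_ARRAY):
        pos += 1
    if pos >= len(data) or data[pos] != TC_CLASSDESC:
        return None
    pos += 1
    if pos + 2 > len(data):
        return None
    (length,) = struct.unpack(">H", data[pos:pos + 2])
    name = data[pos + 2:pos + 2 + length]
    if len(name) != length:
        return None
    return name.decode("utf-8", errors="replace")


def classify(data: bytes) -> str:
    """'not-serialized', 'blocked:<class>', 'unexpected:<class>' or 'allowed'.

    Class names appear in clear modified-UTF-8 the first time a class is
    written (TC_CLASSDESC); later uses are back-references, so a substring
    scan of the whole message sees every class the stream introduces.
    """
    if not data.startswith(STREAM_HEADER):
        return "not-serialized"
    for cls in DENYLIST:
        if cls in data:
            return "blocked:" + cls.decode()
    first = first_class_name(data)
    if first != EXPECTED_FIRST_CLASS:
        return "unexpected:%s" % first
    return "allowed"


def _class_desc(name: bytes) -> bytes:
    # TC_CLASSDESC, className as 2-byte-length UTF, serialVersionUID (8 bytes,
    # zeroed here), classDescFlags (SC_SERIALIZABLE). Field list omitted.
    return bytes([TC_CLASSDESC]) + struct.pack(">H", len(name)) + name + b"\x00" * 8 + b"\x02"


def build_sample(first: bytes, *more: bytes) -> bytes:
    """Constructed stream: header, TC_OBJECT, then one class descriptor per name."""
    return STREAM_HEADER + bytes([TC_OBJECT]) + b"".join(_class_desc(n) for n in (first,) + more)


BENIGN_EVENT = build_sample(b"org.apache.log4j.spi.LoggingEvent")
# Shape of a gadget payload: a JDK entry class first, the gadget class later.
GADGET_STREAM = build_sample(b"sun.reflect.annotation.AnnotationInvocationHandler",
                             b"org.apache.commons.collections.functors.InvokerTransformer")
PLAIN_TEXT = b"GET / HTTP/1.1\r\nHost: logs.example\r\n\r\n"

if __name__ == "__main__":
    for label, msg in [("event", BENIGN_EVENT), ("gadget", GADGET_STREAM), ("http", PLAIN_TEXT)]:
        print(label, "->", classify(msg))
```

The first-class allow-list is the part that matters: a denylist only names chains already published, whereas a SocketServer that receives anything other than LoggingEvent as its first object is already being fed something it should never deserialize.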
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.
Publish Date: 2013-07-23
URL: CVE-2013-4002
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002
Release Date: 2013-07-23
Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0
Hello!
I am trying to install the connector on an AEM Cloud instance through a CM pipeline. I've added the proper dependencies to the codebase, but what is the URL to the repository that holds this dependency?
I would assume it would be at the link below, but it does not appear to be.
https://repo.maven.apache.org/maven2/com/brightcove/
Thanks.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.
Publish Date: 2009-08-06
URL: CVE-2009-2625
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2009-2625
Release Date: 2009-08-06
Fix Resolution: apache-xerces:xercesImpl - 2.9.1;xerces:xercesImpl - 2.3.0,2.9.1-NODEP,2.9.0;org.apache.servicemix.bundles:org.apache.servicemix.bundles.xerces - 2.10.0_1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.0.4/js/bootstrap.js
Path to vulnerable library: /Adobe-AEM-Brightcove-Connector/current/ui.apps/src/main/content/jcr_root/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js,/Adobe-AEM-Brightcove-Connector/current/ui.apps/target/classes/etc/designs/cs/brightcove/vendor/bootstrap/bootstrap-v2/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Affected versions of the package are vulnerable to Cross-site Scripting (XSS).
Publish Date: 2012-06-03
URL: WS-2017-0178
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#3421
Release Date: 2012-06-03
Fix Resolution: 2.1.0
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
Hi Team,
Could you please let me know where I can get the below Brightcove certificates? Without these certs I can see sync is not happening between AEM and Brightcove. I have tried to export the certs from the URL but it didn't work.
"https://players.api.brightcove.com/v2:::D:/cert/players_api.cer",
"https://cms.api.brightcove.com/v1:::D:/cert/cms_api.cer",
"https://ingest.api.brightcove.com/v1:::D:/cert/ingest_api.cer",
"https://oauth.brightcove.com/v4/access_token:::D:/cert/oath_brightcove.cer"
The Brightcove connector works when we configure the settings under /system/console/configMgr. However, we would like to check the config settings into our code release by adding them under the runmode for config.author. Is it possible to add it to a runmode in the bundle instead of manually configuring it under the Web Console Configuration? The Brightcove Connector does not pick up the config settings from this location.
i.e. ui.apps/src/main/content/jcr_root/apps/jhi-investments/config.author/ com.coresecure.brightcove.wrapper.sling.BrcServiceImpl.90abfe45-4b0c-41b0-b22b-b0ee9b79415f.config
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
Base Score Metrics:
Hi Team,
We have integrated Brightcove with AEM as a Cloud Service. We are seeing the issue in the Adobe scan report which has been attached to this request. Could you please check on this issue as soon as possible?
Our team uses a context path for AEM instances to distinguish our Author and Publisher instances, e.g. we access the author instance using the URL http://localhost:4502/author
Many AJAX calls (especially where servlet/API calls are made) are executed without appending the context path. There are a few occurrences where it is done properly, but not across all of them. As a result, the AJAX call happens with /bin/brightcove/api instead of /author/bin/brightcove/api and fails since it can't be accessed.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in base branch: master
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org/commons/collections/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.14/log4j-1.2.14.jar
Dependency Hierarchy:
Found in base branch: master
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
Base Score Metrics:
JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /current/ui.apps/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar
Dependency Hierarchy:
Found in HEAD commit: ae3813c54719492c0ce18119a1c887e85fe6bd10
Found in base branch: master
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
The current filter will overwrite any custom changes; can we use a specific filter for the /apps/cq path?
We are using https://github.com/brightcove/Adobe-AEM-Brightcove-Connector/releases/download/6.0.1-cloud/brightcove.all-6.0.1.zip
We've set up sub-folders in our Brightcove directory for multilingual videos (e.g. Spain, Germany, etc.). How can we modify the AEM Brightcove connector to sync metadata between Brightcove and AEM for these new sub-directories? Currently, database synchronization is only working in the folder named with the numeric Account ID from the Brightcove configuration. We're also using version 5.5.4 of the Brightcove connector.