dima2022 / easybuggy5 Goto Github PK
View Code? Open in Web Editor NEWLicense: Apache License 2.0
License: Apache License 2.0
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (mysql-connector-java version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2017-3523 | 8.5 | mysql-connector-java-5.1.25.jar | Direct | 5.1.41 | ✅ | |
CVE-2023-22102 | 8.3 | mysql-connector-java-5.1.25.jar | Direct | com.mysql:mysql-connector-j:8.2.0 | ✅ | |
CVE-2022-21363 | 6.6 | mysql-connector-java-5.1.25.jar | Direct | mysql:mysql-connector-java:8.0.28 | ✅ | |
CVE-2017-3586 | 6.4 | mysql-connector-java-5.1.25.jar | Direct | 5.1.42 | ✅ | |
CVE-2019-2692 | 6.3 | mysql-connector-java-5.1.25.jar | Direct | 5.1.48 | ✅ | |
CVE-2020-2934 | 5.0 | mysql-connector-java-5.1.25.jar | Direct | 5.1.49 | ✅ | |
CVE-2020-2875 | 4.7 | mysql-connector-java-5.1.25.jar | Direct | 5.1.49 | ✅ | |
CVE-2015-2575 | 4.2 | mysql-connector-java-5.1.25.jar | Direct | 5.1.35 | ✅ | |
CVE-2017-3589 | 3.3 | mysql-connector-java-5.1.25.jar | Direct | 5.1.42 | ✅ | |
CVE-2020-2933 | 2.2 | mysql-connector-java-5.1.25.jar | Direct | 5.1.49 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Publish Date: 2017-04-24
URL: CVE-2017-3523
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2xxh-f8r3-hvvr
Release Date: 2017-04-24
Fix Resolution: 5.1.41
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.1.0 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 8.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H).
Publish Date: 2023-10-17
URL: CVE-2023-22102
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2023-22102
Release Date: 2023-10-17
Fix Resolution: com.mysql:mysql-connector-j:8.2.0
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Publish Date: 2022-01-19
URL: CVE-2022-21363
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g76j-4cxx-23h9
Release Date: 2022-01-19
Fix Resolution: mysql:mysql-connector-java:8.0.28
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3586
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406
Release Date: 2017-04-24
Fix Resolution: 5.1.42
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Publish Date: 2019-04-23
URL: CVE-2019-2692
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jcq3-cprp-m333
Release Date: 2019-04-23
Fix Resolution: 5.1.48
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.oracle.com/security-alerts/cpuapr2020.html
Release Date: 2020-04-15
Fix Resolution: 5.1.49
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Publish Date: 2020-04-15
URL: CVE-2020-2875
Base Score Metrics:
Type: Upgrade version
Origin: mysql/mysql-connector-j@79a4336
Release Date: 2020-04-15
Fix Resolution: 5.1.49
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Publish Date: 2015-04-16
URL: CVE-2015-2575
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gc43-g62c-99g2
Release Date: 2015-04-16
Fix Resolution: 5.1.35
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3589
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
Release Date: 2017-04-24
Fix Resolution: 5.1.42
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2933
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
Release Date: 2020-04-15
Fix Resolution: 5.1.49
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (derby version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2022-46337 | 9.8 | derby-10.8.3.0.jar | Direct | org.apache.derby:derby:10.14.3,10.15.2.1,10.16.1.2,10.17.1.0 | ✅ | |
CVE-2015-1832 | 9.1 | derby-10.8.3.0.jar | Direct | 10.12.1.1 | ✅ | |
CVE-2018-1313 | 5.3 | derby-10.8.3.0.jar | Direct | 10.14.2.0 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
A cleverly devised username might bypass LDAP authentication checks. In
LDAP-authenticated Derby installations, this could let an attacker fill
up the disk by creating junk Derby databases. In LDAP-authenticated
Derby installations, this could also allow the attacker to execute
malware which was visible to and executable by the account which booted
the Derby server. In LDAP-protected databases which weren't also
protected by SQL GRANT/REVOKE authorization, this vulnerability could
also let an attacker view and corrupt sensitive data and run sensitive
database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0.
Alternatively, users who wish to remain on older Java versions should
build their own Derby distribution from one of the release families to
which the fix was backported: 10.16, 10.15, and 10.14. Those are the
releases which correspond, respectively, with Java LTS versions 17, 11,
and 8.
Publish Date: 2023-11-20
URL: CVE-2022-46337
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/DERBY-7147
Release Date: 2023-11-20
Fix Resolution: org.apache.derby:derby:10.14.3,10.15.2.1,10.16.1.2,10.17.1.0
⛑️ Automatic Remediation will be attempted for this issue.
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.
Publish Date: 2016-10-03
URL: CVE-2015-1832
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832
Release Date: 2016-10-03
Fix Resolution: 10.12.1.1
⛑️ Automatic Remediation will be attempted for this issue.
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.
Publish Date: 2018-05-07
URL: CVE-2018-1313
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1313
Release Date: 2018-05-05
Fix Resolution: 10.14.2.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (jstl version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2015-0254 | 7.3 | jstl-1.2.jar | Direct | org.apache.taglibs:taglibs-standard-impl:1.2.3 | ✅ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
Publish Date: 2015-03-09
URL: CVE-2015-0254
Base Score Metrics:
Type: Upgrade version
Origin: https://tomcat.apache.org/taglibs/standard/
Release Date: 2015-03-09
Fix Resolution: org.apache.taglibs:taglibs-standard-impl:1.2.3
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (slf4j-log4j12 version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2022-23305 | 9.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2019-17571 | 9.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2020-9493 | 9.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2022-23307 | 8.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2022-23302 | 8.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2021-4104 | 7.5 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2023-26464 | 7.5 | log4j-1.2.13.jar | Transitive | N/A* | ❌ | |
CVE-2020-9488 | 3.7 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
Base Score Metrics:
Type: Upgrade version
Origin: qos-ch/reload4j#21
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (bootstrap version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2019-8331 | 6.1 | bootstrap-3.3.7.min.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ | |
CVE-2018-20677 | 6.1 | bootstrap-3.3.7.min.js | Direct | Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0 | ❌ | |
CVE-2018-14042 | 6.1 | bootstrap-3.3.7.min.js | Direct | org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0 | ❌ | |
CVE-2018-20676 | 6.1 | bootstrap-3.3.7.min.js | Direct | bootstrap - 3.4.0 | ❌ | |
CVE-2016-10735 | 6.1 | bootstrap-3.3.7.min.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ | |
CVE-2018-14040 | 3.7 | bootstrap-3.3.7.min.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.7/js/bootstrap.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (esapi version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2022-23457 | 9.8 | esapi-2.1.0.1.jar | Direct | 2.3.0.0 | ✅ | |
CVE-2016-2510 | 8.1 | bsh-core-2.0b4.jar | Transitive | N/A* | ❌ | |
CVE-2023-24998 | 7.5 | commons-fileupload-1.3.1.jar | Transitive | 2.5.2.0 | ✅ | |
CVE-2022-29546 | 7.5 | nekohtml-1.9.16.jar | Transitive | N/A* | ❌ | |
CVE-2012-0881 | 7.5 | xercesImpl-2.8.0.jar | Transitive | 2.5.3.0 | ✅ | |
CVE-2016-3092 | 7.5 | commons-fileupload-1.3.1.jar | Transitive | 2.2.0.0 | ✅ | |
CVE-2022-34169 | 7.5 | xalan-2.7.0.jar | Transitive | N/A* | ❌ | |
CVE-2022-24839 | 7.5 | nekohtml-1.9.16.jar | Transitive | N/A* | ❌ | |
CVE-2022-28366 | 7.5 | nekohtml-1.9.16.jar | Transitive | N/A* | ❌ | |
WS-2023-0388 | 7.5 | esapi-2.1.0.1.jar | Direct | 2.5.2.0 | ✅ | |
WS-2014-0034 | 7.5 | commons-fileupload-1.3.1.jar | Transitive | 2.4.0.0 | ✅ | |
CVE-2019-10086 | 7.3 | commons-beanutils-core-1.8.3.jar | Transitive | N/A* | ❌ | |
CVE-2014-0114 | 7.3 | commons-beanutils-core-1.8.3.jar | Transitive | N/A* | ❌ | |
CVE-2014-0107 | 7.3 | xalan-2.7.0.jar | Transitive | 2.5.0.0 | ✅ | |
CVE-2016-1000031 | 7.3 | commons-fileupload-1.3.1.jar | Transitive | 2.2.0.0 | ✅ | |
CVE-2022-23437 | 6.5 | xercesImpl-2.8.0.jar | Transitive | N/A* | ❌ | |
CVE-2016-10006 | 6.1 | antisamy-1.5.3.jar | Transitive | 2.2.0.0 | ✅ | |
CVE-2024-23635 | 6.1 | antisamy-1.5.3.jar | Transitive | N/A* | ❌ | |
CVE-2022-24891 | 6.1 | esapi-2.1.0.1.jar | Direct | 2.3.0.0 | ✅ | |
CVE-2017-14735 | 6.1 | antisamy-1.5.3.jar | Transitive | 2.2.0.0 | ✅ | |
CVE-2023-43643 | 6.1 | antisamy-1.5.3.jar | Transitive | 2.5.3.0 | ✅ | |
CVE-2022-28367 | 6.1 | antisamy-1.5.3.jar | Transitive | 2.3.0.0 | ✅ | |
CVE-2022-29577 | 6.1 | antisamy-1.5.3.jar | Transitive | 2.3.0.0 | ✅ | |
CVE-2021-35043 | 6.1 | antisamy-1.5.3.jar | Transitive | 2.3.0.0 | ✅ | |
WS-2023-0429 | 6.1 | esapi-2.1.0.1.jar | Direct | org.owasp.esapi:esapi - 2.0_rc9 | ✅ | |
CVE-2013-4002 | 5.9 | xercesImpl-2.8.0.jar | Transitive | 2.5.3.0 | ✅ | |
CVE-2009-2625 | 5.3 | xercesImpl-2.8.0.jar | Transitive | 2.5.3.0 | ✅ | |
CVE-2020-14338 | 5.3 | xercesImpl-2.8.0.jar | Transitive | 2.5.3.0 | ✅ | |
CVE-2012-5783 | 4.8 | commons-httpclient-3.1.jar | Transitive | 2.2.0.0 | ✅ | |
CVE-2021-29425 | 4.8 | commons-io-2.2.jar | Transitive | 2.5.3.0 | ✅ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Partial details (24 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of Validator.getValidDirectoryPath(String, String, File, boolean)
may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.
Publish Date: 2022-04-25
URL: CVE-2022-23457
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8m5h-hrqm-pxm2
Release Date: 2022-04-25
Fix Resolution: 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
BeanShell core
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.
Publish Date: 2016-04-07
URL: CVE-2016-2510
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2510
Release Date: 2016-04-07
Fix Resolution: 2.0b6
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.
Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
Base Score Metrics:
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution (commons-fileupload:commons-fileupload): 1.5
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.2.0
⛑️ Automatic Remediation will be attempted for this issue.
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.
Publish Date: 2022-04-25
URL: CVE-2022-29546
Base Score Metrics:
Type: Upgrade version
Origin: HtmlUnit/htmlunit-neko#16
Release Date: 2022-04-25
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution (xerces:xercesImpl): 2.12.0
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
⛑️ Automatic Remediation will be attempted for this issue.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.
Publish Date: 2022-07-19
URL: CVE-2022-34169
Base Score Metrics:
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
org.cyberneko.html is an html parser written in Java. The fork of org.cyberneko.html
used by Nokogiri (Rubygem) raises a java.lang.OutOfMemoryError
exception when parsing ill-formed HTML markup. Users are advised to upgrade to >= 1.9.22.noko2
. Note: The upstream library org.cyberneko.html
is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.
Publish Date: 2022-04-11
URL: CVE-2022-24839
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9849-p7jc-9rmv
Release Date: 2022-04-11
Fix Resolution: net.sourceforge.nekohtml:nekohtml:1.9.22.noko2
An HTML parser and tag balancer.
Library home page: http://nekohtml.sourceforge.net/
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.
Publish Date: 2022-04-21
URL: CVE-2022-28366
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g9hh-vvx3-v37v
Release Date: 2022-04-21
Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.27
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
ESAPI 2.5.2.0 and later addressed the DoS vulnerability described in CVE-2023-24998, which Apache Commons FileUpload 1.5 attempted to remediate. But while writing up a new security bulletin regarding the impact on the affected ESAPI HTTPUtilities.getFileUploads methods (or more specifically those methods in the DefaultHTTPUtilities implementation class), I realized that a DoS vulnerability still persists in ESAPI and for that matter in Apache Commons FileUpload as well.
Publish Date: 2023-10-28
URL: WS-2023-0388
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7c2q-5qmr-v76q
Release Date: 2023-10-28
Fix Resolution: 2.5.2.0
⛑️ Automatic Remediation will be attempted for this issue.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
Base Score Metrics:
Type: Upgrade version
Origin: apache/commons-fileupload@5b4881d
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.4
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.4.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Base Score Metrics:
Type: Upgrade version
Origin: victims/victims-cve-db@16a669c
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Publish Date: 2014-04-15
URL: CVE-2014-0107
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107
Release Date: 2014-04-15
Fix Resolution (xalan:xalan): 2.7.2
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation will be attempted for this issue.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://xerces.apache.org/xerces2-j
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.
Publish Date: 2022-01-24
URL: CVE-2022-23437
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h65f-jvqw-m9fj
Release Date: 2022-01-24
Fix Resolution: xerces:xercesImpl:2.12.2
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.
Publish Date: 2016-12-24
URL: CVE-2016-10006
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10006
Release Date: 2016-12-24
Fix Resolution (org.owasp.antisamy:antisamy): 1.5.5
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to 1.7.5, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments
directive must be enabled in your policy file. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. Patched in AntiSamy 1.7.5 and later.
Publish Date: 2024-02-02
URL: CVE-2024-23635
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2mrq-w8pv-5pvq
Release Date: 2024-02-02
Fix Resolution: org.owasp.antisamy:antisamy:1.7.5
The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP web site. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for "onsiteURL" in the antisamy-esapi.xml configuration file that can cause "javascript:" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the antisamy-esapi.xml configuration files to change the "onsiteURL" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.
Publish Date: 2022-04-27
URL: CVE-2022-24891
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q77q-vx4q-xx6q
Release Date: 2022-04-27
Fix Resolution: 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.
Publish Date: 2017-09-25
URL: CVE-2017-14735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-14735
Release Date: 2017-09-25
Fix Resolution (org.owasp.antisamy:antisamy): 1.5.7
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.2.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
AntiSamy is a library for performing fast, configurable cleansing of HTML coming from untrusted sources. Prior to version 1.7.4, there is a potential for a mutation XSS (mXSS) vulnerability in AntiSamy caused by flawed parsing of the HTML being sanitized. To be subject to this vulnerability the preserveComments
directive must be enabled in your policy file and also allow for certain tags at the same time. As a result, certain crafty inputs can result in elements in comment tags being interpreted as executable when using AntiSamy's sanitized output. This issue has been patched in AntiSamy 1.7.4 and later.
Publish Date: 2023-10-09
URL: CVE-2023-43643
Base Score Metrics:
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-43643
Release Date: 2023-10-09
Fix Resolution (org.owasp.antisamy:antisamy): 1.7.4
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.5.3.0
⛑️ Automatic Remediation will be attempted for this issue.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.
Publish Date: 2022-04-21
URL: CVE-2022-28367
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-28367
Release Date: 2022-04-21
Fix Resolution (org.owasp.antisamy:antisamy): 1.6.6
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.
Publish Date: 2022-04-21
URL: CVE-2022-29577
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29577
Release Date: 2022-04-21
Fix Resolution (org.owasp.antisamy:antisamy): 1.6.7
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
The OWASP AntiSamy project is a collection of APIs for safely allowing users to supply their own HTML and CSS without exposing the site to XSS vulnerabilities.
Library home page: http://www.owasp.org/index.php/Category:OWASP_AntiSamy_Project
Path to dependency file: /pom.xml
Path to vulnerable library: /pom.xml
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.
Publish Date: 2021-07-19
URL: CVE-2021-35043
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-35043
Release Date: 2021-07-19
Fix Resolution (org.owasp.antisamy:antisamy): 1.6.4
Direct dependency fix Resolution (org.owasp.esapi:esapi): 2.3.0.0
⛑️ Automatic Remediation will be attempted for this issue.
⛑️Automatic Remediation will be attempted for this issue.
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
CVE | Severity | Dependency | Type | Fixed in (jquery version) | Remediation Possible** | |
---|---|---|---|---|---|---|
CVE-2020-11023 | 6.1 | jquery-3.1.1.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ | |
CVE-2020-11022 | 6.1 | jquery-3.1.1.min.js | Direct | jQuery - 3.5.0 | ❌ | |
CVE-2019-11358 | 6.1 | jquery-3.1.1.min.js | Direct | jquery - 3.4.0 | ❌ | |
CVE-2020-23064 | 6.1 | jquery-3.1.1.min.js | Direct | jquery - 3.5.0 | ❌ |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.1.1/jquery.min.js
Path to dependency file: /src/main/webapp/dfi/style_bootstrap.html
Path to vulnerable library: /src/main/webapp/dfi/style_bootstrap.html
Dependency Hierarchy:
Found in HEAD commit: a0ae067520693a8f1614014d3176687296d4aa6a
Found in base branch: master
Cross Site Scripting vulnerability in jQuery 2.2.0 through 3.x before 3.5.0 allows a remote attacker to execute arbitrary code via the element.
Publish Date: 2023-06-26
URL: CVE-2020-23064
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2023-06-26
Fix Resolution: jquery - 3.5.0
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.