hammondjm / ksa Goto Github PK
View Code? Open in Web Editor NEWThis project forked from xsocket/ksa
杭州凯思爱物流管理系统
License: Apache License 2.0
ksa's People
Contributors
![mend-for-github-com[bot] avatar](https://avatars.githubusercontent.com/in/30796?v=4 "mend-for-github-com[bot]")
Stargazers
ksa's Issues
CVE-2019-8331 (Medium) detected in bootstrap-2.1.0.js
CVE-2019-8331 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.1.0.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-2.1.0.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
WS-2015-0033 (High) detected in uglify-js-1.2.6.tgz
WS-2015-0033 - High Severity Vulnerability
Vulnerable Library - uglify-js-1.2.6.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
❌ uglify-js-1.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
uglifier incorrectly handles non-boolean comparisons during minification.The upstream library for the Ruby uglifier gem, UglifyJS, is affected by a vulnerability that allows a specially crafted Javascript file to have altered functionality after minification. This bug, found in UglifyJS versions 2.4.23 and earlier, was demonstrated to allow potentially malicious code to be hidden within secure code, and activated by the minification process.
Publish Date: 2015-07-22
URL: WS-2015-0033
CVSS 3 Score Details (7.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://hakiri.io/technologies/uglifier/issues/279911d9720338
Release Date: 2020-06-07
Fix Resolution: Uglifier - 2.7.2;uglify-js - v2.4.24
CVE-2014-0114 (High) detected in commons-beanutils-1.8.3.jar
CVE-2014-0114 - High Severity Vulnerability
Vulnerable Library - commons-beanutils-1.8.3.jar
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: ksa/ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
❌ commons-beanutils-1.8.3.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
WS-2015-0024 (High) detected in uglify-js-1.2.6.tgz
WS-2015-0024 - High Severity Vulnerability
Vulnerable Library - uglify-js-1.2.6.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: /ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
❌ uglify-js-1.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Vulnerability Details
UglifyJS versions 2.4.23 and earlier are affected by a vulnerability which allows a specially crafted Javascript file to have altered functionality after minification.
Publish Date: 2015-08-24
URL: WS-2015-0024
CVSS 2 Score Details (8.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: mishoo/UglifyJS@905b601
Release Date: 2017-01-31
Fix Resolution: v2.4.24
- Check this box to open an automated fix PR
CVE-2012-0213 (Medium) detected in poi-3.8.jar
CVE-2012-0213 - Medium Severity Vulnerability
Vulnerable Library - poi-3.8.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
❌ poi-3.8.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Vulnerability Details
The UnhandledDataStructure function in hwpf/model/UnhandledDataStructure.java in Apache POI 3.8 and earlier allows remote attackers to cause a denial of service (OutOfMemoryError exception and possibly JVM destabilization) via a crafted length value in a Channel Definition Format (CDF) or Compound File Binary Format (CFBF) document.
Publish Date: 2012-08-07
URL: CVE-2012-0213
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0213
Release Date: 2012-08-07
Fix Resolution: org.apache.poi:poi-scratchpad:3.9,org.apache.poi:poi:3.9
- Check this box to open an automated fix PR
WS-2014-0034 (High) detected in commons-fileupload-1.2.2.jar
WS-2014-0034 - High Severity Vulnerability
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: apache/commons-fileupload@5b4881d
Release Date: 2019-09-26
Fix Resolution: 1.4
CVE-2014-0050 (High) detected in commons-fileupload-1.2.2.jar
CVE-2014-0050 - High Severity Vulnerability
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-04-01
Fix Resolution: 1.3.2
WS-2014-0005 (High) detected in qs-0.4.2.tgz
WS-2014-0005 - High Severity Vulnerability
Vulnerable Library - qs-0.4.2.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/qs/package.json
Dependency Hierarchy:
- connect-2.1.3.tgz (Root Library)
❌ qs-0.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
Publish Date: 2014-07-31
URL: WS-2014-0005
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
CVE-2018-20676 (Medium) detected in bootstrap-2.1.0.js
CVE-2018-20676 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.1.0.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-2.1.0.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
WS-2016-7061 (Medium) detected in poi-3.8.jar
WS-2016-7061 - Medium Severity Vulnerability
Vulnerable Library - poi-3.8.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,canner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
❌ poi-3.8.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache POI before 3.16-beta1 is vulnerable to bufferoverflow attack due to lack of length sanity check for length of embedded OLE10Native.
Publish Date: 2016-10-14
URL: WS-2016-7061
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: apache/poi@7f9f8e9
Release Date: 2019-09-26
Fix Resolution: 3.16-beta1
CVE-2020-7656 (Medium) detected in jquery-1.7.2.min.js
CVE-2020-7656 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
❌ jquery-1.7.2.min.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: rails/jquery-rails@8f601cb
Release Date: 2020-05-19
Fix Resolution: jquery-rails - 2.2.0
CVE-2015-9251 (Medium) detected in jquery-1.7.2.min.js
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
❌ jquery-1.7.2.min.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
WS-2013-0004 (Medium) detected in connect-2.1.3.tgz
WS-2013-0004 - Medium Severity Vulnerability
Vulnerable Library - connect-2.1.3.tgz
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
❌ connect-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The "methodOverride" let the http post to override the method of the request with the value of the post key or with the header, which allows XSS attack.
Publish Date: 2013-06-27
URL: WS-2013-0004
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
CVE-2013-7370 (Medium) detected in connect-2.1.3.tgz
CVE-2013-7370 - Medium Severity Vulnerability
Vulnerable Library - connect-2.1.3.tgz
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
❌ connect-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
node-connect before 2.8.1 has XSS in the Sencha Labs Connect middleware
Publish Date: 2019-12-11
URL: CVE-2013-7370
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7370
Release Date: 2013-07-01
Fix Resolution: 2.8.2
CVE-2018-1199 (Medium) detected in spring-core-3.1.1.RELEASE.jar
CVE-2018-1199 - Medium Severity Vulnerability
Vulnerable Library - spring-core-3.1.1.RELEASE.jar
Spring Framework Parent
Path to dependency file: ksa/ksa-debug/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,canner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
- mybatis-spring-1.1.1.jar (Root Library)
- ❌ spring-core-3.1.1.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-03-16
URL: CVE-2018-1199
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1199
Release Date: 2018-03-16
Fix Resolution: org.springframework.security:spring-security-web:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework.security:spring-security-config:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,org.springframework:spring-core:4.1.5.RELEASE,4.2.4.RELEASE,5.0.1.RELEASE,5.0.3.RELEASE,4.3.14.RELEASE
CVE-2016-10735 (Medium) detected in bootstrap-2.1.0.js
CVE-2016-10735 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.1.0.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-2.1.0.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Publish Date: 2019-01-09
URL: CVE-2016-10735
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#20184
Release Date: 2019-01-09
Fix Resolution: 3.4.0
CVE-2014-7191 (Medium) detected in qs-0.4.2.tgz
CVE-2014-7191 - Medium Severity Vulnerability
Vulnerable Library - qs-0.4.2.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/qs/package.json
Dependency Hierarchy:
- connect-2.1.3.tgz (Root Library)
❌ qs-0.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-7191
Release Date: 2014-10-19
Fix Resolution: 1.0.0
WS-2013-0003 (Medium) detected in connect-2.1.3.tgz
WS-2013-0003 - Medium Severity Vulnerability
Vulnerable Library - connect-2.1.3.tgz
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
❌ connect-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
senchalabs/connect prior to 2.8.1 is vulnerable to xss attack
Publish Date: 2013-06-27
URL: WS-2013-0003
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-07-01
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
WS-2017-0330 (Medium) detected in mime-1.2.4.tgz
WS-2017-0330 - Medium Severity Vulnerability
Vulnerable Library - mime-1.2.4.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.4.tgz
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/mime/package.json
Dependency Hierarchy:
- connect-2.1.3.tgz (Root Library)
❌ mime-1.2.4.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Vulnerability Details
Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.
Publish Date: 2017-09-27
URL: WS-2017-0330
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: broofa/mime@1df903f
Release Date: 2019-04-03
Fix Resolution: 1.4.1,2.0.3
CVE-2015-8857 (High) detected in uglify-js-1.2.6.tgz
CVE-2015-8857 - High Severity Vulnerability
Vulnerable Library - uglify-js-1.2.6.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
❌ uglify-js-1.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The uglify-js package before 2.4.24 for Node.js does not properly account for non-boolean values when rewriting boolean expressions, which might allow attackers to bypass security mechanisms or possibly have unspecified other impact by leveraging improperly rewritten Javascript.
Publish Date: 2017-01-23
URL: CVE-2015-8857
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.4.24
CVE-2017-3589 (Low) detected in mysql-connector-java-5.1.18.jar
CVE-2017-3589 - Low Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3589
CVSS 3 Score Details (3.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
Release Date: 2017-04-24
Fix Resolution: 5.1.42
CVE-2019-2692 (Medium) detected in mysql-connector-java-5.1.18.jar
CVE-2019-2692 - Medium Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Publish Date: 2019-04-23
URL: CVE-2019-2692
CVSS 3 Score Details (6.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: High
- Privileges Required: High
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-jcq3-cprp-m333
Release Date: 2019-04-23
Fix Resolution: mysql:mysql-connector-java:8.0.16
CVE-2018-3717 (Medium) detected in connect-2.1.3.tgz
CVE-2018-3717 - Medium Severity Vulnerability
Vulnerable Library - connect-2.1.3.tgz
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
❌ connect-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
connect node module before 2.14.0 suffers from a Cross-Site Scripting (XSS) vulnerability due to a lack of validation of file in directory.js middleware.
Publish Date: 2018-06-07
URL: CVE-2018-3717
CVSS 3 Score Details (5.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-3717
Release Date: 2018-06-07
Fix Resolution: 2.14.0
CVE-2020-2933 (Low) detected in mysql-connector-java-5.1.18.jar
CVE-2020-2933 - Low Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2933
CVSS 3 Score Details (2.2)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49
CVE-2013-2186 (High) detected in commons-fileupload-1.2.2.jar
CVE-2013-2186 - High Severity Vulnerability
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2186
Release Date: 2019-04-08
Fix Resolution: 1.3.1
CVE-2018-14042 (Medium) detected in bootstrap-2.1.0.js
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.1.0.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-2.1.0.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2017-12626 (High) detected in poi-3.8.jar
CVE-2017-12626 - High Severity Vulnerability
Vulnerable Library - poi-3.8.jar
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,canner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
❌ poi-3.8.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Publish Date: 2018-01-29
URL: CVE-2017-12626
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Release Date: 2018-01-29
Fix Resolution: org.apache.poi:poi-scratchpad:3.17,org.apache.poi:poi:3.17
CVE-2019-10086 (High) detected in commons-beanutils-1.8.3.jar
CVE-2019-10086 - High Severity Vulnerability
Vulnerable Library - commons-beanutils-1.8.3.jar
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: ksa/ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
❌ commons-beanutils-1.8.3.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: victims/victims-cve-db@16a669c
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
CVE-2013-7371 (Medium) detected in connect-2.1.3.tgz
CVE-2013-7371 - Medium Severity Vulnerability
Vulnerable Library - connect-2.1.3.tgz
High performance middleware framework
Library home page: https://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Dependency Hierarchy:
❌ connect-2.1.3.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
node-connects before 2.8.2 has cross site scripting in Sencha Labs Connect middleware (vulnerability due to incomplete fix for CVE-2013-7370)
Publish Date: 2019-12-11
URL: CVE-2013-7371
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7371
Release Date: 2014-04-21
Fix Resolution: 2.8.2
WS-2015-0017 (Medium) detected in uglify-js-1.2.6.tgz
WS-2015-0017 - Medium Severity Vulnerability
Vulnerable Library - uglify-js-1.2.6.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: /tmp/ws-scm/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: /ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
- ❌ uglify-js-1.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Vulnerability Details
Uglify-js is vulnerable to regular expression denial of service (ReDoS) when certain types of input is passed into .parse().
Publish Date: 2015-10-24
URL: WS-2015-0017
CVSS 2 Score Details (5.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/48
Release Date: 2015-10-24
Fix Resolution: Update to version 2.6.0 or later
CVE-2020-11023 (Medium) detected in jquery-1.7.2.min.js
CVE-2020-11023 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
- ❌ jquery-1.7.2.min.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0
WS-2016-0090 (Medium) detected in jquery-1.7.2.min.js
WS-2016-0090 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
❌ jquery-1.7.2.min.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Vulnerability Details
JQuery, before 2.2.0, is vulnerable to Cross-site Scripting (XSS) attacks via text/javascript response with arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
CVE-2016-1000031 (High) detected in commons-fileupload-1.2.2.jar
CVE-2016-1000031 - High Severity Vulnerability
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution: 1.3.3
CVE-2014-10064 (High) detected in qs-0.4.2.tgz
CVE-2014-10064 - High Severity Vulnerability
Vulnerable Library - qs-0.4.2.tgz
querystring parser
Library home page: https://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/qs/package.json
Dependency Hierarchy:
- connect-2.1.3.tgz (Root Library)
❌ qs-0.4.2.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The qs module before 1.0.0 does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time. An attacker could leverage this to cause a temporary denial-of-service condition, for example, in a web application, other requests would not be processed while this blocking is occurring.
Publish Date: 2018-05-31
URL: CVE-2014-10064
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/28
Release Date: 2014-08-06
Fix Resolution: Update to version 1.0.0 or later
CVE-2017-3523 (High) detected in mysql-connector-java-5.1.18.jar
CVE-2017-3523 - High Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Publish Date: 2017-04-24
URL: CVE-2017-3523
CVSS 3 Score Details (8.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://www.oracle.com/technetwork/security-advisory/cpuapr2017-3236618.html
Release Date: 2017-04-24
Fix Resolution: 5.1.41
CVE-2017-3586 (Medium) detected in mysql-connector-java-5.1.18.jar
CVE-2017-3586 - Medium Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3586
CVSS 3 Score Details (6.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406
Release Date: 2017-04-24
Fix Resolution: 5.1.42
CVE-2016-3092 (High) detected in commons-fileupload-1.2.2.jar
CVE-2016-3092 - High Severity Vulnerability
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2
WS-2019-0379 (Medium) detected in commons-codec-1.5.jar
WS-2019-0379 - Medium Severity Vulnerability
Vulnerable Library - commons-codec-1.5.jar
The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: ksa/ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar
Dependency Hierarchy:
❌ commons-codec-1.5.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
CVE-2020-2875 (Medium) detected in mysql-connector-java-5.1.18.jar
CVE-2020-2875 - Medium Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Publish Date: 2020-04-15
URL: CVE-2020-2875
CVSS 3 Score Details (4.7)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: mysql/mysql-connector-j@79a4336
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.15
CVE-2012-6708 (Medium) detected in jquery-1.7.2.min.js
CVE-2012-6708 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
❌ jquery-1.7.2.min.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
CVE-2014-3578 (Medium) detected in spring-core-3.1.1.RELEASE.jar
CVE-2014-3578 - Medium Severity Vulnerability
Vulnerable Library - spring-core-3.1.1.RELEASE.jar
Spring Framework Parent
Path to dependency file: ksa/ksa-debug/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,canner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
- mybatis-spring-1.1.1.jar (Root Library)
❌ spring-core-3.1.1.RELEASE.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
Publish Date: 2015-02-19
URL: CVE-2014-3578
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578
Release Date: 2015-02-19
Fix Resolution: 3.2.9,4.0.5
CVE-2013-0248 (Low) detected in commons-fileupload-1.2.2.jar
CVE-2013-0248 - Low Severity Vulnerability
Vulnerable Library - commons-fileupload-1.2.2.jar
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: ksa/ksa-web-root/ksa-bd-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
- struts2-core-2.3.31.jar (Root Library)
❌ commons-fileupload-1.2.2.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
CVSS 2 Score Details (3.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution: 1.3
CVE-2020-11022 (Medium) detected in jquery-1.7.2.min.js
CVE-2020-11022 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.7.2.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js,ksa/ksa-web-root/ksa-web/target/ROOT/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
❌ jquery-1.7.2.min.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
CVE-2015-8858 (High) detected in uglify-js-1.2.6.tgz
CVE-2015-8858 - High Severity Vulnerability
Vulnerable Library - uglify-js-1.2.6.tgz
JavaScript parser and compressor/beautifier toolkit
Library home page: https://registry.npmjs.org/uglify-js/-/uglify-js-1.2.6.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/uglify-js/package.json
Dependency Hierarchy:
❌ uglify-js-1.2.6.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The uglify-js package before 2.6.0 for Node.js allows attackers to cause a denial of service (CPU consumption) via crafted input in a parse call, aka a "regular expression denial of service (ReDoS)."
Publish Date: 2017-01-23
URL: CVE-2015-8858
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-8858
Release Date: 2018-12-15
Fix Resolution: v2.6.0
CVE-2017-16138 (High) detected in mime-1.2.4.tgz
CVE-2017-16138 - High Severity Vulnerability
Vulnerable Library - mime-1.2.4.tgz
A comprehensive library for mime-type mapping
Library home page: https://registry.npmjs.org/mime/-/mime-1.2.4.tgz
Path to dependency file: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/package.json
Path to vulnerable library: ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/mime/package.json
Dependency Hierarchy:
- connect-2.1.3.tgz (Root Library)
❌ mime-1.2.4.tgz (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
The mime module < 1.4.1, 2.0.1, 2.0.2 is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-16138
Release Date: 2018-06-07
Fix Resolution: 1.4.1,2.0.3
CVE-2020-2934 (Medium) detected in mysql-connector-java-5.1.18.jar
CVE-2020-2934 - Medium Severity Vulnerability
Vulnerable Library - mysql-connector-java-5.1.18.jar
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: ksa/ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,canner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
❌ mysql-connector-java-5.1.18.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2934
CVSS 3 Score Details (5.0)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: Low
Suggested Fix
Type: Upgrade version
Origin: https://www.oracle.com/security-alerts/cpuapr2020.html
Release Date: 2020-04-15
Fix Resolution: mysql:mysql-connector-java:5.1.49,8.0.20
CVE-2014-0074 (High) detected in shiro-core-1.2.0.jar
CVE-2014-0074 - High Severity Vulnerability
Vulnerable Library - shiro-core-1.2.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,canner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Dependency Hierarchy:
- shiro-web-1.2.0.jar (Root Library)
❌ shiro-core-1.2.0.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
Publish Date: 2014-10-06
URL: CVE-2014-0074
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0074
Release Date: 2014-10-06
Fix Resolution: 1.2.3
CVE-2018-14040 (Medium) detected in bootstrap-2.1.0.js
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-2.1.0.js
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-2.1.0.js (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: twbs/bootstrap#26630
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2016-4437 (High) detected in shiro-core-1.2.0.jar
CVE-2016-4437 - High Severity Vulnerability
Vulnerable Library - shiro-core-1.2.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,canner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Dependency Hierarchy:
- shiro-web-1.2.0.jar (Root Library)
- ❌ shiro-core-1.2.0.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Publish Date: 2016-06-07
URL: CVE-2016-4437
CVSS 3 Score Details (8.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437
Release Date: 2016-06-07
Fix Resolution: org.apache.shiro:shiro-all:1.2.5,org.apache.shiro:shiro-core:1.2.5
CVE-2020-13933 (High) detected in shiro-core-1.2.0.jar
CVE-2020-13933 - High Severity Vulnerability
Vulnerable Library - shiro-core-1.2.0.jar
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: ksa/ksa-web-root/ksa-statistics-web/pom.xml
Path to vulnerable library: ksa/ksa-web-root/ksa-web/target/ROOT/WEB-INF/lib/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,canner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Dependency Hierarchy:
- shiro-web-1.2.0.jar (Root Library)
❌ shiro-core-1.2.0.jar (Vulnerable Library)
Found in HEAD commit: 5a3799544bbdfbed38c2c8191a9866ba18bc9768
Found in base branch: master
Vulnerability Details
Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-08-17
URL: CVE-2020-13933
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Change files
Origin: apache/shiro@7935aa8
Release Date: 2020-05-04
Fix Resolution: Replace or update the following file: SecurityUtils.java
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.