Code Monkey home page Code Monkey logo

carbon-mediation's People

Contributors

a5anka avatar bsenduran avatar buddhima avatar chanakaudaya avatar chanikag avatar djkevincr avatar erandacr avatar isudana avatar isururanawaka avatar iuj avatar kabanawso2 avatar madhawa-gunasekara avatar maheeka avatar malakaganga avatar malakasilva avatar manoramahp avatar nadeeshaan avatar nirothipan avatar nwnpallewela avatar prabathariyaratna avatar prabushi avatar ravindraranwala avatar raviu avatar sandamal avatar sdkottegoda avatar shakila avatar vanjikumaran avatar vijithaekanayake avatar virajsenevirathne avatar wso2-jenkins-bot avatar

Watchers

avatar

carbon-mediation's Issues

CVE-2019-0232 (High) detected in tomcat-catalina-7.0.93.jar

CVE-2019-0232 - High Severity Vulnerability

Vulnerable Library - tomcat-catalina-7.0.93.jar

Tomcat Servlet Engine Core Classes and Standard implementations

Library home page: https://tomcat.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.script.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar

Dependency Hierarchy:

  • org.wso2.carbon.ui-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.core-4.5.0-m1.jar
      • tomcat-catalina-ha-7.0.93.jar
        • tomcat-catalina-7.0.93.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

When running on Windows with enableCmdLineArguments enabled, the CGI Servlet in Apache Tomcat 9.0.0.M1 to 9.0.17, 8.5.0 to 8.5.39 and 7.0.0 to 7.0.93 is vulnerable to Remote Code Execution due to a bug in the way the JRE passes command line arguments to Windows. The CGI Servlet is disabled by default. The CGI option enableCmdLineArguments is disable by default in Tomcat 9.0.x (and will be disabled by default in all versions in response to this vulnerability). For a detailed explanation of the JRE behaviour, see Markus Wulftange's blog (https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html) and this archived MSDN blog (https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/).

Publish Date: 2019-04-15

URL: CVE-2019-0232

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0232

Release Date: 2019-04-15

Fix Resolution: 9.0.18,8.5.40,7.0.94

CVE-2018-12022 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-12022 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12022

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

CVE-2013-6440 (Medium) detected in xmltooling-1.4.4.jar

CVE-2013-6440 - Medium Severity Vulnerability

Vulnerable Library - xmltooling-1.4.4.jar

XMLTooling-J is a low-level library that may be used to construct libraries that allow developers to work with XML in a Java beans manner.

Library home page: http://opensaml.org/

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.proxyadmin.common/pom.xml

Path to vulnerable library: /root/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar,/root/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar,/root/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar,/root/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar,/root/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar,/root/.m2/repository/org/opensaml/xmltooling/1.4.4/xmltooling-1.4.4.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar
        • openws-1.5.4.jar
          • xmltooling-1.4.4.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The (1) BasicParserPool, (2) StaticBasicParserPool, (3) XML Decrypter, and (4) SAML Decrypter in Shibboleth OpenSAML-Java before 2.6.1 set the expandEntityReferences property to true, which allows remote attackers to conduct XML external entity (XXE) attacks via a crafted XML DOCTYPE declaration.

Publish Date: 2014-02-14

URL: CVE-2013-6440

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6440

Release Date: 2019-02-11

Fix Resolution: 2.6.1

CVE-2019-12814 (Medium) detected in jackson-databind-2.7.9.1.jar

CVE-2019-12814 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.

Publish Date: 2019-06-19

URL: CVE-2019-12814

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@5f7c69b

Release Date: 2019-06-14

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

CVE-2017-15708 (High) detected in commons-collections-3.2.1.jar

CVE-2017-15708 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.bean.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

  • commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Publish Date: 2017-12-11

URL: CVE-2017-15708

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708

Release Date: 2017-12-11

Fix Resolution: Apache Synapse - 3.0.1;Apache Commons Collections - 3.2.2

CVE-2018-14721 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-14721 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution: 2.9.7

CVE-2018-11307 (Medium) detected in jackson-databind-2.7.9.1.jar

CVE-2018-11307 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

jackson-databind has a Potential information exfiltration with default typing. versions 2.7.9.x < 2.7.9.4, 2.8.x < 2.8.11.2, 2.9.x < 2.9.6

Publish Date: 2018-12-13

URL: CVE-2018-11307

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: FasterXML/jackson-databind#2032

Release Date: 2019-03-17

Fix Resolution: jackson-databind-2.9.6

CVE-2012-0881 (High) detected in xercesImpl-2.8.1.jar

CVE-2012-0881 - High Severity Vulnerability

Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /carbon-mediation/components/org.wso2.carbon.integrator.core/pom.xml

Path to vulnerable library: /root/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar,/root/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.webapp.mgt-4.9.0.jar (Root Library)
    • org.wso2.carbon.identity.sso.agent-5.2.0.jar
      • openid4java-1.0.0.jar
        • xercesImpl-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/XERCESJ-1685

Release Date: 2017-10-30

Fix Resolution: 2.12.0

CVE-2019-12086 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2019-12086 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9

CVE-2018-19361 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-19361 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution: 2.9.8

CVE-2016-10750 (High) detected in hazelcast-all-3.5.4.jar

CVE-2016-10750 - High Severity Vulnerability

Vulnerable Library - hazelcast-all-3.5.4.jar

Hazelcast In-Memory DataGrid

Library home page: http://www.hazelcast.com/hazelcast-all/

Path to dependency file: /carbon-mediation/components/mediators/cache/org.wso2.carbon.mediator.cache/pom.xml

Path to vulnerable library: /root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar,/root/.m2/repository/com/hazelcast/hazelcast-all/3.5.4/hazelcast-all-3.5.4.jar

Dependency Hierarchy:

  • org.wso2.carbon.ui-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.core-4.5.0-m1.jar
      • hazelcast-3.5.4.wso2v2.jar
        • hazelcast-all-3.5.4.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

In Hazelcast before 3.11, the cluster join procedure is vulnerable to remote code execution via Java deserialization. If an attacker can reach a listening Hazelcast instance with a crafted JoinRequest, and vulnerable classes exist in the classpath, the attacker can run arbitrary code.

Publish Date: 2019-05-22

URL: CVE-2016-10750

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: hazelcast/hazelcast#8024

Release Date: 2019-05-22

Fix Resolution: v3.11

CVE-2015-6420 (High) detected in commons-collections-3.2.1.jar

CVE-2015-6420 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.bean.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

  • commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2015-12-15

URL: CVE-2015-6420

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6420

Release Date: 2019-04-08

Fix Resolution: 3.2.2,4.1

CVE-2016-0762 (Medium) detected in tomcat-catalina-7.0.93.jar

CVE-2016-0762 - Medium Severity Vulnerability

Vulnerable Library - tomcat-catalina-7.0.93.jar

Tomcat Servlet Engine Core Classes and Standard implementations

Library home page: https://tomcat.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.script.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar,/root/.m2/repository/org/apache/tomcat/tomcat-catalina/7.0.93/tomcat-catalina-7.0.93.jar

Dependency Hierarchy:

  • org.wso2.carbon.ui-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.core-4.5.0-m1.jar
      • tomcat-catalina-ha-7.0.93.jar
        • tomcat-catalina-7.0.93.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.

Publish Date: 2017-08-10

URL: CVE-2016-0762

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/1872f96bad43647832bdd84a408794cd06d9cbb557af63085ca10009@%3Cannounce.tomcat.apache.org%3E

Release Date: 2017-08-10

Fix Resolution: 9.0.0.M10, 8.0.37,8.5.5, 7.0.72, 6.0.46

CVE-2014-9527 (Medium) detected in poi-scratchpad-3.9.jar

CVE-2014-9527 - Medium Severity Vulnerability

Vulnerable Library - poi-scratchpad-3.9.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.proxyadmin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.message.processor-4.7.4-SNAPSHOT.jar (Root Library)
    • org.wso2.carbon.service.mgt-4.9.0.jar
      • org.wso2.carbon.user.mgt-5.13.0.jar
        • poi-scratchpad-3.9.0.wso2v1.jar
          • poi-scratchpad-3.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.

Publish Date: 2015-01-06

URL: CVE-2014-9527

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9527

Release Date: 2015-01-06

Fix Resolution: REL_3_11_FINAL

CVE-2013-5960 (Medium) detected in esapi-2.0.1.jar

CVE-2013-5960 - Medium Severity Vulnerability

Vulnerable Library - esapi-2.0.1.jar

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP website. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

Library home page: http://www.esapi.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway/pom.xml

Path to vulnerable library: /root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar
        • esapi-2.0.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.

Publish Date: 2013-09-30

URL: CVE-2013-5960

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-5960

Release Date: 2013-09-30

Fix Resolution: 2.1.0.1

CVE-2014-0107 (High) detected in xalan-2.7.1.jar, xalan-2.6.0.jar

CVE-2014-0107 - High Severity Vulnerability

Vulnerable Libraries - xalan-2.7.1.jar, xalan-2.6.0.jar

xalan-2.7.1.jar

Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Library home page: http://xml.apache.org/xalan-j/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.payloadfactory.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar,/root/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.mediator.cache-4.7.4-SNAPSHOT.jar (Root Library)
    • synapse-core-2.1.7-wso2v114.jar
      • xalan-2.7.1.jar (Vulnerable Library)
xalan-2.6.0.jar

null

Path to dependency file: /carbon-mediation/components/event-sink/org.wso2.carbon.event.sink/pom.xml

Path to vulnerable library: /root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar,/root/.m2/repository/xalan/xalan/2.6.0/xalan-2.6.0.jar

Dependency Hierarchy:

  • org.wso2.carbon.ui-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.utils-4.5.0-m1.jar
      • jaxen-1.1.1.jar
        • xom-1.0.jar
          • xalan-2.6.0.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Publish Date: 2014-04-15

URL: CVE-2014-0107

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/XALANJ-2435

Release Date: 2014-03-25

Fix Resolution: Upgrade to version 2.7.2 or greater

WS-2017-3734 (Medium) detected in httpclient-4.3.2.jar

WS-2017-3734 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.3.2.jar

null

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar

Dependency Hierarchy:

  • libthrift_0.9.2.wso2v1.jar (Root Library)
    • libthrift-0.9.2.jar
      • httpclient-4.3.2.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.

Publish Date: 2019-05-30

URL: WS-2017-3734

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803

Release Date: 2019-05-30

Fix Resolution: httpclient-4.5.3

CVE-2015-7501 (High) detected in commons-collections-3.2.1.jar

CVE-2015-7501 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.bean.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

  • commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2017-11-09

URL: CVE-2015-7501

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501

Release Date: 2017-12-31

Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater

CVE-2014-0114 (High) detected in commons-beanutils-1.8.3.jar

CVE-2014-0114 - High Severity Vulnerability

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Library home page: http://commons.apache.org/beanutils/

Path to dependency file: /carbon-mediation/components/mediators/bam/org.wso2.carbon.mediator.bam.config.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/root/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/root/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/root/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

  • commons-beanutils-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201607-09

Release Date: 2016-07-20

Fix Resolution: All Commons BeanUtils users should upgrade to the latest version >= commons-beanutils-1.9.2

CVE-2013-2172 (Medium) detected in xmlsec-1.5.5.jar

CVE-2013-2172 - Medium Severity Vulnerability

Vulnerable Library - xmlsec-1.5.5.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: http://santuario.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway.agent.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar
        • xmlsec-1.5.5.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak "canonicalization algorithm to apply to the SignedInfo part of the Signature."

Publish Date: 2013-08-20

URL: CVE-2013-2172

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2172

Release Date: 2013-08-20

Fix Resolution: 1.4.8,1.5.5

CVE-2019-12384 (Medium) detected in jackson-databind-2.7.9.1.jar

CVE-2019-12384 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.9 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.

Publish Date: 2019-06-24

URL: CVE-2019-12384

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@c9ef4a1

Release Date: 2019-06-13

Fix Resolution: Replace or update the following files: SubTypeValidator.java, VERSION

CVE-2018-12023 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-12023 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-03-21

URL: CVE-2018-12023

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022

Release Date: 2019-03-21

Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6

CVE-2018-19360 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-19360 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution: 2.9.8

CVE-2014-3529 (Medium) detected in poi-ooxml-3.9.jar

CVE-2014-3529 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.9.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway.agent/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.message.processor-4.7.4-SNAPSHOT.jar (Root Library)
    • org.wso2.carbon.service.mgt-4.9.0.jar
      • org.wso2.carbon.user.mgt-5.13.0.jar
        • poi-ooxml-3.9.0.wso2v1.jar
          • poi-ooxml-3.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Publish Date: 2014-09-04

URL: CVE-2014-3529

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3529

Release Date: 2014-09-04

Fix Resolution: 3.10.1

CVE-2017-15095 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2017-15095 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2018-02-06

Fix Resolution: 2.8.10,2.9.1

CVE-2018-1272 (High) detected in spring-core-3.0.7.RELEASE.jar

CVE-2018-1272 - High Severity Vulnerability

Vulnerable Library - spring-core-3.0.7.RELEASE.jar

Spring Framework Parent

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.call.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar,/root/.m2/repository/org/springframework/spring-core/3.0.7.RELEASE/spring-core-3.0.7.RELEASE.jar

Dependency Hierarchy:

  • org.wso2.carbon.mediator.cache-4.7.4-SNAPSHOT.jar (Root Library)
    • synapse-core-2.1.7-wso2v114.jar
      • synapse-commons-2.1.7-wso2v114.jar
        • spring-core-3.0.7.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: spring-projects/spring-framework@ab2410c

Release Date: 2018-03-24

Fix Resolution: Replace or update the following file: MimeTypeUtils.java

CVE-2018-7489 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-7489 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.

Publish Date: 2018-02-26

URL: CVE-2018-7489

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-7489

Release Date: 2018-02-26

Fix Resolution: 2.8.11.1,2.9.5

CVE-2017-17485 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2017-17485 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

Publish Date: 2018-01-10

URL: CVE-2017-17485

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Change files

Origin: FasterXML/jackson-databind@bb45fb1

Release Date: 2017-12-19

Fix Resolution: Replace or update the following files: AbstractApplicationContext.java, AbstractPointcutAdvisor.java, BogusApplicationContext.java, SubTypeValidator.java, BogusPointcutAdvisor.java, IllegalTypesCheckTest.java

CVE-2017-5644 (Medium) detected in poi-ooxml-3.9.jar

CVE-2017-5644 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.9.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway.agent/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.message.processor-4.7.4-SNAPSHOT.jar (Root Library)
    • org.wso2.carbon.service.mgt-4.9.0.jar
      • org.wso2.carbon.user.mgt-5.13.0.jar
        • poi-ooxml-3.9.0.wso2v1.jar
          • poi-ooxml-3.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Publish Date: 2017-03-24

URL: CVE-2017-5644

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5644

Release Date: 2019-04-08

Fix Resolution: 3.15

CVE-2019-0201 (Medium) detected in zookeeper-3.3.4.jar

CVE-2019-0201 - Medium Severity Vulnerability

Vulnerable Library - zookeeper-3.3.4.jar

null

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.mediation.templates/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar

Dependency Hierarchy:

  • kafka_2.9.2-0.8.1.1.jar (Root Library)
    • zookeeper-3.3.4.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

An issue is present in Apache ZooKeeper 1.0.0 to 3.4.13 and 3.5.0-alpha to 3.5.4-beta. ZooKeeper?s getACL() command doesn?t check any permission when retrieves the ACLs of the requested node and returns all information contained in the ACL Id field as plaintext string. DigestAuthenticationProvider overloads the Id field with the hash value that is used for user authentication. As a consequence, if Digest Authentication is in use, the unsalted hash value will be disclosed by getACL() request for unauthenticated or unprivileged users.

Publish Date: 2019-05-23

URL: CVE-2019-0201

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://zookeeper.apache.org/security.html

Release Date: 2019-05-23

Fix Resolution: 3.4.14, 3.5.5

CVE-2016-2510 (High) detected in bsh-2.0b4.jar

CVE-2016-2510 - High Severity Vulnerability

Vulnerable Library - bsh-2.0b4.jar

BeanShell

Path to dependency file: /carbon-mediation/components/mediators/entitlement/org.wso2.carbon.identity.entitlement.mediator/pom.xml

Path to vulnerable library: /root/.m2/repository/org/beanshell/bsh/2.0b4/bsh-2.0b4.jar

Dependency Hierarchy:

  • org.wso2.carbon.identity.entitlement.proxy-5.2.0.jar (Root Library)
    • testng-6.3.1.jar
      • bsh-2.0b4.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.

Publish Date: 2016-04-07

URL: CVE-2016-2510

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security.gentoo.org/glsa/201607-17

Release Date: 2016-07-30

Fix Resolution: All BeanShell users should upgrade to the latest version >= bsh-2.0_beta6

CVE-2019-5427 (High) detected in c3p0-0.9.1.1.jar

CVE-2019-5427 - High Severity Vulnerability

Vulnerable Library - c3p0-0.9.1.1.jar

c3p0 is an easy-to-use library for augmenting traditional (DriverManager-based) JDBC drivers with JNDI-bindable DataSources, including DataSources that implement Connection and Statement Pooling, as described by the jdbc3 spec and jdbc2 std extension.

Library home page: http://c3p0.sourceforge.net

Path to dependency file: /carbon-mediation/components/mediation-config-admin/org.wso2.carbon.mediation.configadmin/pom.xml

Path to vulnerable library: /root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar,/root/.m2/repository/c3p0/c3p0/0.9.1.1/c3p0-0.9.1.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.mediator.cache-4.7.4-SNAPSHOT.jar (Root Library)
    • synapse-core-2.1.7-wso2v114.jar
      • synapse-tasks-2.1.7-wso2v114.jar
        • quartz-2.1.1.jar
          • c3p0-0.9.1.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

c3p0 version < 0.9.5.4 may be exploited by a billion laughs attack when loading XML configuration due to missing protections against recursive entity expansion when loading configuration.

Publish Date: 2019-04-22

URL: CVE-2019-5427

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427

Release Date: 2019-04-22

Fix Resolution: c3p0-0.9.5.4

CVE-2018-19362 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-19362 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution: 2.9.8

CVE-2017-12626 (High) detected in poi-3.9.jar, poi-scratchpad-3.9.jar

CVE-2017-12626 - High Severity Vulnerability

Vulnerable Libraries - poi-3.9.jar, poi-scratchpad-3.9.jar

poi-3.9.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-config-admin/org.wso2.carbon.mediation.configadmin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar,/root/.m2/repository/org/apache/poi/poi/3.9/poi-3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.message.processor-4.7.4-SNAPSHOT.jar (Root Library)
    • org.wso2.carbon.service.mgt-4.9.0.jar
      • org.wso2.carbon.user.mgt-5.13.0.jar
        • poi-scratchpad-3.9.0.wso2v1.jar
          • poi-scratchpad-3.9.jar
            • poi-3.9.jar (Vulnerable Library)
poi-scratchpad-3.9.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.proxyadmin/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar,/root/.m2/repository/org/apache/poi/poi-scratchpad/3.9/poi-scratchpad-3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.message.processor-4.7.4-SNAPSHOT.jar (Root Library)
    • org.wso2.carbon.service.mgt-4.9.0.jar
      • org.wso2.carbon.user.mgt-5.13.0.jar
        • poi-scratchpad-3.9.0.wso2v1.jar
          • poi-scratchpad-3.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Publish Date: 2018-01-29

URL: CVE-2017-12626

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b@%3Cdev.poi.apache.org%3E

Release Date: 2018-01-29

Fix Resolution: 3.17

CVE-2013-4517 (Medium) detected in xmlsec-1.5.5.jar

CVE-2013-4517 - Medium Severity Vulnerability

Vulnerable Library - xmlsec-1.5.5.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: http://santuario.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway.agent.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar,/root/.m2/repository/org/apache/santuario/xmlsec/1.5.5/xmlsec-1.5.5.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar
        • xmlsec-1.5.5.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.

Publish Date: 2014-01-11

URL: CVE-2013-4517

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4517

Release Date: 2014-01-11

Fix Resolution: 1.5.6

CVE-2015-1796 (Medium) detected in opensaml-2.6.4.jar

CVE-2015-1796 - Medium Severity Vulnerability

Vulnerable Library - opensaml-2.6.4.jar

The OpenSAML-J library provides tools to support developers working with the Security Assertion Markup Language (SAML).

Library home page: http://opensaml.org/

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.proxyadmin.common/pom.xml

Path to vulnerable library: /root/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar,/root/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar,/root/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar,/root/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar,/root/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar,/root/.m2/repository/org/opensaml/opensaml/2.6.4/opensaml-2.6.4.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The PKIX trust engines in Shibboleth Identity Provider before 2.4.4 and OpenSAML Java (OpenSAML-J) before 2.6.5 trust candidate X.509 credentials when no trusted names are available for the entityID, which allows remote attackers to impersonate an entity via a certificate issued by a shibmd:KeyAuthority trust anchor.

Publish Date: 2015-07-08

URL: CVE-2015-1796

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1796

Release Date: 2019-02-19

Fix Resolution: 2.6.5

CVE-2018-5968 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-5968 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.

Publish Date: 2018-01-22

URL: CVE-2018-5968

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968

Release Date: 2018-01-22

Fix Resolution: 2.8.11.1, 2.9.4

WS-2018-0124 (Medium) detected in jackson-core-2.7.9.jar

WS-2018-0124 - Medium Severity Vulnerability

Vulnerable Library - jackson-core-2.7.9.jar

Core Jackson abstractions, basic JSON streaming API implementation

Library home page: https://github.com/FasterXML/jackson-core

Path to dependency file: /carbon-mediation/components/org.wso2.carbon.integrator.core/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.9/jackson-core-2.7.9.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.9/jackson-core-2.7.9.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.7.9/jackson-core-2.7.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-core-2.7.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.

Publish Date: 2018-06-24

URL: WS-2018-0124

CVSS 2 Score Details (5.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://issues.jboss.org/browse/JBEAP-6316

Release Date: 2018-01-24

Fix Resolution: 2.8.6

CVE-2018-1000632 (High) detected in dom4j-1.6.1.jar

CVE-2018-1000632 - High Severity Vulnerability

Vulnerable Library - dom4j-1.6.1.jar

dom4j: the flexible XML framework for Java

Library home page: http://dom4j.org

Path to dependency file: /carbon-mediation/components/inbound-endpoints/org.wso2.carbon.inbound.endpoint.persistence/pom.xml

Path to vulnerable library: /root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar,/root/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.ui-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.utils-4.5.0-m1.jar
      • jaxen-1.1.1.jar
        • dom4j-1.6.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Publish Date: 2018-08-20

URL: CVE-2018-1000632

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632

Release Date: 2018-08-20

Fix Resolution: 2.1.1

CVE-2009-2625 (Medium) detected in xercesImpl-2.8.1.jar

CVE-2009-2625 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /carbon-mediation/components/org.wso2.carbon.integrator.core/pom.xml

Path to vulnerable library: /root/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar,/root/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.webapp.mgt-4.9.0.jar (Root Library)
    • org.wso2.carbon.identity.sso.agent-5.2.0.jar
      • openid4java-1.0.0.jar
        • xercesImpl-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id?1022680

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux:

  • JDK and JRE 6 Update 15 or later
  • JDK and JRE 5.0 Update 20 or later

Java SE releases are available at:

JDK and JRE 6 Update 15:

http://java.sun.com/javase/downloads/index.jsp

JRE 6 Update 15:

http://java.com/

through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:

  • Java SE 6 Update 15 (as delivered in patch 125136-16)
  • Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
  • Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
  • Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20:

http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:

  • J2SE 5.0 Update 18 (as delivered in patch 118666-21)
  • J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
  • J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
  • J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at:

http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see:

http://www.java.com/en/download/help/5000010800.xml

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

CVE-2014-3604 (Medium) detected in not-yet-commons-ssl-0.3.9.jar

CVE-2014-3604 - Medium Severity Vulnerability

Vulnerable Library - not-yet-commons-ssl-0.3.9.jar

A Java SSL component library

Library home page: http://juliusdavies.ca/commons-ssl

Path to dependency file: /carbon-mediation/components/business-adaptors/hl7/org.wso2.carbon.business.messaging.hl7.samples/pom.xml

Path to vulnerable library: /root/.m2/repository/ca/juliusdavies/not-yet-commons-ssl/0.3.9/not-yet-commons-ssl-0.3.9.jar,/root/.m2/repository/ca/juliusdavies/not-yet-commons-ssl/0.3.9/not-yet-commons-ssl-0.3.9.jar,/root/.m2/repository/ca/juliusdavies/not-yet-commons-ssl/0.3.9/not-yet-commons-ssl-0.3.9.jar,/root/.m2/repository/ca/juliusdavies/not-yet-commons-ssl/0.3.9/not-yet-commons-ssl-0.3.9.jar,/root/.m2/repository/ca/juliusdavies/not-yet-commons-ssl/0.3.9/not-yet-commons-ssl-0.3.9.jar,/root/.m2/repository/ca/juliusdavies/not-yet-commons-ssl/0.3.9/not-yet-commons-ssl-0.3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar
        • openws-1.5.4.jar
          • xmltooling-1.4.4.jar
            • not-yet-commons-ssl-0.3.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

Publish Date: 2014-10-25

URL: CVE-2014-3604

CVSS 2 Score Details (6.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3604

Release Date: 2014-10-25

Fix Resolution: 0.3.15

CVE-2013-5679 (Low) detected in esapi-2.0.1.jar

CVE-2013-5679 - Low Severity Vulnerability

Vulnerable Library - esapi-2.0.1.jar

The Enterprise Security API (ESAPI) project is an OWASP project to create simple strong security controls for every web platform. Security controls are not simple to build. You can read about the hundreds of pitfalls for unwary developers on the OWASP website. By providing developers with a set of strong controls, we aim to eliminate some of the complexity of creating secure web applications. This can result in significant cost savings across the SDLC.

Library home page: http://www.esapi.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway/pom.xml

Path to vulnerable library: /root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar,/root/.m2/repository/org/owasp/esapi/esapi/2.0.1/esapi-2.0.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.proxyadmin-4.7.4-SNAPSHOT.jar (Root Library)
    • rampart-core-1.6.1-wso2v36.jar
      • opensaml-2.6.4.jar
        • esapi-2.0.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against authenticity in the default configuration, involving a null MAC and a zero MAC length.

Publish Date: 2013-09-30

URL: CVE-2013-5679

CVSS 2 Score Details (2.6)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-5679

Release Date: 2013-09-30

Fix Resolution: 2.1.0

CVE-2018-8012 (High) detected in zookeeper-3.3.4.jar

CVE-2018-8012 - High Severity Vulnerability

Vulnerable Library - zookeeper-3.3.4.jar

null

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.mediation.templates/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar,/root/.m2/repository/org/apache/zookeeper/zookeeper/3.3.4/zookeeper-3.3.4.jar

Dependency Hierarchy:

  • kafka_2.9.2-0.8.1.1.jar (Root Library)
    • zookeeper-3.3.4.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

No authentication/authorization is enforced when a server attempts to join a quorum in Apache ZooKeeper before 3.4.10, and 3.5.0-alpha through 3.5.3-beta. As a result an arbitrary end point could join the cluster and begin propagating counterfeit changes to the leader.

Publish Date: 2018-05-21

URL: CVE-2018-8012

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1040948

Release Date: 2018-05-20

Fix Resolution: 3.4.10

CVE-2018-14718 (High) detected in jackson-databind-2.7.9.1.jar

CVE-2018-14718 - High Severity Vulnerability

Vulnerable Library - jackson-databind-2.7.9.1.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /carbon-mediation/components/mediation-monitor/mediation-data-publisher/org.wso2.carbon.prometheus.publisher/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar,/root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.7.9.1/jackson-databind-2.7.9.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.server-4.5.0-m1.jar (Root Library)
    • org.wso2.carbon.nextgen.config-4.5.0-m1.jar
      • jinjava-2.4.14.jar
        • jackson-databind-2.7.9.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14718

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718

Release Date: 2019-01-02

Fix Resolution: 2.9.7

CVE-2014-3574 (Medium) detected in poi-ooxml-3.9.jar

CVE-2014-3574 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.9.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway.agent/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar,/root/.m2/repository/org/apache/poi/poi-ooxml/3.9/poi-ooxml-3.9.jar

Dependency Hierarchy:

  • org.wso2.carbon.message.processor-4.7.4-SNAPSHOT.jar (Root Library)
    • org.wso2.carbon.service.mgt-4.9.0.jar
      • org.wso2.carbon.user.mgt-5.13.0.jar
        • poi-ooxml-3.9.0.wso2v1.jar
          • poi-ooxml-3.9.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Publish Date: 2014-09-04

URL: CVE-2014-3574

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3574

Release Date: 2014-09-04

Fix Resolution: 3.10.1,3.11-beta2

CVE-2015-4852 (High) detected in commons-collections-3.2.1.jar

CVE-2015-4852 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.1.jar

Types that extend and augment the Java Collections Framework.

Library home page: http://commons.apache.org/collections/

Path to dependency file: /carbon-mediation/components/mediation-ui/mediators-ui/org.wso2.carbon.mediator.bean.ui/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar,/root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar

Dependency Hierarchy:

  • commons-collections-3.2.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19

Release Date: 2015-11-18

Fix Resolution: 3.2.2

CVE-2014-3577 (Medium) detected in httpclient-4.3.2.jar

CVE-2014-3577 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.3.2.jar

null

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar

Dependency Hierarchy:

  • libthrift_0.9.2.wso2v1.jar (Root Library)
    • libthrift-0.9.2.jar
      • httpclient-4.3.2.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.

Publish Date: 2014-08-21

URL: CVE-2014-3577

CVSS 2 Score Details (5.8)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3577

Release Date: 2014-08-21

Fix Resolution: 4.3.5,4.0.2

CVE-2013-4002 (High) detected in xercesImpl-2.8.1.jar

CVE-2013-4002 - High Severity Vulnerability

Vulnerable Library - xercesImpl-2.8.1.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Library home page: http://xerces.apache.org/xerces2-j/

Path to dependency file: /carbon-mediation/components/org.wso2.carbon.integrator.core/pom.xml

Path to vulnerable library: /root/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar,/root/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar

Dependency Hierarchy:

  • org.wso2.carbon.webapp.mgt-4.9.0.jar (Root Library)
    • org.wso2.carbon.identity.sso.agent-5.2.0.jar
      • openid4java-1.0.0.jar
        • xercesImpl-2.8.1.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Publish Date: 2013-07-23

URL: CVE-2013-4002

CVSS 2 Score Details (7.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4002

Release Date: 2013-07-23

Fix Resolution: 5.0 SR16-FP3,6 SR14,6.0.1 SR6,7 SR5

CVE-2018-1320 (High) detected in libthrift-0.9.2.jar

CVE-2018-1320 - High Severity Vulnerability

Vulnerable Library - libthrift-0.9.2.jar

null

Path to dependency file: /carbon-mediation/components/mediation-cg/org.wso2.carbon.cloud.gateway.common/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar,/root/.m2/repository/org/apache/thrift/libthrift/0.9.2/libthrift-0.9.2.jar

Dependency Hierarchy:

  • libthrift_0.9.2.wso2v1.jar (Root Library)
    • libthrift-0.9.2.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

Apache Thrift Java client library versions 0.5.0 through 0.11.0 can bypass SASL negotiation isComplete validation in the org.apache.thrift.transport.TSaslTransport class. An assert used to determine if the SASL handshake had successfully completed could be disabled in production settings making the validation incomplete.

Publish Date: 2019-01-07

URL: CVE-2018-1320

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1320

Release Date: 2019-01-07

Fix Resolution: 0.12.0

CVE-2015-5262 (Medium) detected in httpclient-4.3.2.jar

CVE-2015-5262 - Medium Severity Vulnerability

Vulnerable Library - httpclient-4.3.2.jar

null

Library home page: http://hc.apache.org/httpcomponents-client

Path to dependency file: /carbon-mediation/components/mediation-admin/org.wso2.carbon.mediation.artifactuploader/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar,/root/.m2/repository/org/apache/httpcomponents/httpclient/4.3.2/httpclient-4.3.2.jar

Dependency Hierarchy:

  • libthrift_0.9.2.wso2v1.jar (Root Library)
    • libthrift-0.9.2.jar
      • httpclient-4.3.2.jar (Vulnerable Library)

Found in HEAD commit: b3da2491f455afc6823905dfa1234a43e48d0881

Vulnerability Details

http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.

Publish Date: 2015-10-27

URL: CVE-2015-5262

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-5262

Release Date: 2015-10-27

Fix Resolution: 4.3.6

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.