View Code? Open in Web Editor
NEW
【!】NEILREN.COM 的旧版本, Java Spring 版本,RenFei.Net 替代了 NEILREN4J。NEILREN 的个人网站 Java版,使用了SpringBoot,MyBatis,Thymeleaf等开源项目组建。
Home Page: https://www.neilren.com/
License: Apache License 2.0
Java 0.81%
HTML 0.70%
PLpgSQL 98.48%
XSLT 0.01%
neilren4j's People
Watchers
neilren4j's Issues
CVE-2019-11358 - Medium Severity Vulnerability
Vulnerable Libraries - jquery-1.10.2.js , jquery-3.3.1.min.js , jquery-3.3.1.js
jquery-1.10.2.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.js
Path to vulnerable library: /NEILREN4J/target/classes/static/js/ueditor/third-party/jquery-1.10.2.js,/NEILREN4J/src/main/resources/static/js/ueditor/third-party/jquery-1.10.2.js
Dependency Hierarchy:
❌ jquery-1.10.2.js (Vulnerable Library)
jquery-3.3.1.min.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.min.js
Path to vulnerable library: /NEILREN4J/target/classes/static/js/jquery-3.3.1.min.js,/NEILREN4J/src/main/resources/static/js/jquery-3.3.1.min.js
Dependency Hierarchy:
❌ jquery-3.3.1.min.js (Vulnerable Library)
jquery-3.3.1.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.3.1/jquery.js
Path to vulnerable library: /NEILREN4J/target/classes/static/js/jquery-3.3.1.js,/NEILREN4J/src/main/resources/static/js/jquery-3.3.1.js
Dependency Hierarchy:
❌ jquery-3.3.1.js (Vulnerable Library)
Vulnerability Details
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: 3.4.0
Step up your Open Source Security Game with WhiteSource here
为什么没有后台管理功能?
在源代码中没找到网站的后台管理功能,我该如何管理网站呢?
CVE-2018-14040 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.js
Path to vulnerable library: /NEILREN4J/src/main/resources/static/js/bootstrap.js,/NEILREN4J/target/classes/static/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-3.3.7-3.3.13.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14040
Release Date: 2018-07-13
Fix Resolution: 4.1.2
Step up your Open Source Security Game with WhiteSource here
CVE-2019-3797 - Medium Severity Vulnerability
Vulnerable Library - spring-data-jpa-2.0.8.RELEASE.jar
Spring Data module for JPA repositories.
Library home page: http://projects.spring.io/spring-data-jpa
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/org/springframework/data/spring-data-jpa/2.0.8.RELEASE/spring-data-jpa-2.0.8.RELEASE.jar
Dependency Hierarchy:
spring-boot-starter-data-jpa-2.0.3.RELEASE.jar (Root Library)
❌ spring-data-jpa-2.0.8.RELEASE.jar (Vulnerable Library)
Vulnerability Details
This affects Spring Data JPA in versions up to and including 2.1.5, 2.0.13 and 1.11.19. Derived queries using any of the predicates ?startingWith?, ?endingWith? or ?containing? could return more results than anticipated when a maliciously crafted query parameter value is supplied. Also, LIKE expressions in manually defined queries could return unexpected results if the parameter values bound did not have escaped reserved characters properly.
Publish Date: 2019-05-06
URL: CVE-2019-3797
CVSS 3 Score Details (5.3 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2019-3797
Release Date: 2019-04-15
Fix Resolution: 1.11.20, 2.0.14, 2.1.6
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19361 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution: 2.9.8
Step up your Open Source Security Game with WhiteSource here
CVE-2018-8034 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-websocket-8.5.31.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-websocket/8.5.31/tomcat-embed-websocket-8.5.31.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-tomcat-2.0.3.RELEASE.jar
❌ tomcat-embed-websocket-8.5.31.jar (Vulnerable Library)
Vulnerability Details
The host name verification when using TLS with the WebSocket client was missing. It is now enabled by default. Versions Affected: Apache Tomcat 9.0.0.M1 to 9.0.9, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, and 7.0.35 to 7.0.88.
Publish Date: 2018-08-01
URL: CVE-2018-8034
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8034
Release Date: 2018-01-07
Fix Resolution: 7.0.90, 8.0.53, 8.5.32, 9.0.10
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19362 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution: 2.9.8
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14720 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Step up your Open Source Security Game with WhiteSource here
CVE-2018-5968 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
CVSS 3 Score Details (8.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
Release Date: 2018-01-22
Fix Resolution: 2.8.11.1, 2.9.4
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jackson-datatype-jsr310-2.9.6.jar
Add-on module to support JSR-310 (Java 8 Date & Time API) data types.
Library home page: https://github.com/FasterXML/jackson-modules-java8/jackson-datatype-jsr310
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/datatype/jackson-datatype-jsr310/2.9.6/jackson-datatype-jsr310-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-datatype-jsr310-2.9.6.jar (Vulnerable Library)
Vulnerability Details
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Publish Date: 2018-12-20
URL: CVE-2018-1000873
CVSS 3 Score Details (6.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000873
Release Date: 2018-12-20
Fix Resolution: 2.9.8
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14721 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Changed
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Step up your Open Source Security Game with WhiteSource here
WS-2018-0021 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.js
Path to vulnerable library: /NEILREN4J/src/main/resources/static/js/bootstrap.js,/NEILREN4J/target/classes/static/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-3.3.7-3.3.13.js (Vulnerable Library)
Vulnerability Details
XSS in data-target in bootstrap (3.3.7 and before)
Publish Date: 2017-06-27
URL: WS-2018-0021
CVSS 2 Score Details (6.5 )
Base Score Metrics not available
Suggested Fix
Type: Change files
Origin: twbs/bootstrap@d9be1da
Release Date: 2017-08-25
Fix Resolution: Replace or update the following files: alert.js, carousel.js, collapse.js, dropdown.js, modal.js
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14718 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Step up your Open Source Security Game with WhiteSource here
CVE-2018-15756 - High Severity Vulnerability
Vulnerable Library - spring-web-5.0.7.RELEASE.jar
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/org/springframework/spring-web/5.0.7.RELEASE/spring-web-5.0.7.RELEASE.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
❌ spring-web-5.0.7.RELEASE.jar (Vulnerable Library)
Vulnerability Details
Spring Framework, version 5.1, versions 5.0.x prior to 5.0.10, versions 4.3.x prior to 4.3.20, and older unsupported versions on the 4.2.x branch provide support for range requests when serving static resources through the ResourceHttpRequestHandler, or starting in 5.0 when an annotated controller returns an org.springframework.core.io.Resource. A malicious user (or attacker) can add a range header with a high number of ranges, or with wide ranges that overlap, or both, for a denial of service attack. This vulnerability affects applications that depend on either spring-webmvc or spring-webflux. Such applications must also have a registration for serving static resources (e.g. JS, CSS, images, and others), or have an annotated controller that returns an org.springframework.core.io.Resource. Spring Boot applications that depend on spring-boot-starter-web or spring-boot-starter-webflux are ready to serve static resources out of the box and are therefore vulnerable.
Publish Date: 2018-10-18
URL: CVE-2018-15756
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-15756
Release Date: 2018-10-18
Fix Resolution: 4.3.20,5.0.10,5.1.1
Step up your Open Source Security Game with WhiteSource here
WS-2009-0001 - Low Severity Vulnerability
Vulnerable Library - commons-codec-1.11.jar
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/proper/commons-codec/
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
Dependency Hierarchy:
aliyun-sdk-opensearch-2.1.3.jar (Root Library)
❌ commons-codec-1.11.jar (Vulnerable Library)
Vulnerability Details
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-07
URL: WS-2009-0001
CVSS 2 Score Details (0.0 )
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14041 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.js
Path to vulnerable library: /NEILREN4J/src/main/resources/static/js/bootstrap.js,/NEILREN4J/target/classes/static/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-3.3.7-3.3.13.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.
Publish Date: 2018-07-13
URL: CVE-2018-14041
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Change files
Origin: twbs/bootstrap@3229efc
Release Date: 2018-05-30
Fix Resolution: Replace or update the following file: scrollspy.js
Step up your Open Source Security Game with WhiteSource here
CVE-2015-9251 - Medium Severity Vulnerability
Vulnerable Library - jquery-1.10.2.js
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.10.2/jquery.js
Path to vulnerable library: /NEILREN4J/target/classes/static/js/ueditor/third-party/jquery-1.10.2.js,/NEILREN4J/src/main/resources/static/js/ueditor/third-party/jquery-1.10.2.js
Dependency Hierarchy:
❌ jquery-1.10.2.js (Vulnerable Library)
Vulnerability Details
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: 3.0.0
Step up your Open Source Security Game with WhiteSource here
CVE-2018-8037 - Medium Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.31.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.31/tomcat-embed-core-8.5.31.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-tomcat-2.0.3.RELEASE.jar
❌ tomcat-embed-core-8.5.31.jar (Vulnerable Library)
Vulnerability Details
If an async request was completed by the application at the same time as the container triggered the async timeout, a race condition existed that could result in a user seeing a response intended for a different user. An additional issue was present in the NIO and NIO2 connectors that did not correctly track the closure of the connection when an async request was completed by the application and timed out by the container at the same time. This could also result in a user seeing a response intended for another user. Versions Affected: Apache Tomcat 9.0.0.M9 to 9.0.9 and 8.5.5 to 8.5.31.
Publish Date: 2018-08-02
URL: CVE-2018-8037
CVSS 3 Score Details (5.9 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: High
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: http://www.securitytracker.com/id/1041376
Release Date: 2018-02-07
Fix Resolution: 8.5.32, 9.0.10
Step up your Open Source Security Game with WhiteSource here
CVE-2019-12086 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: None
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
Step up your Open Source Security Game with WhiteSource here
CVE-2018-8014 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.31.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.31/tomcat-embed-core-8.5.31.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-tomcat-2.0.3.RELEASE.jar
❌ tomcat-embed-core-8.5.31.jar (Vulnerable Library)
Vulnerability Details
The defaults settings for the CORS filter provided in Apache Tomcat 9.0.0.M1 to 9.0.8, 8.5.0 to 8.5.31, 8.0.0.RC1 to 8.0.52, 7.0.41 to 7.0.88 are insecure and enable 'supportsCredentials' for all origins. It is expected that users of the CORS filter will have configured it appropriately for their environment rather than using it in the default configuration. Therefore, it is expected that most users will not be impacted by this issue.
Publish Date: 2018-05-16
URL: CVE-2018-8014
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Change files
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-8014
Release Date: 2019-04-08
Fix Resolution: Replace or update the following files: 7.0.89, 8.0.53, 8.5.32, 9.0.9
Step up your Open Source Security Game with WhiteSource here
CVE-2019-0199 - High Severity Vulnerability
Vulnerable Library - tomcat-embed-core-8.5.31.jar
Core Tomcat implementation
Library home page: http://tomcat.apache.org/
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/org/apache/tomcat/embed/tomcat-embed-core/8.5.31/tomcat-embed-core-8.5.31.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-tomcat-2.0.3.RELEASE.jar
❌ tomcat-embed-core-8.5.31.jar (Vulnerable Library)
Vulnerability Details
The HTTP/2 implementation in Apache Tomcat 9.0.0.M1 to 9.0.14 and 8.5.0 to 8.5.37 accepted streams with excessive numbers of SETTINGS frames and also permitted clients to keep streams open without reading/writing request/response data. By keeping streams open for requests that utilised the Servlet API's blocking I/O, clients were able to cause server-side threads to block eventually leading to thread exhaustion and a DoS.
Publish Date: 2019-04-10
URL: CVE-2019-0199
CVSS 3 Score Details (7.5 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: None
Integrity Impact: None
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-0199
Release Date: 2019-04-10
Fix Resolution: 8.5.38,9.0.14
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14719 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Step up your Open Source Security Game with WhiteSource here
CVE-2018-14042 - Medium Severity Vulnerability
Vulnerable Library - bootstrap-3.3.7-3.3.13.js
Google-styled theme for Bootstrap.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.3.7-3.3.13/js/bootstrap.js
Path to vulnerable library: /NEILREN4J/src/main/resources/static/js/bootstrap.js,/NEILREN4J/target/classes/static/js/bootstrap.js
Dependency Hierarchy:
❌ bootstrap-3.3.7-3.3.13.js (Vulnerable Library)
Vulnerability Details
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
CVSS 3 Score Details (6.1 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: Required
Scope: Changed
Impact Metrics:
Confidentiality Impact: Low
Integrity Impact: Low
Availability Impact: None
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14042
Release Date: 2018-07-13
Fix Resolution: 4.1.2
Step up your Open Source Security Game with WhiteSource here
CVE-2018-19360 - High Severity Vulnerability
Vulnerable Library - jackson-databind-2.9.6.jar
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /NEILREN4J/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar
Dependency Hierarchy:
spring-boot-starter-web-2.0.3.RELEASE.jar (Root Library)
spring-boot-starter-json-2.0.3.RELEASE.jar
❌ jackson-databind-2.9.6.jar (Vulnerable Library)
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
CVSS 3 Score Details (9.8 )
Base Score Metrics:
Exploitability Metrics:
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Impact Metrics:
Confidentiality Impact: High
Integrity Impact: High
Availability Impact: High
For more information on CVSS3 Scores, click here .
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution: 2.9.8
Step up your Open Source Security Game with WhiteSource here