renfei / renfei-java-sdk


A collection of code utilities commonly used in development. Programmers love to "reinvent the wheel", but that is the wrong approach: if the code has a problem you should try to fix it rather than build yet another wheel. So I collect the utility code commonly needed in development so that it can be reused across projects.

Home Page: https://sdk.renfei.net/

License: Apache License 2.0

Java 100.00%
renfei renfei-sdk sdk

Contributors

dependabot-preview[bot], dependabot[bot], mend-bolt-for-github[bot], renfei, renovate-bot

renfei-java-sdk's Issues

CVE-2020-26247 (Medium) detected in nokogiri-1.10.9.gem - autoclosed

CVE-2020-26247 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.10.9.gem

Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.

Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem

Dependency Hierarchy:

Found in HEAD commit: df53ce9bece73ef02bbecc4805f12573437b552c

Found in base branch: master

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.

Publish Date: 2020-12-30

URL: CVE-2020-26247

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4

Release Date: 2020-12-30

Fix Resolution: 1.11.0.rc4


Step up your Open Source Security Game with WhiteSource here

CVE-2021-35515 (High) detected in commons-compress-1.20.jar - autoclosed

CVE-2021-35515 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0


CVE-2021-28965 (High) detected in rexml-3.2.4.gem - autoclosed

CVE-2021-28965 - High Severity Vulnerability

Vulnerable Library - rexml-3.2.4.gem

An XML toolkit for Ruby

Library home page: https://rubygems.org/gems/rexml-3.2.4.gem

Dependency Hierarchy:

  • rubocop-0.80.1.gem (Root Library)
    • rexml-3.2.4.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.

Publish Date: 2021-04-21

URL: CVE-2021-28965

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-8cr8-4vfw-mr7h

Release Date: 2021-04-21

Fix Resolution: rexml - 3.2.5


CVE-2021-39140 (Medium) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39140 - Medium Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to allocate 100% CPU time on the target system (depending on CPU type or on parallel execution of such a payload), resulting in a denial of service, only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39140

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6wf9-jmg9-vxcc

Release Date: 2021-08-23

Fix Resolution: 1.4.18


CVE-2021-31811 (Medium) detected in pdfbox-2.0.22.jar - autoclosed

CVE-2021-31811 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.22.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: https://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • graphics2d-0.30.jar
      • pdfbox-2.0.22.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Publish Date: 2021-06-12

URL: CVE-2021-31811

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31811

Release Date: 2021-06-12

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0


WS-2022-0089 (High) detected in nokogiri-1.11.5.gem - autoclosed

WS-2022-0089 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.11.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem

Dependency Hierarchy:

  • w3c_validators-1.3.5.gem (Root Library)
    • nokogiri-1.11.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Nokogiri before version 1.13.2 is vulnerable.

Publish Date: 2022-03-01

URL: WS-2022-0089

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-fq42-c5rg-92c2

Release Date: 2022-03-01

Fix Resolution: nokogiri - v1.13.2


CVE-2021-39149 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39149 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39149

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-3ccq-5vw3-2p6x

Release Date: 2021-08-23

Fix Resolution: 1.4.18


CVE-2021-35516 (High) detected in commons-compress-1.20.jar - autoclosed

CVE-2021-35516 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896

Found in base branch: master

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0


Compilation fails on Java 9 and above: cannot find symbol

Describe the bug
Compilation fails on Java 9 and above: cannot find symbol

To Reproduce
Steps to reproduce the behavior:

  1. mvn package

Expected behavior
BUILD SUCCESS

Screenshots
/src/main/java/net/renfei/sdk/utils/AESUtil.java:[4,16] cannot find symbol
symbol: class BASE64Decoder
location: package sun.misc


CVE-2021-39146 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39146 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39146

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-p8pq-r894-fm8f

Release Date: 2021-08-23

Fix Resolution: 1.4.18


CVE-2021-29505 (Medium) detected in xstream-1.4.16.jar - autoclosed

CVE-2021-29505 - Medium Severity Vulnerability

Vulnerable Library - xstream-1.4.16.jar

Library home page: http://x-stream.github.io

Path to dependency file: renfei-java-sdk/pom.xml

Path to vulnerable library: canner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.16/xstream-1.4.16.jar

Dependency Hierarchy:

  • xstream-1.4.16.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is vulnerable to a Remote Command Execution attack before version 1.4.17. The vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host, only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected.

Publish Date: 2021-03-31

URL: CVE-2021-29505

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7chv-rrw6-w6fc

Release Date: 2021-03-31

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.17


CVE-2020-11987 (High) detected in batik-svgbrowser-1.13.jar - autoclosed

CVE-2020-11987 - High Severity Vulnerability

Vulnerable Library - batik-svgbrowser-1.13.jar

Batik SVG Browser Application Library

Library home page: http://xmlgraphics.apache.org/batik/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlgraphics/batik-svgbrowser/1.13/batik-svgbrowser-1.13.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • batik-all-1.13.jar
      • batik-svgbrowser-1.13.jar (Vulnerable Library)

Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98

Found in base branch: master

Vulnerability Details

Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.

Publish Date: 2021-02-24

URL: CVE-2020-11987

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987

Release Date: 2021-02-24

Fix Resolution (org.apache.xmlgraphics:batik-svgbrowser): 1.14

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0


CVE-2021-40690 (High) detected in xmlsec-2.2.1.jar - autoclosed

CVE-2021-40690 - High Severity Vulnerability

Vulnerable Library - xmlsec-2.2.1.jar

Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.

Library home page: https://santuario.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.2.1/xmlsec-2.2.1.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • xmlsec-2.2.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.

Publish Date: 2021-09-19

URL: CVE-2021-40690

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690

Release Date: 2021-09-19

Fix Resolution (org.apache.santuario:xmlsec): 2.2.3

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0


CVE-2022-24836 (High) detected in nokogiri-1.11.5.gem - autoclosed

CVE-2022-24836 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.11.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem

Dependency Hierarchy:

  • w3c_validators-1.3.5.gem (Root Library)
    • nokogiri-1.11.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.

Publish Date: 2022-04-11

URL: CVE-2022-24836

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-crjr-9rc5-ghw8

Release Date: 2022-04-11

Fix Resolution: nokogiri - 1.13.4


CVE-2021-39145 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39145 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39145

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-8jrj-525p-826v

Release Date: 2021-08-23

Fix Resolution: 1.4.18


CVE-2021-39141 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39141 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39141

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-g5w6-mrj7-75h2

Release Date: 2021-08-23

Fix Resolution: 1.4.18


CVE-2021-27807 (Medium) detected in pdfbox-2.0.22.jar - autoclosed

CVE-2021-27807 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.22.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: https://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • graphics2d-0.30.jar
      • pdfbox-2.0.22.jar (Vulnerable Library)

Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98

Found in base branch: master

Vulnerability Details

A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Publish Date: 2021-03-19

URL: CVE-2021-27807

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27807

Release Date: 2021-03-19

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0


WS-2019-0379 (Medium) detected in commons-codec-1.11.jar - autoclosed

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: renfei-java-sdk/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Dependency Hierarchy:

  • httpclient-4.5.13.jar (Root Library)
    • commons-codec-1.11.jar (Vulnerable Library)

Found in HEAD commit: 300913d5486fed4c9616cfa238e014a2d041507f

Found in base branch: master

Vulnerability Details

Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: apache/commons-codec@48b6157

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13


CVE-2021-39148 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39148 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39148

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qrx8-8545-4wg2

Release Date: 2021-08-23

Fix Resolution: 1.4.18


CVE-2022-25845 (High) detected in fastjson-1.2.76.jar - autoclosed

CVE-2022-25845 - High Severity Vulnerability

Vulnerable Library - fastjson-1.2.76.jar

Fastjson is a JSON processor (JSON parser + JSON generator) written in Java

Library home page: https://github.com/alibaba/fastjson

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar

Dependency Hierarchy:

  • fastjson-1.2.76.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package com.alibaba:fastjson before 1.2.83 is vulnerable to Deserialization of Untrusted Data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacking remote servers. Workaround: if upgrading is not possible, you can enable safeMode.

Publish Date: 2022-06-10

URL: CVE-2022-25845

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-06-10

Fix Resolution: 1.2.83


CVE-2021-39153 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39153 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if the library is used out of the box with Java runtime version 14 to 8 or with JavaFX installed. Users who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types are not affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39153

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153

Release Date: 2021-08-23

Fix Resolution: 1.4.18

CVE-2021-41098 (High) detected in nokogiri-1.11.5.gem - autoclosed

CVE-2021-41098 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.11.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem

Dependency Hierarchy:

  • w3c_validators-1.3.5.gem (Root Library)
    • nokogiri-1.11.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.

Publish Date: 2021-09-27

URL: CVE-2021-41098

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098

Release Date: 2021-09-27

Fix Resolution: nokogiri - 1.12.5

CVE-2020-11988 (High) detected in xmlgraphics-commons-2.4.jar - autoclosed

CVE-2020-11988 - High Severity Vulnerability

Vulnerable Library - xmlgraphics-commons-2.4.jar

Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.

Library home page: http://xmlgraphics.apache.org/commons/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/2.4/xmlgraphics-commons-2.4.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • batik-all-1.13.jar
      • batik-awt-util-1.13.jar
        • xmlgraphics-commons-2.4.jar (Vulnerable Library)

Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98

Found in base branch: master

Vulnerability Details

Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.

Publish Date: 2021-02-24

URL: CVE-2020-11988

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://xmlgraphics.apache.org/security.html

Release Date: 2021-02-24

Fix Resolution (org.apache.xmlgraphics:xmlgraphics-commons): 2.6

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0

CVE-2021-39151 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39151 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39151

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hph2-m3g5-xxv4

Release Date: 2021-08-23

Fix Resolution: 1.4.18

CVE-2021-39144 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39144 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker who has sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39144

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-j9h8-phrw-h4fh

Release Date: 2021-08-23

Fix Resolution: 1.4.18

CVE-2021-29425 (Medium) detected in commons-io-1.3.1.jar - autoclosed

CVE-2021-29425 - Medium Severity Vulnerability

Vulnerable Library - commons-io-1.3.1.jar

Commons-IO contains utility classes, stream implementations, file filters, and endian classes.

Library home page: http://jakarta.apache.org/commons/io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/1.3.1/commons-io-1.3.1.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • batik-all-1.13.jar
      • batik-awt-util-1.13.jar
        • xmlgraphics-commons-2.4.jar
          • commons-io-1.3.1.jar (Vulnerable Library)

Found in HEAD commit: b2cc2f8ff9d0034404196db9e47e036ee6965009

Found in base branch: master

Vulnerability Details

In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution (commons-io:commons-io): 2.7

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0

CVE-2022-29181 (High) detected in nokogiri-1.11.5.gem - autoclosed

CVE-2022-29181 - High Severity Vulnerability

Vulnerable Library - nokogiri-1.11.5.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem

Dependency Hierarchy:

  • w3c_validators-1.3.5.gem (Root Library)
    • nokogiri-1.11.5.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.

Publish Date: 2022-05-20

URL: CVE-2022-29181

CVSS 3 Score Details (8.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181

Release Date: 2022-05-20

Fix Resolution: nokogiri - 1.13.6

CVE-2021-39154 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39154 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39154

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-6w62-hx7r-mw68

Release Date: 2021-08-23

Fix Resolution: 1.4.18

WS-2022-0334 (Medium) detected in nokogiri-1.13.6-x86_64-linux.gem - autoclosed

WS-2022-0334 - Medium Severity Vulnerability

Vulnerable Library - nokogiri-1.13.6-x86_64-linux.gem

Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).

Library home page: https://rubygems.org/gems/nokogiri-1.13.6-x86_64-linux.gem

Path to dependency file: /docs/Gemfile.lock

Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.13.6-x86_64-linux.gem

Dependency Hierarchy:

  • html-proofer-3.19.4.gem (Root Library)
    • nokogiri-1.13.6-x86_64-linux.gem (Vulnerable Library)

Found in base branch: master

Vulnerability Details

nokogiri up to and including 1.13.8 is affected by several vulnerabilities (CVE-2022-40303, CVE-2022-40304 and CVE-2022-2309) in the bundled libxml2 dependency. Version 1.13.9 of nokogiri contains a patch in which that dependency is upgraded to a version carrying the corresponding fixes.

Publish Date: 2022-10-18

URL: WS-2022-0334

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2qc6-mcvw-92cw

Release Date: 2022-10-18

Fix Resolution: nokogiri - 1.13.9

CVE-2021-43859 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-43859 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is an open source java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCE mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.

Publish Date: 2022-02-01

URL: CVE-2021-43859

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-rmr5-cpv2-vgjf

Release Date: 2022-02-01

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.19

CVE-2021-35517 (High) detected in commons-compress-1.20.jar - autoclosed

CVE-2021-35517 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896

Found in base branch: master

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0

CVE-2021-31812 (Medium) detected in pdfbox-2.0.22.jar - autoclosed

CVE-2021-31812 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.22.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: https://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • graphics2d-0.30.jar
      • pdfbox-2.0.22.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.

Publish Date: 2021-06-12

URL: CVE-2021-31812

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31812

Release Date: 2021-06-12

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0

CVE-2021-36090 (High) detected in commons-compress-1.20.jar - autoclosed

CVE-2021-36090 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.20.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Library home page: https://commons.apache.org/proper/commons-compress/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • commons-compress-1.20.jar (Vulnerable Library)

Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896

Found in base branch: master

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0

CVE-2021-39150 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39150 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

Publish Date: 2021-08-23

URL: CVE-2021-39150

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hph2-m3g5-xxv4

Release Date: 2021-08-23

Fix Resolution: 1.4.18

CVE-2021-39139 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39139 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39139

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-64xx-cq4q-mf44

Release Date: 2021-08-23

Fix Resolution: 1.4.18

CVE-2021-27906 (Medium) detected in pdfbox-2.0.22.jar - autoclosed

CVE-2021-27906 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.22.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: https://www.apache.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar

Dependency Hierarchy:

  • poi-ooxml-5.0.0.jar (Root Library)
    • graphics2d-0.30.jar
      • pdfbox-2.0.22.jar (Vulnerable Library)

Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98

Found in base branch: master

Vulnerability Details

A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.

Publish Date: 2021-03-19

URL: CVE-2021-27906

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906

Release Date: 2021-03-19

Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23

Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0

CVE-2021-39152 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39152 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.

Publish Date: 2021-08-23

URL: CVE-2021-39152

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-xw4p-crpj-vjx2

Release Date: 2021-08-23

Fix Resolution: 1.4.18

CVE-2021-39147 (High) detected in xstream-1.4.17.jar - autoclosed

CVE-2021-39147 - High Severity Vulnerability

Vulnerable Library - xstream-1.4.17.jar

Library home page: http://x-stream.github.io

Path to dependency file: /pom.xml

Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar

Dependency Hierarchy:

  • xstream-1.4.17.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.

Publish Date: 2021-08-23

URL: CVE-2021-39147

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h7v4-7xg3-hxcc

Release Date: 2021-08-23

Fix Resolution: 1.4.18