renfei / renfei-java-sdk
A collection of utility code commonly used in development. Programmers love to reinvent the wheel, but that is the wrong approach: if the code has a problem, try to fix it instead of building yet another wheel. So I collect the utility code I use most often during development so that it can be reused across projects.
Home Page: https://sdk.renfei.net/
License: Apache License 2.0
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.10.9.gem
Dependency Hierarchy:
Found in HEAD commit: df53ce9bece73ef02bbecc4805f12573437b552c
Found in base branch: master
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Publish Date: 2020-12-30
URL: CVE-2020-26247
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/sparklemotion/nokogiri/releases/tag/v1.11.0.rc4
Release Date: 2020-12-30
Fix Resolution: 1.11.0.rc4
Step up your Open Source Security Game with WhiteSource here
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar
Dependency Hierarchy:
Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896
Found in base branch: master
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
An XML toolkit for Ruby
Library home page: https://rubygems.org/gems/rexml-3.2.4.gem
Dependency Hierarchy:
Found in base branch: master
The REXML gem before 3.2.5 in Ruby before 2.6.7, 2.7.x before 2.7.3, and 3.x before 3.0.1 does not properly address XML round-trip issues. An incorrect document can be produced after parsing and serializing.
Publish Date: 2021-04-21
URL: CVE-2021-28965
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8cr8-4vfw-mr7h
Release Date: 2021-04-21
Fix Resolution: rexml - 3.2.5
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to consume 100% of CPU time on the target system (depending on CPU type or on parallel execution of such a payload), resulting in a denial of service, only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39140
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6wf9-jmg9-vxcc
Release Date: 2021-08-23
Fix Resolution: 1.4.18
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar
Dependency Hierarchy:
Found in base branch: master
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemoryError while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Publish Date: 2021-06-12
URL: CVE-2021-31811
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31811
Release Date: 2021-06-12
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem
Dependency Hierarchy:
Found in base branch: master
Nokogiri before version 1.13.2 is vulnerable.
Publish Date: 2022-03-01
URL: WS-2022-0089
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2022-03-01
Fix Resolution: nokogiri - v1.13.2
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39149
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3ccq-5vw3-2p6x
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar
Dependency Hierarchy:
Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896
Found in base branch: master
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Describe the bug
Compilation fails on Java 9 and above: cannot find symbol
To Reproduce
Steps to reproduce the behavior:
Expected behavior
BUILD SUCCESS
Screenshots
/src/main/java/net/renfei/sdk/utils/AESUtil.java:[4,16] cannot find symbol
symbol: class BASE64Decoder
location: package sun.misc
Additional context
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39146
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-p8pq-r894-fm8f
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Library home page: http://x-stream.github.io
Path to dependency file: renfei-java-sdk/pom.xml
Path to vulnerable library: canner/.m2/repository/com/thoughtworks/xstream/xstream/1.4.16/xstream-1.4.16.jar
Dependency Hierarchy:
Found in base branch: master
XStream is vulnerable to a remote command execution attack before version 1.4.17. The vulnerability may allow a remote attacker with sufficient rights to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected.
Publish Date: 2021-03-31
URL: CVE-2021-29505
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7chv-rrw6-w6fc
Release Date: 2021-03-31
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.17
Batik SVG Browser Application Library
Library home page: http://xmlgraphics.apache.org/batik/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlgraphics/batik-svgbrowser/1.13/batik-svgbrowser-1.13.jar
Dependency Hierarchy:
Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98
Found in base branch: master
Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.
Publish Date: 2021-02-24
URL: CVE-2020-11987
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11987
Release Date: 2021-02-24
Fix Resolution (org.apache.xmlgraphics:batik-svgbrowser): 1.14
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of version 1.4, the library supports the standard Java API JSR-105: XML Digital Signature APIs.
Library home page: https://santuario.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/santuario/xmlsec/2.2.1/xmlsec-2.2.1.jar
Dependency Hierarchy:
Found in base branch: master
All versions of Apache Santuario - XML Security for Java prior to 2.2.3 and 2.1.7 are vulnerable to an issue where the "secureValidation" property is not passed correctly when creating a KeyInfo from a KeyInfoReference element. This allows an attacker to abuse an XPath Transform to extract any local .xml files in a RetrievalMethod element.
Publish Date: 2021-09-19
URL: CVE-2021-40690
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-40690
Release Date: 2021-09-19
Fix Resolution (org.apache.santuario:xmlsec): 2.2.3
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem
Dependency Hierarchy:
Found in base branch: master
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.
Publish Date: 2022-04-11
URL: CVE-2022-24836
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39145
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8jrj-525p-826v
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39141
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g5w6-mrj7-75h2
Release Date: 2021-08-23
Fix Resolution: 1.4.18
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar
Dependency Hierarchy:
Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98
Found in base branch: master
A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Publish Date: 2021-03-19
URL: CVE-2021-27807
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27807
Release Date: 2021-03-19
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: renfei-java-sdk/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 300913d5486fed4c9616cfa238e014a2d041507f
Found in base branch: master
Apache commons-codec before version commons-codec-1.13-RC1 is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39148
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-qrx8-8545-4wg2
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Fastjson is a JSON processor (JSON parser + JSON generator) written in Java
Library home page: https://github.com/alibaba/fastjson
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/alibaba/fastjson/1.2.76/fastjson-1.2.76.jar
Dependency Hierarchy:
Found in base branch: master
The package com.alibaba:fastjson before 1.2.83 is vulnerable to deserialization of untrusted data by bypassing the default autoType shutdown restrictions, which is possible under certain conditions. Exploiting this vulnerability allows attacks on remote servers. Workaround: if upgrading is not possible, enable safeMode.
Publish Date: 2022-06-10
URL: CVE-2022-25845
Base Score Metrics:
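The safeMode workaround named in the CVE-2022-25845 entry, as an added example that is not part of the advisory or of this repository. It assumes the application never needs "@type"-driven polymorphic deserialization, because safeMode does not filter autoType, it switches it off entirely; the User bean and both JSON documents are constructed for the demo.

```java
import com.alibaba.fastjson.JSON;
import com.alibaba.fastjson.JSONException;
import com.alibaba.fastjson.parser.ParserConfig;

/**
 * fastjson with safeMode on: the "@type" key is refused before any class lookup,
 * so the autoType bypass chain in CVE-2022-25845 has nothing to reach.
 * Assumption: no code path in the application relies on autoType.
 */
public final class FastjsonSafeMode {

    /** Constructed bean describing the only shape untrusted input may take. */
    public static final class User {
        private String name;
        private int age;
        public String getName() { return name; }
        public void setName(String name) { this.name = name; }
        public int getAge() { return age; }
        public void setAge(int age) { this.age = age; }
    }

    static {
        // Same effect as starting the JVM with -Dfastjson.parser.safeMode=true.
        ParserConfig.getGlobalInstance().setSafeMode(true);
    }

    /** Binds JSON to a fixed target class; no class name from the input is consulted. */
    public static User parseUser(String json) {
        return JSON.parseObject(json, User.class);
    }

    /** Returns true when fastjson refuses a document that carries an "@type" key. */
    public static boolean rejectsAutoType(String json) {
        try {
            JSON.parse(json);
            return false;
        } catch (JSONException e) {
            // safeMode throws "safeMode not support autoType : <name>" before resolving the class
            return true;
        }
    }

    public static void main(String[] args) {
        String benign = "{\"name\":\"alice\",\"age\":30}";
        // Constructed probe: the class name is irrelevant, any "@type" key must be refused.
        String probe = "{\"@type\":\"java.lang.Object\",\"name\":\"mallory\"}";

        User u = parseUser(benign);
        System.out.println(u.getName() + " " + u.getAge());
        System.out.println("autoType rejected: " + rejectsAutoType(probe));
    }
}
```

Turning safeMode on is a global switch on the shared ParserConfig, so do it once at startup (or via the system property) rather than per call, and audit for any existing use of JSON.parseObject with Object or interface targets that silently depended on autoType.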
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream, if the library is used out of the box on Java runtime versions 8 to 14 or with JavaFX installed. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39153
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-39153
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem
Dependency Hierarchy:
Found in base branch: master
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parser, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO.
Library home page: http://xmlgraphics.apache.org/commons/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/2.4/xmlgraphics-commons-2.4.jar
Dependency Hierarchy:
Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98
Found in base branch: master
Apache XmlGraphics Commons 2.4 and earlier is vulnerable to server-side request forgery, caused by improper input validation by the XMPParser. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests. Users should upgrade to 2.6 or later.
Publish Date: 2021-02-24
URL: CVE-2020-11988
Base Score Metrics:
Type: Upgrade version
Origin: https://xmlgraphics.apache.org/security.html
Release Date: 2021-02-24
Fix Resolution (org.apache.xmlgraphics:xmlgraphics-commons): 2.6
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39151
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hph2-m3g5-xxv4
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker with sufficient rights may be able to execute commands on the host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39144
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-j9h8-phrw-h4fh
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Commons-IO contains utility classes, stream implementations, file filters, and endian classes.
Library home page: http://jakarta.apache.org/commons/io/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/1.3.1/commons-io-1.3.1.jar
Dependency Hierarchy:
Found in HEAD commit: b2cc2f8ff9d0034404196db9e47e036ee6965009
Found in base branch: master
In Apache Commons IO before 2.7, when invoking the method FilenameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code used the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution (commons-io:commons-io): 2.7
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.11.5.gem
Dependency Hierarchy:
Found in base branch: master
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions, a remote attacker may be able to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since a blacklist cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39154
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-6w62-hx7r-mw68
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Nokogiri (鋸) makes it easy and painless to work with XML and HTML from Ruby. It provides a sensible, easy-to-understand API for reading, writing, modifying, and querying documents. It is fast and standards-compliant by relying on native parsers like libxml2 (C) and xerces (Java).
Library home page: https://rubygems.org/gems/nokogiri-1.13.6-x86_64-linux.gem
Path to dependency file: /docs/Gemfile.lock
Path to vulnerable library: /home/wss-scanner/.gem/ruby/2.7.0/cache/nokogiri-1.13.6-x86_64-linux.gem
Dependency Hierarchy:
Found in base branch: master
nokogiri up to and including 1.13.8 is affected by several vulnerabilities (CVE-2022-40303, CVE-2022-40304 and CVE-2022-2309) in the dependency bundled libxml2 library. Version 1.13.9 of nokogiri contains a patch where the dependency is upgraded with the patches as well.
Publish Date: 2022-10-18
URL: WS-2022-0334
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qc6-mcvw-92cw
Release Date: 2022-10-18
Fix Resolution: nokogiri - 1.13.9
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is an open source Java library to serialize objects to XML and back again. Versions prior to 1.4.19 may allow a remote attacker, only by manipulating the processed input stream, to consume 100% of CPU time on the target system (depending on CPU type or on parallel execution of such a payload), resulting in a denial of service. XStream 1.4.19 monitors and accumulates the time it takes to add elements to collections and throws an exception if a set threshold is exceeded. Users are advised to upgrade as soon as possible. Users unable to upgrade may set the NO_REFERENCES mode to prevent recursion. See GHSA-rmr5-cpv2-vgjf for further details on a workaround if an upgrade is not possible.
Publish Date: 2022-02-01
URL: CVE-2021-43859
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-rmr5-cpv2-vgjf
Release Date: 2022-02-01
Fix Resolution: com.thoughtworks.xstream:xstream:1.4.19
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar
Dependency Hierarchy:
Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896
Found in base branch: master
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar
Dependency Hierarchy:
Found in base branch: master
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Publish Date: 2021-06-12
URL: CVE-2021-31812
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31812
Release Date: 2021-06-12
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.20/commons-compress-1.20.jar
Dependency Hierarchy:
Found in HEAD commit: 4ac3105ab2458876cc19dae561961cd3e399f896
Found in base branch: master
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory, which finally leads to an out-of-memory error even for very small inputs. This could be used to mount a denial-of-service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.
Publish Date: 2021-08-23
URL: CVE-2021-39150
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hph2-m3g5-xxv4
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. A user is only affected if using the version out of the box with JDK 1.7u21 or below. However, this scenario can be adjusted easily to an external Xalan that works regardless of the version of the Java runtime. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39139
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-64xx-cq4q-mf44
Release Date: 2021-08-23
Fix Resolution: 1.4.18
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Library home page: https://www.apache.org/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/pdfbox/pdfbox/2.0.22/pdfbox-2.0.22.jar
Dependency Hierarchy:
Found in HEAD commit: 2f8731b5439a38e7a1b18770958626c53080ff98
Found in base branch: master
A carefully crafted PDF file can trigger an OutOfMemory exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Publish Date: 2021-03-19
URL: CVE-2021-27906
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906
Release Date: 2021-03-19
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23
Direct dependency fix Resolution (org.apache.poi:poi-ooxml): 5.1.0
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream with a Java runtime version 14 to 8. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.18.
Publish Date: 2021-08-23
URL: CVE-2021-39152
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-xw4p-crpj-vjx2
Release Date: 2021-08-23
Fix Resolution: 1.4.18
Library home page: http://x-stream.github.io
Path to dependency file: /pom.xml
Path to vulnerable library: /itory/com/thoughtworks/xstream/xstream/1.4.17/xstream-1.4.17.jar
Dependency Hierarchy:
Found in base branch: master
XStream is a simple library to serialize objects to XML and back again. In affected versions this vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user who followed the recommendation to set up XStream's security framework with a whitelist limited to the minimal required types is affected. XStream 1.4.18 no longer uses a blacklist by default, since it cannot be secured for general-purpose use.
Publish Date: 2021-08-23
URL: CVE-2021-39147
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-h7v4-7xg3-hxcc
Release Date: 2021-08-23
Fix Resolution: 1.4.18