yang-db / yang-db
YANGDB Open-source, Scalable, Non-native Graph database (Powered by Elasticsearch)
Home Page: https://www.yangdb.org/
License: Apache License 2.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar, yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar, yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 06b35902f6d55e1d69920410512d0bc0d2ff93a5
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
Step up your Open Source Security Game with WhiteSource here
General data-binding functionality for Jackson: works on core streaming API
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar, /yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-assembly/target/assembly-fuse-knowledge/lib/jackson-databind-2.9.6.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719
Release Date: 2019-01-02
Fix Resolution: 2.9.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar, yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar, yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: ba4af1d87a032af25d92b2cc51158bf4a891142e
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2460
Release Date: 2019-10-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar, yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar, yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 859808989671b065b7e3158e1e5fdb3f65fa59df
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Library home page: https://github.com/google/guava
Path to vulnerable library: yang-db/unipop-core/target/lib/guava-21.0.jar, /home/wss-scanner/.m2/repository/com/google/guava/guava/21.0/guava-21.0.jar
Dependency Hierarchy:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237
Release Date: 2018-04-26
Fix Resolution: 24.1.1-jre, 24.1.1-android
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: yang-db/fuse-dv/fuse-dv-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar
Dependency Hierarchy:
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://commons.apache.org/proper/commons-beanutils/
Path to dependency file: yang-db/fuse-test/fuse-test-framework/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar, yang-db/distrib/dragon-dragon/lib/commons-beanutils-1.9.3.jar, yang-db/distrib/knowledge-knowledge/lib/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: 026001cee931194398d9b8920ee0e6822ec8159f
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Base Score Metrics:
Type: Upgrade version
Origin: http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%[email protected]%3e
Release Date: 2019-08-20
Fix Resolution: 1.9.4
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-dv/fuse-dv-asg/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.30.Final/netty-codec-http-4.1.30.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-domain/fuse-domain-dragons/fuse-domain-dragons-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.33.Final/netty-codec-http-4.1.33.Final.jar, yang-db/distrib/knowledge-knowledge/lib/netty-codec-http-4.1.33.Final.jar, yang-db/distrib/dragon-dragon/lib/netty-codec-http-4.1.33.Final.jar
Dependency Hierarchy:
Found in HEAD commit: fb4688fc73077d82b1716f0af8303e34cb1e6d25
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-codec-http:4.1.44
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-dv/fuse-dv-asg/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.30.Final/netty-codec-http-4.1.30.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-domain/fuse-domain-dragons/fuse-domain-dragons-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.33.Final/netty-codec-http-4.1.33.Final.jar, yang-db/distrib/knowledge-knowledge/lib/netty-codec-http-4.1.33.Final.jar, yang-db/distrib/dragon-dragon/lib/netty-codec-http-4.1.33.Final.jar
Dependency Hierarchy:
Found in HEAD commit: f8326e6f99d2a5eb0d503ac9db0c4f8f00bba7d9
Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.
Publish Date: 2019-09-26
URL: CVE-2019-16869
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869
Release Date: 2019-09-26
Fix Resolution: io.netty:netty-all:4.1.42.Final,io.netty:netty-codec-http:4.1.42.Final
General data-binding functionality for Jackson: works on core streaming API
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar, /yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-assembly/target/assembly-fuse-knowledge/lib/jackson-databind-2.9.6.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: yang-db/fuse-dv/fuse-dv-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar
Dependency Hierarchy:
Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Library home page: https://commons.apache.org/proper/commons-beanutils/
Path to dependency file: yang-db/fuse-test/fuse-test-framework/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.3/commons-beanutils-1.9.3.jar, yang-db/distrib/dragon-dragon/lib/commons-beanutils-1.9.3.jar, yang-db/distrib/knowledge-knowledge/lib/commons-beanutils-1.9.3.jar
Dependency Hierarchy:
Found in HEAD commit: 026001cee931194398d9b8920ee0e6822ec8159f
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar, yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar, yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: eeac3ed7a15d1b45b7898f26dd13315117c6b9b6
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-domain/fuse-domain-dragons/fuse-domain-dragons-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.33.Final/netty-codec-4.1.33.Final.jar, yang-db/distrib/dragon-dragon/lib/netty-codec-4.1.33.Final.jar, yang-db/distrib/knowledge-knowledge/lib/netty-codec-4.1.33.Final.jar
Dependency Hierarchy:
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-asg/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec/4.1.30.Final/netty-codec-4.1.30.Final.jar
Dependency Hierarchy:
Found in HEAD commit: fb4688fc73077d82b1716f0af8303e34cb1e6d25
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Publish Date: 2020-04-07
URL: CVE-2020-11612
Base Score Metrics:
Type: Upgrade version
Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html
Release Date: 2020-04-07
Fix Resolution: io.netty:netty-codec:4.1.46.Final;io.netty:netty-all:4.1.46.Final
Step up your Open Source Security Game with WhiteSource here
Add support for custom route schema with specific "timeless" index template
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-assembly/target/assembly-fuse-knowledge/lib/jackson-databind-2.9.6.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: 2.9.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 10e1a8ac9a1a011545bd05a958c84c67431f8e8b
SubTypeValidator.java in FasterXML jackson-databind before 2.9.9.2 mishandles default typing when ehcache is used (because of net.sf.ehcache.transaction.manager.DefaultTransactionManagerLookup), leading to remote code execution.
Publish Date: 2019-07-29
URL: CVE-2019-14379
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14379
Release Date: 2019-07-29
Fix Resolution: 2.9.9.2
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 2f9391d91afb3a86a5e9ff6e0669e6d77fd98bac
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2341
Release Date: 2019-06-19
Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0
Flat UI Free is a beautiful theme for Bootstrap. We have redesigned many of its components to look flat in every pixel
path: /yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-poc/src/main/resources/public/assets/lib/jquery-1.10.2.min.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/flat-ui/2.1.0/js/jquery-1.10.2.min.js
Dependency Hierarchy:
In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
Publish Date: 2017-04-15
URL: WS-2017-0195
Type: Change files
Origin: jquery/jquery@d12e13d
Release Date: 2016-05-29
Fix Resolution: Replace or update the following files: attr.js, attributes.js
General data-binding functionality for Jackson: works on core streaming API
path: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-assembly/target/assembly-fuse-knowledge/lib/jackson-databind-2.9.6.jar
Library home page: http://github.com/FasterXML/jackson
Dependency Hierarchy:
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution: 2.9.8
WebJar for Swagger UI
Library home page: http://webjars.org
Path to vulnerable library: yang-db/distrib/knowledge-knowledge/lib/swagger-ui-3.17.1.jar,/home/wss-scanner/.m2/repository/org/webjars/swagger-ui/3.17.1/swagger-ui-3.17.1.jar,yang-db/distrib/dragon-dragon/lib/swagger-ui-3.17.1.jar
Dependency Hierarchy:
Found in HEAD commit: 5cebad47e1787fc42c37ef34fe4d9f3fdc940e7f
Swagger-ui before 3.18.0 is vulnerable to Reverse Tabnabbing. Setting target="_blank" on anchor tags is unsafe unless used in conjunction with the rel="noopener" attribute. Opening a link via the target="_blank" attribute can change the original page, and origin policy restrictions set by the browser can be bypassed.
Publish Date: 2018-08-02
URL: WS-2018-0593
Type: Upgrade version
Origin: swagger-api/swagger-ui#4789
Release Date: 2019-06-17
Fix Resolution: v3.18.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: eeac3ed7a15d1b45b7898f26dd13315117c6b9b6
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.3,2.7.9.7,2.8.11.5,2.9.10.1
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: yang-db/distrib/dragon-dragon/lib/netty-codec-http2-4.1.33.Final.jar,/home/wss-scanner/.m2/repository/io/netty/netty-codec-http2/4.1.33.Final/netty-codec-http2-4.1.33.Final.jar,yang-db/distrib/knowledge-knowledge/lib/netty-codec-http2-4.1.33.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 026001cee931194398d9b8920ee0e6822ec8159f
Some HTTP/2 implementations are vulnerable to a flood of empty frames, potentially leading to a denial of service. The attacker sends a stream of frames with an empty payload and without the end-of-stream flag. These frames can be DATA, HEADERS, CONTINUATION and/or PUSH_PROMISE. The peer spends time processing each frame disproportionate to attack bandwidth. This can consume excess CPU.
Publish Date: 2019-08-13
URL: CVE-2019-9518
Base Score Metrics:
Type: Upgrade version
Origin: https://netty.io/news/2019/08/13/4-1-39-Final.html
Release Date: 2019-08-13
Fix Resolution: io.netty:netty-codec-http2:4.1.39.Final,io.netty:netty-all:4.1.39.Final
logback-core module
Library home page: http://logback.qos.ch
Path to vulnerable library: yang-db/distrib/knowledge-knowledge/lib/logback-core-1.1.7.jar,yang-db/distrib/dragon-dragon/lib/logback-core-1.1.7.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.7/logback-core-1.1.7.jar,canner/.m2/repository/ch/qos/logback/logback-core/1.1.7/logback-core-1.1.7.jar
Dependency Hierarchy:
logback-classic module
Library home page: http://logback.qos.ch
Path to vulnerable library: yang-db/distrib/knowledge-knowledge/lib/logback-classic-1.1.7.jar,/home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.7/logback-classic-1.1.7.jar,canner/.m2/repository/ch/qos/logback/logback-classic/1.1.7/logback-classic-1.1.7.jar,yang-db/distrib/dragon-dragon/lib/logback-classic-1.1.7.jar
Dependency Hierarchy:
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Publish Date: 2017-03-13
URL: CVE-2017-5929
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Release Date: 2017-03-13
Fix Resolution: ch.qos.logback:logback-core:1.2.0;ch.qos.logback:logback-access:1.2.0;ch.qos.logback:logback-classic:1.2.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,canner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Dependency Hierarchy:
Found in HEAD commit: 8dcd29e2d8cc257308f931b9b64970a753ad1f83
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
Apache HttpComponents Client
Path to dependency file: yang-db/fuse-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar
Dependency Hierarchy:
Found in HEAD commit: 5cebad47e1787fc42c37ef34fe4d9f3fdc940e7f
Apache httpclient before 4.5.3 is vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.
Publish Date: 2017-01-21
URL: WS-2017-3734
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Release Date: 2017-01-21
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.3
a JDBC Connection pooling / Statement caching library
Library home page: https://github.com/swaldman/c3p0
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/mchange/c3p0/0.9.5.2/c3p0-0.9.5.2.jar,yang-db/distrib/knowledge-knowledge/lib/c3p0-0.9.5.2.jar,yang-db/distrib/dragon-dragon/lib/c3p0-0.9.5.2.jar
Dependency Hierarchy:
c3p0 0.9.5.2 allows XXE in extractXmlConfigFromInputStream in com/mchange/v2/c3p0/cfg/C3P0ConfigXmlUtils.java during initialization.
Publish Date: 2018-12-24
URL: CVE-2018-20433
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20433
Release Date: 2018-12-24
Fix Resolution: 0.9.5.3
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: yang-db/distrib/knowledge-knowledge/lib/bcprov-jdk14-138.jar,/home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Dependency Hierarchy:
The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.
Publish Date: 2013-02-08
URL: CVE-2013-1624
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-1624
Release Date: 2013-02-08
Fix Resolution: org.bouncycastle:bcprov-jdk15on:1.48;org.bouncycastle:bcprov-jdk14:1.48
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: yang-db/fuse-dv/fuse-dv-stat/pom.xml
Path to vulnerable library: canner/.m2/repository/org/elasticsearch/elasticsearch/6.5.4/elasticsearch-6.5.4.jar,/home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/6.5.4/elasticsearch-6.5.4.jar,yang-db/distrib/dragon-dragon/lib/elasticsearch-6.5.4.jar,yang-db/distrib/knowledge-knowledge/lib/elasticsearch-6.5.4.jar
Dependency Hierarchy:
Found in HEAD commit: 026001cee931194398d9b8920ee0e6822ec8159f
A permission issue was found in Elasticsearch versions before 5.6.15 and 6.6.1 when Field Level Security and Document Level Security are disabled and the _aliases, _shrink, or _split endpoints are used. If the elasticsearch.yml file has xpack.security.dls_fls.enabled set to false, certain permission checks are skipped when users perform one of the actions mentioned above to make existing data available under a new index/alias name. This could result in an attacker gaining additional permissions against a restricted index.
Publish Date: 2019-03-25
URL: CVE-2019-7611
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7611
Release Date: 2019-03-25
Fix Resolution: 5.6.15,6.6.1
H2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /tmp/ws-scm/yang-db/unipop-core/pom.xml
Path to vulnerable library: /root/.m2/repository/com/h2database/h2/1.3.171/h2-1.3.171.jar
Found in HEAD commit: 1abb6fd96dd5c7c87e3bc631fe31360bda6997b7
H2 1.4.197, as used in Datomic before 0.9.5697 and other products, allows remote code execution because CREATE ALIAS can execute arbitrary Java code.
Publish Date: 2018-04-11
URL: CVE-2018-10054
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-10054
Release Date: 2018-04-11
Fix Resolution: 1.4.198
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Found in HEAD commit: 859808989671b065b7e3158e1e5fdb3f65fa59df
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2019-09-15
Fix Resolution: 2.9.10
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to vulnerable library: /yang-db/fuse-service/src/main/resources/public/assets/bigdesk/js/lib/jquery/jquery-1.7.1.min.js
Found in HEAD commit: 4db703cb2d966e7364ff254943ec700a656233d1
jQuery before 2.2.0 is vulnerable to Cross-site Scripting (XSS) attacks via a text/javascript response, resulting in arbitrary code execution.
Publish Date: 2016-11-27
URL: WS-2016-0090
Type: Upgrade version
Origin: jquery/jquery@b078a62
Release Date: 2019-04-08
Fix Resolution: 2.2.0
A modular micro web framework for Java and Kotlin
Library home page: https://github.com/jooby-project/jooby
Path to dependency file: yang-db/fuse-asg/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jooby/jooby/1.6.0/jooby-1.6.0.jar,yang-db/distrib/knowledge-knowledge/lib/jooby-1.6.0.jar,yang-db/distrib/dragon-dragon/lib/jooby-1.6.0.jar
Found in HEAD commit: 9a598c93a911b1566d3c829af17c4b17ac8235a3
Jooby before 1.6.4 has XSS via the default error handler.
Publish Date: 2019-08-23
URL: CVE-2019-15477
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-15477
Release Date: 2019-08-23
Fix Resolution: 1.6.4
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Found in HEAD commit: 10e1a8ac9a1a011545bd05a958c84c67431f8e8b
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution: 2.9.9.2
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to vulnerable library: yang-db/fuse-service/src/main/resources/public/assets/bigdesk/js/lib/jquery/jquery-1.7.1.min.js
Found in HEAD commit: 4db703cb2d966e7364ff254943ec700a656233d1
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Types that extend and augment the Java Collections Framework.
Path to dependency file: yang-db/fuse-dv/fuse-dv-stat/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
Logic-less {{mustache}} templates with JavaScript
Library home page: https://cdnjs.cloudflare.com/ajax/libs/mustache.js/0.5.0-dev/mustache.js
Path to dependency file: yang-db/fuse-service/src/main/resources/public/assets/bigdesk/index.html
Path to vulnerable library: yang-db/fuse-service/src/main/resources/public/assets/bigdesk/js/lib/mustache/mustache.js
Found in HEAD commit: 4db703cb2d966e7364ff254943ec700a656233d1
mustache package before 2.2.1 for Node.js allows remote attackers to conduct cross-site scripting (XSS) attacks by leveraging a template with an attribute that is not quoted.
Publish Date: 2017-01-23
URL: CVE-2015-8862
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-8862
Release Date: 2017-01-23
Fix Resolution: 2.2.1
Elasticsearch subproject :server
Library home page: https://github.com/elastic/elasticsearch
Path to dependency file: yang-db/fuse-dv/fuse-dv-stat/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/elasticsearch/elasticsearch/6.5.4/elasticsearch-6.5.4.jar,yang-db/distrib/dragon-dragon/lib/elasticsearch-6.5.4.jar,yang-db/distrib/knowledge-knowledge/lib/elasticsearch-6.5.4.jar
Found in HEAD commit: 026001cee931194398d9b8920ee0e6822ec8159f
A race condition flaw was found in the response headers that Elasticsearch versions before 7.2.1 and 6.8.2 return to a request. On a system with multiple users submitting requests, it could be possible for an attacker to gain access to a response header containing sensitive data from another user.
Publish Date: 2019-07-30
URL: CVE-2019-7614
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-7614
Release Date: 2019-07-30
Fix Resolution: org.elasticsearch:elasticsearch:6.8.2;org.elasticsearch:elasticsearch:7.2.1
H2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /tmp/ws-scm/yang-db/unipop-core/pom.xml
Path to vulnerable library: /root/.m2/repository/com/h2database/h2/1.3.171/h2-1.3.171.jar
Found in HEAD commit: 1abb6fd96dd5c7c87e3bc631fe31360bda6997b7
An issue was discovered in H2 1.4.197. Insecure handling of permissions in the backup function allows attackers to read sensitive files (outside of their permissions) via a symlink to a fake database file.
Publish Date: 2018-07-24
URL: CVE-2018-14335
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14335
Release Date: 2018-07-24
Fix Resolution: 1.4.198
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.6/jackson-databind-2.9.6.jar,/yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-assembly/target/assembly-fuse-knowledge/lib/jackson-databind-2.9.6.jar
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.9.7
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. The package is organised so that it contains a light-weight API suitable for use in any environment (including the newly released J2ME) with the additional infrastructure to conform the algorithms to the JCE framework.
Library home page: http://www.bouncycastle.org/java.html
Path to vulnerable library: yang-db/distrib/knowledge-knowledge/lib/bcprov-jdk14-138.jar,/home/wss-scanner/.m2/repository/bouncycastle/bcprov-jdk14/138/bcprov-jdk14-138.jar
Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore. All BKS-V1 keystores are vulnerable. Bouncy Castle release 1.47 introduces BKS version 2, which uses a 160-bit MAC.
Publish Date: 2018-04-16
URL: CVE-2018-5382
Type: Upgrade version
Origin: https://vulners.com/cert/VU:306792
Release Date: 2018-04-16
Fix Resolution: org.bouncycastle:bcprov-ext-jdk14:1.47,org.bouncycastle:bcprov-ext-jdk15on:1.47,org.bouncycastle:bcprov-jdk14:1.47
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-dv/fuse-dv-asg/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.30.Final/netty-codec-http-4.1.30.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to dependency file: yang-db/fuse-domain/fuse-domain-dragons/fuse-domain-dragons-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.33.Final/netty-codec-http-4.1.33.Final.jar,yang-db/distrib/knowledge-knowledge/lib/netty-codec-http-4.1.33.Final.jar,yang-db/distrib/dragon-dragon/lib/netty-codec-http-4.1.33.Final.jar
Found in HEAD commit: fb4688fc73077d82b1716f0af8303e34cb1e6d25
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-codec-http:4.1.44
Types that extend and augment the Java Collections Framework.
Path to dependency file: yang-db/fuse-dv/fuse-dv-stat/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
Type: Upgrade version
Release Date: 2015-12-15
Fix Resolution: commons-collections:commons-collections:3.2.2,org.apache.commons:commons-collections4:4.1
Types that extend and augment the Java Collections Framework.
Path to dependency file: yang-db/fuse-dv/fuse-dv-stat/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar,yang-db/distrib/knowledge-knowledge/lib/jackson-databind-2.9.8.jar,yang-db/distrib/dragon-dragon/lib/jackson-databind-2.9.8.jar
Found in HEAD commit: a75de41b318277de56bc8d3f00cddc49de9dfe60
FasterXML jackson-databind 2.x before 2.9.9.1 might allow attackers to have a variety of impacts by leveraging failure to block the logback-core class from polymorphic deserialization. Depending on the classpath content, remote code execution may be possible.
Publish Date: 2019-06-24
URL: CVE-2019-12384
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12384
Release Date: 2019-06-24
Fix Resolution: 2.9.9.1
Enterprise Job Scheduler
Library home page: http://www.quartz-scheduler.org
Path to dependency file: yang-db/fuse-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/quartz-scheduler/quartz/2.3.0/quartz-2.3.0.jar,yang-db/distrib/knowledge-knowledge/lib/quartz-2.3.0.jar,yang-db/distrib/dragon-dragon/lib/quartz-2.3.0.jar
Found in HEAD commit: d1c7fbbe2a3f50d0fbee2b348397618e45d009eb
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Publish Date: 2019-07-26
URL: CVE-2019-13990
Type: Change files
Origin: https://github.com/quartz-scheduler/quartz/releases/tag/v2.3.2
Release Date: 2019-12-05
Fix Resolution: Replace or update the following file: org.quartz-scheduler.internal:quartz-core:2.3.2
The Apache Log4j Implementation
Path to dependency file: yang-db/fuse-dv/fuse-dv-epb/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/logging/log4j/log4j-core/2.7/log4j-core-2.7.jar,yang-db/distrib/dragon-dragon/lib/log4j-core-2.7.jar,yang-db/distrib/knowledge-knowledge/lib/log4j-core-2.7.jar
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Publish Date: 2017-04-17
URL: CVE-2017-5645
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5645
Release Date: 2017-04-17
Fix Resolution: 2.8.2
Types that extend and augment the Java Collections Framework.
Path to dependency file: yang-db/fuse-dv/fuse-dv-stat/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
In Apache Synapse, no authentication is required for Java Remote Method Invocation (RMI) by default, so Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allow remote code execution by injecting specially crafted serialized objects. The presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or an earlier version in the Synapse distribution is what makes this exploitable: those versions ship functor classes (InvokerTransformer and related Transformer implementations) that form a well-known Java deserialization gadget chain. To mitigate the issue, limit RMI access to trusted users only. Upgrading to Synapse 3.0.1, in which Commons Collections has been updated to 3.2.2, removes the risk from that Commons Collections version, since 3.2.2 refuses to deserialize the unsafe functor classes unless explicitly enabled. For a project that merely bundles commons-collections 3.2.1, as this one does, the jar is not exploitable by itself; it becomes a usable gadget only where the application deserializes untrusted Java objects, so audit every ObjectInputStream.readObject call that touches external input and upgrade to 3.2.2 regardless.
Publish Date: 2017-12-11
URL: CVE-2017-15708
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
A JDBC connection pooling / statement caching library
Library home page: https://github.com/swaldman/c3p0
Path to dependency file: yang-db/fuse-domain/fuse-domain-knowledge/fuse-domain-knowledge-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/mchange/c3p0/0.9.5.2/c3p0-0.9.5.2.jar,yang-db/distrib/knowledge-knowledge/lib/c3p0-0.9.5.2.jar,yang-db/distrib/dragon-dragon/lib/c3p0-0.9.5.2.jar
Dependency Hierarchy:
Found in HEAD commit: 74bf5cc3d3c81d0a0e375031db11575a5777206f
c3p0 versions before 0.9.5.4 can be exploited by a billion laughs attack when loading XML configuration, because the XML parser used to read the configuration had no protection against recursive entity expansion. The attack requires that an attacker can influence the c3p0-config.xml (or equivalent) that the application loads; the effect is denial of service through memory and CPU exhaustion, not code execution.
Publish Date: 2019-04-22
URL: CVE-2019-5427
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-5427
Release Date: 2019-04-22
Fix Resolution: com.mchange:c3p0:0.9.5.4
Extensions to the SLF4J API
Library home page: http://www.slf4j.org
Path to dependency file: yang-db/fuse-domain/fuse-domain-dragons/fuse-domain-dragons-test/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/slf4j/slf4j-ext/1.6.3/slf4j-ext-1.6.3.jar,yang-db/distrib/knowledge-knowledge/lib/slf4j-ext-1.6.3.jar,yang-db/distrib/dragon-dragon/lib/slf4j-ext-1.6.3.jar
Dependency Hierarchy:
org.slf4j.ext.EventData in the slf4j-ext module in QOS.CH SLF4J before 1.8.0-beta2 allows remote attackers to bypass intended access restrictions via crafted data. The root cause is that the EventData(String) constructor deserialized its argument with java.beans.XMLDecoder, which can instantiate arbitrary classes and invoke arbitrary methods, so any code path that builds an EventData from untrusted input is exposed to remote code execution. The practical check is whether the application ever constructs EventData from external data; if it does not, the jar is dead weight that should still be upgraded.
Publish Date: 2018-03-20
URL: CVE-2018-8088
Base Score Metrics:
Type: Upgrade version
Origin: qos-ch/slf4j@d2b27fb
Release Date: 2018-03-20
Fix Resolution: org.slf4j:slf4j-ext:1.7.26,1.8.0-beta2
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.9/commons-codec-1.9.jar
Library home page: http://commons.apache.org/proper/commons-codec/
Dependency Hierarchy:
Not all "business" method implementations of the public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by the WhiteSource research team could not identify a clear security vulnerability.
Publish Date: 2007-10-07
URL: WS-2009-0001
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.1/jquery.min.js
Path to vulnerable library: yang-db/fuse-service/src/main/resources/public/assets/bigdesk/js/lib/jquery/jquery-1.7.1.min.js
Dependency Hierarchy:
Found in HEAD commit: 4db703cb2d966e7364ff254943ec700a656233d1
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option: the response type is then inferred from the Content-Type header, so a text/javascript response from the remote host is evaluated as script in the calling page. jQuery 3.0.0 stopped executing cross-domain script responses unless dataType: "script" is given explicitly; on older versions, always pass an explicit dataType (for example "json") rather than letting the server decide how the response is interpreted. Here the affected copy is bundled with the bigdesk assets served from fuse-service.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0