yoswein / 789
This project forked from ioana-nicolae/789
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.8.v20171121/jetty-http-9.4.8.v20171121.jar
Dependency Hierarchy:
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Publish Date: 2018-06-26
URL: CVE-2017-7656
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535667
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.2.25.v20180606,9.3.24.v20180605,9.4.11.v20180605
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.8.v20171121/jetty-http-9.4.8.v20171121.jar
Dependency Hierarchy:
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-length headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Publish Date: 2018-06-26
URL: CVE-2017-7658
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7658
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty.aggregate:jetty-client:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606;org.eclipse.jetty:jetty-http:9.4.11.v20180605,9.3.24.v20180605,9.2.25.v20180606
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-databind/blob/master/release-notes/VERSION-2.x
Release Date: 2020-10-20
Fix Resolution: 2.9.10
⛑️ Automatic Remediation is available for this issue
YAML support for the Go language.
Dependency Hierarchy:
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
The Kubernetes API Server component in versions 1.1-1.14, and versions prior to 1.15.10, 1.16.7 and 1.17.3 allows an authorized user who sends malicious YAML payloads to cause the kube-apiserver to consume excessive CPU cycles while parsing YAML.
Publish Date: 2020-04-01
URL: CVE-2019-11254
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/go-yaml/yaml/tree/v2.2.8
Release Date: 2020-04-01
Fix Resolution: v2.2.8
An issue was discovered in net/http in Go 1.11.5. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the second argument to http.NewRequest with \r\n followed by an HTTP header or a Redis command.
Publish Date: 2019-03-13
URL: CVE-2019-9741
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2019-9741
Release Date: 2019-03-13
Fix Resolution: 1.12.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.JNDIConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36188
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2996
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.7,2.8.11.3,2.7.9.5,2.6.7.3
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
⛑️ Automatic Remediation is available for this issue
The Go programming language
Library home page: https://github.com/golang/go.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
Go before 1.14.12 and 1.15.x before 1.15.5 allows Argument Injection.
Publish Date: 2020-11-18
URL: CVE-2020-28367
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
Release Date: 2020-11-18
Fix Resolution: 1.14.12, 1.15.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
⛑️ Automatic Remediation is available for this issue
a web proxy tool
Library home page: https://github.com/XX-net/XX-Net.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/.poetry/lib/poetry/_vendor/py2.7/cryptography/hazmat/backends/openssl/ciphers.py
In the cryptography package before 3.3.2 for Python, certain sequences of update calls to symmetrically encrypt multi-GB values could result in an integer overflow and buffer overflow, as demonstrated by the Fernet class.
Publish Date: 2021-02-07
URL: CVE-2020-36242
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst
Release Date: 2021-02-07
Fix Resolution: cryptography - 3.3.2
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.9.7
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.aoju.bus.proxy.provider.remoting.RmiProvider (aka bus-proxy).
Publish Date: 2020-03-26
URL: CVE-2020-10968
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-10968
Release Date: 2020-03-26
Fix Resolution: jackson-databind-2.9.10.4
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6
⛑️ Automatic Remediation is available for this issue
The Go programming language
Library home page: https://github.com/golang/go.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
Go before 1.14.12 and 1.15.x before 1.15.5 allows Code Injection.
Publish Date: 2020-11-18
URL: CVE-2020-28366
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/NpBGTTmKzpM
Release Date: 2020-11-18
Fix Resolution: 1.14.12, 1.15.5
GNU Compiler Collection (GCC)
Library home page: https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/net/http/fcgi/child.go
Go before 1.14.8 and 1.15.x before 1.15.1 allows XSS because text/html is the default for CGI/FCGI handlers that lack a Content-Type header.
Publish Date: 2020-09-02
URL: CVE-2020-24553
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/8wqlSbkLdPs
Release Date: 2020-08-21
Fix Resolution: 1.15.1,1.14.8
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2460
Release Date: 2019-10-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10
⛑️ Automatic Remediation is available for this issue
The Eclipse Jetty Project
Library home page: http://www.eclipse.org/jetty
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.8.v20171121/jetty-http-9.4.8.v20171121.jar
Dependency Hierarchy:
The core jetty server artifact.
Library home page: http://www.eclipse.org/jetty
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-server/9.4.8.v20171121/jetty-server-9.4.8.v20171121.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Publish Date: 2018-06-26
URL: CVE-2017-7657
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.eclipse.org/bugs/show_bug.cgi?id=535668
Release Date: 2018-06-26
Fix Resolution: org.eclipse.jetty:jetty-server:9.3.24.v20180605,9.4.11.v20180605;org.eclipse.jetty:jetty-http:9.3.24.v20180605,9.4.11.v20180605
The Go programming language
Library home page: https://github.com/golang/go.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/net/http/h2_bundle.go
Some HTTP/2 implementations are vulnerable to ping floods, potentially leading to a denial of service. The attacker sends continual pings to an HTTP/2 peer, causing the peer to build an internal queue of responses. Depending on how efficiently this data is queued, this can consume excess CPU, memory, or both.
Publish Date: 2019-08-13
URL: CVE-2019-9512
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9512
Release Date: 2019-08-13
Fix Resolution: io.netty:netty-codec-http2:4.1.39.Final
Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/encoding/xml/xml.go
encoding/xml in Go before 1.15.9 and 1.16.x before 1.16.1 has an infinite loop if a custom TokenReader (for xml.NewTokenDecoder) returns EOF in the middle of an element. This can occur in the Decode, DecodeElement, or Skip method.
Publish Date: 2021-03-11
URL: CVE-2021-27918
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-announce/c/MfiLYjG-RAw
Release Date: 2021-03-11
Fix Resolution: 1.15.9, 1.16.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Release Date: 2018-02-06
Fix Resolution: 2.8.10,2.9.1
⛑️ Automatic Remediation is available for this issue
Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/crypto/x509/verify.go
canner/goroot/src/crypto/x509/root_windows.go
In Go before 1.13.13 and 1.14.x before 1.14.5, Certificate.Verify may lack a check on the VerifyOptions.KeyUsages EKU requirements (if VerifyOptions.Roots equals nil and the installation is on Windows). Thus, X.509 certificate verification is incomplete.
Publish Date: 2020-07-17
URL: CVE-2020-14039
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14039
Release Date: 2020-07-17
Fix Resolution: 1.13.13,1.14.5
Gogs is a painless self-hosted Git service
Library home page: https://github.com/gogs/gogs.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
In all versions of the package github.com/unknwon/cae/tz, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
Publish Date: 2020-06-23
URL: CVE-2020-7668
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7668
Release Date: 2020-07-07
Fix Resolution: v1.0.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to javax.swing.JEditorPane.
Publish Date: 2020-03-26
URL: CVE-2020-10969
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-10969
Release Date: 2020-03-26
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.6;com.fasterxml.jackson.core:jackson-databind:2.7.9.7
a web proxy tool
Library home page: https://github.com/XX-net/XX-Net.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/.poetry/lib/poetry/_vendor/py3.6/cryptography/hazmat/backends/openssl/rsa.py
python-cryptography 3.2 is vulnerable to Bleichenbacher timing attacks in the RSA decryption API, via timed processing of valid PKCS#1 v1.5 ciphertext.
Publish Date: 2021-01-11
URL: CVE-2020-25659
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-hggm-jpg3-v476
Release Date: 2020-09-17
Fix Resolution: 3.2
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9.2. This occurs when Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the logback jar in the classpath.
Publish Date: 2019-07-30
URL: CVE-2019-14439
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14439
Release Date: 2019-07-30
Fix Resolution: 2.9.9.2
⛑️ Automatic Remediation is available for this issue
GNU Compiler Collection (GCC)
Library home page: https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
Go before 1.14.12 and 1.15.x before 1.15.4 allows Denial of Service.
Publish Date: 2020-11-18
URL: CVE-2020-28362
Base Score Metrics:
Type: Upgrade version
Origin: https://groups.google.com/g/golang-nuts/c/c-ssaaS7RMI
Release Date: 2020-11-18
Fix Resolution: 1.14.12, 1.15.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12023
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.jelly.impl.Embedded (aka commons-jelly).
Publish Date: 2020-04-07
URL: CVE-2020-11620
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11620
Release Date: 2020-04-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4
⛑️ Automatic Remediation is available for this issue
Library home page: https://source.codeaurora.org/quic/lc/aosp/toolchain/gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/encoding/binary/varint.go
Go before 1.13.15 and 14.x before 1.14.7 can have an infinite read loop in ReadUvarint and ReadVarint in encoding/binary via invalid inputs.
Publish Date: 2020-08-06
URL: CVE-2020-16845
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/golang/go/tree/go1.14.7
Release Date: 2020-08-05
Fix Resolution: go1.13.15,go1.14.7
Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
Go before 1.12.11 and 1.3.x before 1.13.2 can panic upon an attempt to process network traffic containing an invalid DSA public key. There are several attack scenarios, such as traffic from a client to a server that verifies client certificates.
Publish Date: 2019-10-24
URL: CVE-2019-17596
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17596
Release Date: 2019-10-24
Fix Resolution: Go-1.12.11,1.13.2
The Go programming language
Library home page: https://github.com/golang/go.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/net/http/h2_bundle.go
Some HTTP/2 implementations are vulnerable to a reset flood, potentially leading to a denial of service. The attacker opens a number of streams and sends an invalid request over each stream that should solicit a stream of RST_STREAM frames from the peer. Depending on how the peer queues the RST_STREAM frames, this can consume excess memory, CPU, or both.
Publish Date: 2019-08-13
URL: CVE-2019-9514
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9514
Release Date: 2019-08-13
Fix Resolution: 7.1.7,8.0.4
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.commons.dbcp2.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-07
URL: CVE-2020-36180
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#3004
Release Date: 2021-01-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
⛑️ Automatic Remediation is available for this issue
The Go programming language
Library home page: https://github.com/golang/go.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/cmd/go/internal/work/action.go
Go before 1.14.14 and 1.15.x before 1.15.7 on Windows is vulnerable to Command Injection and remote code execution when using the "go get" command to fetch modules that make use of cgo (for example, cgo can execute a gcc program from an untrusted download).
Publish Date: 2021-01-26
URL: CVE-2021-3115
Base Score Metrics:
Type: Upgrade version
Origin: https://security-tracker.debian.org/tracker/CVE-2021-3115
Release Date: 2021-01-11
Fix Resolution: go1.14.14,go1.15.7
Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
A security issue has been found in Go. Due to a pre-allocation optimization in zip.NewReader, a malformed archive which indicates it has a significant number of files can cause either a panic or memory exhaustion.
Publish Date: 2021-05-20
URL: CVE-2021-33196
Base Score Metrics:
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.4 mishandles the interaction between serialization gadgets and typing, related to org.springframework.aop.config.MethodLocatingFactoryBean (aka spring-aop).
Publish Date: 2020-04-07
URL: CVE-2020-11619
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11619
Release Date: 2020-04-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.4
⛑️ Automatic Remediation is available for this issue
Library home page: https://source.codeaurora.org/external/ubicom/ubi32-gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/goroot/src/crypto/elliptic/p224.go
In Go before 1.14.14 and 1.15.x before 1.15.7, crypto/elliptic/p224.go can generate incorrect outputs, related to an underflow of the lowest limb during the final complete reduction in the P-224 field.
Publish Date: 2021-01-26
URL: CVE-2021-3114
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1918750
Release Date: 2021-01-11
Fix Resolution: go1.14.14, go1.15.7
GNU Compiler Collection (GCC)
Library home page: https://source.codeaurora.org/external/qoriq/qoriq-yocto-sdk/gcc/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
Go before 1.12.10 and 1.13.x before 1.13.1 allow HTTP Request Smuggling.
Publish Date: 2019-09-30
URL: CVE-2019-16276
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16276
Release Date: 2019-09-30
Fix Resolution: 1.12.10;1.13.1
The Go programming language
Library home page: https://github.com/golang/go.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
Go before 1.13.13 and 1.14.x before 1.14.5 has a data race in some net/http servers, as demonstrated by the httputil.ReverseProxy Handler, because it reads a request body and writes a response at the same time.
Publish Date: 2020-07-17
URL: CVE-2020-15586
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15586
Release Date: 2020-07-17
Fix Resolution: 1.13.13,1.14.5
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x through 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has JDOM 1.x or 2.x jar in the classpath, an attacker can send a specifically crafted JSON message that allows them to read arbitrary local files on the server.
Publish Date: 2019-06-19
URL: CVE-2019-12814
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2341
Release Date: 2019-06-19
Fix Resolution: 2.7.9.6, 2.8.11.4, 2.9.9.1, 2.10.0
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.docx4j.org.apache.xalan.lib.sql.JNDIConnectionPool.
Publish Date: 2021-01-07
URL: CVE-2020-36183
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#3003
Release Date: 2021-01-07
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Publish Date: 2018-02-06
URL: CVE-2017-7525
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-7525
Release Date: 2018-02-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.6.7.1,2.7.9.1,2.8.9
⛑️ Automatic Remediation is available for this issue
Library home page: https://source.codeaurora.org/quic/lc/external/github.com/python/cpython/
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/.poetry/lib/poetry/_vendor/py3.8/urllib3/connection.py
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to org.apache.tomcat.dbcp.dbcp.cpdsadapter.DriverAdapterCPDS.
Publish Date: 2021-01-06
URL: CVE-2020-36181
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#3004
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
⛑️ Automatic Remediation is available for this issue
Gogs is a painless self-hosted Git service
Library home page: https://github.com/gogs/gogs.git
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
canner/gopath/src/github.com/gpmgo/gopm/modules/cae/cae.go
In all versions of the package github.com/unknwon/cae/zip, the ExtractTo function doesn't securely escape file paths in zip archives which include leading or non-leading "..". This allows an attacker to add or replace files system-wide.
Publish Date: 2020-06-23
URL: CVE-2020-7664
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7664
Release Date: 2020-07-07
Fix Resolution: v1.0.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.10.8 mishandles the interaction between serialization gadgets and typing, related to com.newrelic.agent.deps.ch.qos.logback.core.db.DriverManagerConnectionSource.
Publish Date: 2021-01-06
URL: CVE-2020-36189
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2996
Release Date: 2021-01-06
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.9.10.8
⛑️ Automatic Remediation is available for this issue
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy:
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/00/b6/9cfa56b4081ad13874b0c6f96af8ce16cfbc1cb06bedf8e9164ce5551ec1/pip-19.3.1-py2.py3-none-any.whl
Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.3.1-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
** DISPUTED ** An issue was discovered in pip (all versions) because it installs the version with the highest version number, even if the user had intended to obtain a private package from a private index. This only affects use of the --extra-index-url option, and exploitation requires that the package does not already exist in the public index (and thus the attacker can put the package there with an arbitrary version number). NOTE: it has been reported that this is intended functionality and the user is responsible for using --extra-index-url securely.
Publish Date: 2020-05-08
URL: CVE-2018-20225
Base Score Metrics:
The PyPA recommended tool for installing Python packages.
Library home page: https://files.pythonhosted.org/packages/5c/e0/be401c003291b56efc55aeba6a80ab790d3d4cece2778288d65323009420/pip-19.1.1-py2.py3-none-any.whl
Path to vulnerable library: canner/.poetry/lib/poetry/_vendor/py2.7/virtualenv_support/pip-19.1.1-py2.py3-none-any.whl
Dependency Hierarchy:
Found in HEAD commit: c06e1c927da2ac15e6f35ca3b161d3f575039a28
Found in base branch: master
The pip package before 19.2 for Python allows Directory Traversal when a URL is given in an install command, because a Content-Disposition header can have ../ in a filename, as demonstrated by overwriting the /root/.ssh/authorized_keys file. This occurs in _download_http_url in _internal/download.py.
Publish Date: 2020-09-04
URL: CVE-2019-20916
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20916
Release Date: 2020-09-04
Fix Resolution: 19.2
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
Base Score Metrics:
Type: Upgrade version
Origin: FasterXML/jackson-databind#2032
Release Date: 2019-03-17
Fix Resolution: jackson-databind-2.9.6
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: 789/rename/pom.xml
Path to vulnerable library: er/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.8/jackson-databind-2.8.8.jar
Dependency Hierarchy:
Found in HEAD commit: 3b99e6a32ca3b5ad7dd8008dfbdd6528692235f4
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1
⛑️ Automatic Remediation is available for this issue