Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Description: Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation.
License:
Day License: http://www.day.com/maven/jsr170/licenses/day-spec-license.htm
File Path: /home/ciagent/.m2/repository/javax/jcr/jcr/1.0.1/jcr-1.0.1.jar MD5: 4639c7b994528948dab1a4feb1f68d6f SHA1: 567ee103cf7592e3cf036e1bf4e2e06b9f08e1a1
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | extension-name | jcr | Medium
Vendor | pom | groupid | javax.jcr | Highest
Vendor | pom | organization name | Day Software Management AG | High
Vendor | pom | name | Content Repository for Java Technology API | High
Vendor | file | name | jcr | High
Vendor | Manifest | specification-vendor | Day Software Management AG | Low
Vendor | pom | organization url | http://www.day.com/ | Medium
Vendor | pom | description | Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation. | Low
Vendor | pom | artifactid | jcr | Low
Vendor | pom | url | http://www.jcp.org/en/jsr/detail?id=170 | Highest
Vendor | Manifest | Implementation-Vendor | Day Software Management AG | High
Product | Manifest | specification-title | Content Repository for Java Technology API | Medium
Product | Manifest | extension-name | jcr | Medium
Product | pom | organization url | http://www.day.com/ | Low
Product | pom | name | Content Repository for Java Technology API | High
Product | pom | url | http://www.jcp.org/en/jsr/detail?id=170 | Medium
Product | file | name | jcr | High
Product | Manifest | Implementation-Title | javax.jcr | High
Product | pom | description | Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation. |
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
Description: The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.
File Path: /home/ciagent/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar MD5: 528445033f22da28f5047b6abcd1c7c9 SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low
Vendor | pom | artifactid | commons-digester | Low
Vendor | central | groupid | commons-digester | Highest
Vendor | pom | url | http://commons.apache.org/digester/ | Highest
Vendor | pom | name | Commons Digester | High
Vendor | manifest | Bundle-Description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.digester | Medium
Vendor | pom | groupid | commons-digester | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | file | name | commons-digester | High
Vendor | pom | parent-artifactid | commons-parent | Low
Product | pom | artifactid | commons-digester | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low
Product | Manifest | specification-title | Commons Digester | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low
Product | Manifest | Bundle-Name | Commons Digester | Medium
Product | central | artifactid | commons-digester | Highest
Product | Manifest | Implementation-Title | Commons Digester | High
Product | pom | groupid | commons-digester | Low
Product | pom | url | http://commons.apache.org/digester/ | Medium
Product | pom | name | Commons Digester | High
Product | manifest | Bundle-Description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. |
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.html
File Path: /home/ciagent/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar MD5: f8f1352c52a4c6a500b597596501fc64 SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | antlr | High
Vendor | pom | artifactid | antlr | Low
Vendor | jar | package name | antlr | Low
Vendor | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | Low
Vendor | central | groupid | antlr | Highest
Vendor | pom | name | AntLR Parser Generator | High
Vendor | pom | groupid | antlr | Highest
Vendor | pom | url | http://www.antlr.org/ | Highest
Product | file | name | antlr | High
Product | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. |
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshalling XML or any supported format, e.g. JSON.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format, e.g. JSON (regression of CVE-2013-7285).
Description: The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Description: The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Description: The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Description: The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
File Path: /home/ciagent/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar MD5: 353cf6a2bdba09595ccfa073b78c7fcb SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | commons-codec | Highest
Vendor | Manifest | bundle-symbolicname | org.apache.commons.codec | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | manifest | Bundle-Description | The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities. | Low
Vendor | file | name | commons-codec | High
Vendor | pom | url | http://commons.apache.org/proper/commons-codec/ | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | artifactid | commons-codec | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Product | Manifest | bundle-symbolicname | org.apache.commons.codec | Medium
Product | manifest | Bundle-Description | The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities. |
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Severity:
Medium
CVSS Score: 5.8
(AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Severity:
High
CVSS Score: 9.3
(AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
Description: Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
Type | Source | Name | Value | Confidence
 |  |  | Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump. | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.compress | Medium
Vendor | pom | groupid | apache.commons | Highest
Vendor | pom | groupid | org.apache.commons | Highest
Vendor | pom | url | http://commons.apache.org/compress/ | Highest
Vendor | pom | name | Commons Compress | High
Vendor | pom | artifactid | commons-compress | Low
Vendor | manifest | Bundle-Description | Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump. | Low
Product | Manifest | bundle-symbolicname | org.apache.commons.compress | Medium
Product | Manifest | Bundle-Name | Commons Compress | Medium
Product | pom | parent-groupid | org.apache.commons | Low
Product | pom | name | Commons Compress | High
Product | pom | url | http://commons.apache.org/compress/ | Medium
Product | manifest | Bundle-Description | Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump. |
Description: The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. If the S/MIME API is used, the JavaMail API and the Java activation framework will also be needed.
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcmail-jdk15/1.45/bcmail-jdk15-1.45.jar MD5: 13321fc7eff7bcada7b4fedfb592025c SHA1: 3aed7e642dd8d39dc14ed1dec3ff79e084637148
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | Bouncy Castle CMS and S/MIME API | High
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | pom | groupid | bouncycastle | Highest
Vendor | pom | artifactid | bcmail-jdk15 | Low
Vendor | Manifest | extension-name | org.bouncycastle.bcmail | Medium
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | central | groupid | org.bouncycastle | Highest
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Vendor | pom | description | The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider ... | Low
Vendor | file | name | bcmail-jdk15 | High
Product | pom | groupid | bouncycastle | Low
Product | pom | name | Bouncy Castle CMS and S/MIME API | High
Product | central | artifactid | bcmail-jdk15 | Highest
Product | pom | description | The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider ... |
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar MD5: 2062f8e3d15748443ea60a94b266371c SHA1: 7741883cb07b4634e8b5fd3337113b6ea770a9bb
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | bcprov-jdk15 | Low
Vendor | pom | description | The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5. | Low
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | pom | groupid | bouncycastle | Highest
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | central | groupid | org.bouncycastle | Highest
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Vendor | pom | name | Bouncy Castle Provider | High
Vendor | file | name | bcprov-jdk15 | High
Product | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Product | pom | groupid | bouncycastle | Low
Product | pom | description | The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5. |
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
File Path: /home/ciagent/.m2/repository/org/ccil/cowan/tagsoup/tagsoup/1.2.1/tagsoup-1.2.1.jar MD5: ae73a52cdcbec10cd61d9ef22fab5936 SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.ccil.cowan.tagsoup | Highest
Vendor | pom | artifactid | tagsoup | Low
Vendor | pom | groupid | ccil.cowan.tagsoup | Highest
Vendor | pom | url | http://home.ccil.org/~cowan/XML/tagsoup/ | Highest
Vendor | file | name | tagsoup | High
Vendor | pom | description | TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML. | Low
Vendor | central | groupid | org.ccil.cowan.tagsoup | Highest
Vendor | pom | name | TagSoup | High
Product | pom | url | http://home.ccil.org/~cowan/XML/tagsoup/ | Medium
Product | central | artifactid | tagsoup | Highest
Product | file | name | tagsoup | High
Product | pom | artifactid | tagsoup | Highest
Product | pom | description | TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML. |
Severity:
Low
CVSS Score: 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.
Description: Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
File Path: /home/ciagent/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar MD5: f807f86d7d9db25edbfc782aca7ca2a9 SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | xercesImpl | High
Vendor | pom | url | http://xerces.apache.org/xerces2-j | Highest
Vendor | pom | groupid | xerces | Highest
Vendor | manifest: org/apache/xerces/xni/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/datatype/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/transform/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xerces/impl/Version.class | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | central | groupid | xerces | Highest
Vendor | manifest: javax/xml/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | artifactid | xercesImpl | Low
Vendor | manifest: org/xml/sax/ | Implementation-Vendor | David Megginson | Medium
Vendor | pom | parent-groupid | org.apache | Medium
Vendor | manifest: javax/xml/validation/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | description | Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. | Low
Vendor | manifest: javax/xml/parsers/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/w3c/dom/ls/ | Implementation-Vendor | World Wide Web Consortium | Medium
Vendor | manifest: org/w3c/dom/ | Implementation-Vendor | World Wide Web Consortium | Medium
Vendor | pom | parent-artifactid | apache | Low
Vendor | pom | name | Xerces2 Java Parser | High
Product | file | name | xercesImpl | High
Product | manifest: org/w3c/dom/ls/ | Specification-Title | Document Object Model, Level 3 Load and Save | Medium
Product | manifest: org/apache/xerces/xni/ | Implementation-Title | org.apache.xerces.xni | Medium
Product | manifest: org/apache/xerces/xni/ | Specification-Title | Xerces Native Interface | Medium
Product | manifest: javax/xml/validation/ | Implementation-Title | javax.xml.validation | Medium
Product | manifest: org/w3c/dom/ | Specification-Title | Document Object Model, Level 3 Core | Medium
Product | manifest: javax/xml/datatype/ | Implementation-Title | javax.xml.datatype | Medium
Product | manifest: javax/xml/validation/ | Specification-Title | Java API for XML Processing | Medium
Product | pom | groupid | xerces | Low
Product | manifest: javax/xml/parsers/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: javax/xml/xpath/ | Implementation-Title | javax.xml.xpath | Medium
Product | central | artifactid | xercesImpl | Highest
Product | manifest: org/w3c/dom/ls/ | Implementation-Title | org.w3c.dom.ls | Medium
Product | pom | artifactid | xercesImpl | Highest
Product | pom | url | http://xerces.apache.org/xerces2-j | Medium
Product | pom | parent-artifactid | apache | Medium
Product | manifest: org/xml/sax/ | Implementation-Title | org.xml.sax | Medium
Product | manifest: org/xml/sax/ | Specification-Title | Simple API for XML | Medium
Product | manifest: org/apache/xerces/impl/Version.class | Implementation-Title | org.apache.xerces.impl.Version | Medium
Product | manifest: javax/xml/parsers/ | Implementation-Title | javax.xml.parsers | Medium
Product | manifest: javax/xml/datatype/ | Specification-Title | Java API for XML Processing | Medium
Product | pom | description | Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. |
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Description: All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
File Path: /home/ciagent/.m2/repository/rome/rome/1.0/rome-1.0.jar MD5: 53d38c030287b939f4e6d745ba1269a7 SHA1: 022b33347f315833e9348cec2751af1a5d5656e4
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | rome | Highest
Vendor | pom | artifactid | rome | Low
Vendor | Manifest | bundle-symbolicname | rome.rome | Medium
Vendor | pom | description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. | Low
Vendor | central | groupid | rome | Highest
Vendor | Manifest | originally-created-by | 1.6.0_10 (Sun Microsystems Inc.) | Low
Vendor | file | name | rome | High
Vendor | manifest | Bundle-Description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. | Low
Vendor | Manifest | bundle-docurl | http://java.sun.com/ | Low
Vendor | pom | name | ROME, RSS and atOM utilitiEs for Java | High
Vendor | Manifest | embed-directory | META-INF/lib | Low
Vendor | pom | organization url | http://java.sun.com/ | Medium
Vendor | pom | organization name | Sun Microsystems | High
Vendor | pom | url | https://rome.dev.java.net/ | Highest
Product | pom | url | https://rome.dev.java.net/ | Medium
Product | pom | organization url | http://java.sun.com/ | Low
Product | Manifest | bundle-symbolicname | rome.rome | Medium
Product | pom | description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. | Low
Product | Manifest | originally-created-by | 1.6.0_10 (Sun Microsystems Inc.) | Low
Product | pom | organization name | Sun Microsystems | Low
Product | Manifest | Bundle-Name | ROME, RSS and atOM utilitiEs for Java | Medium
Product | file | name | rome | High
Product | manifest | Bundle-Description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. |
Description: JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source.
License:
CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php
LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.php
File Path: /home/ciagent/.m2/repository/com/uwyn/jhighlight/1.0/jhighlight-1.0.jar MD5: 0ad5cf1bc56657f5e9e327e5e768da0a SHA1: 0b1774029ee29472df8c25e5ba796431f7689fd6
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | uwyn | Highest |
| Vendor | pom | description | JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source. | Low |
| Vendor | pom | url | https://jhighlight.dev.java.net/ | Highest |
| Vendor | pom | organization name | Uwyn | High |
| Vendor | jar | package name | jhighlight | Low |
| Vendor | central | groupid | com.uwyn | Highest |
| Vendor | pom | groupid | com.uwyn | Highest |
| Vendor | file | name | jhighlight | High |
| Vendor | pom | organization url | http://uwyn.com/ | Medium |
| Vendor | pom | name | JHighlight | High |
| Vendor | jar | package name | uwyn | Low |
| Vendor | pom | artifactid | jhighlight | Low |
| Product | pom | organization url | http://uwyn.com/ | Low |
| Product | pom | url | https://jhighlight.dev.java.net/ | Medium |
| Product | file | name | jhighlight | High |
| Product | pom | organization name | Uwyn | Low |
| Product | pom | description | JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source. | |
Description: This is a small collection of utility classes that allow high performance XML processing based on SAX. Basically, it is assumed that you are using a JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/ws/commons/ws-commons-util/1.0.1/ws-commons-util-1.0.1.jar MD5: 66919d22287ddab742a135da764c2cd6 SHA1: 126e80ff798fece634bc94e61f8be8a8da00be60
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | extension-name | ws-commons-util | Medium |
| Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High |
| Vendor | pom | name | Apache WebServices Common Utilities | High |
| Vendor | pom | groupid | org.apache.ws.commons | Highest |
| Vendor | pom | organization name | Apache Software Foundation | High |
| Vendor | file | name | ws-commons-util | High |
| Vendor | pom | organization url | http://www.apache.org/ | Medium |
| Vendor | pom | url | http://ws.apache.org/commons/util | Highest |
| Vendor | central | groupid | ws-commons-util | High |
| Vendor | pom | groupid | apache.ws.commons | Highest |
| Vendor | pom | artifactid | ws-commons-util | Low |
| Vendor | central | groupid | org.apache.ws.commons | High |
| Vendor | Manifest | specification-vendor | Apache Software Foundation | Low |
| Vendor | pom | description | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | Low |
| Product | pom | organization name | Apache Software Foundation | Low |
| Product | Manifest | extension-name | ws-commons-util | Medium |
| Product | pom | organization url | http://www.apache.org/ | Low |
| Product | pom | name | Apache WebServices Common Utilities | High |
| Product | file | name | ws-commons-util | High |
| Product | central | artifactid | ws-commons-util | High |
| Product | pom | url | http://ws.apache.org/commons/util | Medium |
| Product | Manifest | specification-title | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | Medium |
| Product | Manifest | Implementation-Title | ws-commons-util | High |
| Product | pom | description | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | |
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Description: StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that unlike other engines, it strictly enforces model-view separation. Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors. There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/ciagent/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar MD5: b58ca53e518a92a1991eb63b61917582 SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | stringtemplate | High |
| Vendor | pom | artifactid | stringtemplate | Low |
| Vendor | jar | package name | antlr | Low |
| Vendor | pom | url | http://www.stringtemplate.org | Highest |
| Vendor | jar | package name | language | Low |
| Vendor | pom | description | StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that un... | Low |
| Vendor | central | groupid | org.antlr | Highest |
| Vendor | pom | name | ANTLR StringTemplate | High |
| Vendor | pom | groupid | antlr | Highest |
| Vendor | pom | groupid | org.antlr | Highest |
| Vendor | jar | package name | stringtemplate | Low |
| Product | file | name | stringtemplate | High |
| Product | jar | package name | language | Low |
| Product | pom | url | http://www.stringtemplate.org | Medium |
| Product | pom | description | StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that un... | |
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/ciagent/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | url | http://www.antlr.org | Highest |
| Vendor | file | name | antlr-runtime | High |
| Vendor | pom | name | ANTLR 3 Runtime | High |
| Vendor | pom | groupid | org.antlr | Highest |
| Vendor | Manifest | Implementation-Vendor-Id | org.antlr | Medium |
| Vendor | pom | artifactid | antlr-runtime | Low |
| Vendor | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | Low |
| Vendor | central | groupid | org.antlr | Highest |
| Vendor | pom | parent-groupid | org.antlr | Medium |
| Vendor | Manifest | Implementation-Vendor | ANTLR | High |
| Vendor | pom | groupid | antlr | Highest |
| Vendor | pom | parent-artifactid | antlr-master | Low |
| Product | file | name | antlr-runtime | High |
| Product | pom | name | ANTLR 3 Runtime | High |
| Product | pom | url | http://www.antlr.org | Medium |
| Product | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | |
Description: Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
File Path: /home/ciagent/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar MD5: 4d5c1693079575b362edf41500630bbd SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | groupid | commons-lang | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | pom | name | Commons Lang | High |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | file | name | commons-lang | High |
| Vendor | manifest | Bundle-Description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low |
| Vendor | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low |
| Vendor | pom | description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low |
| Vendor | pom | url | http://commons.apache.org/lang/ | Highest |
| Vendor | pom | groupid | commons-lang | Highest |
| Vendor | central | groupid | org.netbeans.external | High |
| Vendor | pom | artifactid | commons-lang | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Product | pom | name | Commons Lang | High |
| Product | central | artifactid | org-apache-commons-lang | High |
| Product | file | name | commons-lang | High |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | manifest | Bundle-Description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low |
| Product | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low |
| Product | pom | description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | |
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
Description: mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar MD5: 3d4f3e1a96eb79683197f1c8b182f4a6 SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
Referenced In Project/Scope:
eXo PLF:: Calendar Common Statistics:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | name | Mime Detection Utility | High |
| Vendor | Manifest | url | http://www.medsea.eu/mime-util/ | Low |
| Vendor | Manifest | bundle-symbolicname | eu.medsea.mimeutil.mime-util | Medium |
| Vendor | Manifest | bundle-docurl | http://www.medsea.eu | Low |
| Vendor | file | name | mime-util | High |
| Vendor | pom | url | http://www.medsea.eu/mime-util/ | Highest |
| Vendor | pom | organization url | http://www.medsea.eu | Medium |
| Vendor | pom | organization name | Medsea Business Solutions S.L. | High |
| Vendor | pom | groupid | eu.medsea.mimeutil | Highest |
| Vendor | pom | artifactid | mime-util | Low |
| Vendor | manifest | Bundle-Description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low |
| Vendor | pom | description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low |
| Vendor | central | groupid | eu.medsea.mimeutil | Highest |
| Product | pom | name | Mime Detection Utility | High |
| Product | Manifest | url | http://www.medsea.eu/mime-util/ | Low |
| Product | Manifest | bundle-symbolicname | eu.medsea.mimeutil.mime-util | Medium |
| Product | Manifest | bundle-docurl | http://www.medsea.eu | Low |
| Product | file | name | mime-util | High |
| Product | pom | organization url | http://www.medsea.eu | Low |
| Product | Manifest | Bundle-Name | Mime Detection Utility | Medium |
| Product | pom | artifactid | mime-util | Highest |
| Product | central | artifactid | mime-util | Highest |
| Product | manifest | Bundle-Description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low |
| Product | pom | url | http://www.medsea.eu/mime-util/ | Medium |
| Product | pom | groupid | eu.medsea.mimeutil | Low |
| Product | pom | organization name | Medsea Business Solutions S.L. | Low |
| Product | pom | description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | |
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.