Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: eXo PLF:: Calendar Common Statistics

org.exoplatform.calendar:calendar-statistics:5.3.x-SNAPSHOT

Scan Information (show all):

Display: Showing Vulnerable Dependencies (click to show all)

Dependency CPE Coordinates Highest Severity CVE Count CPE Confidence Evidence Count
aspectjrt-1.8.8.jar org.aspectj:aspectjrt:1.8.8    0 21
jcr-1.0.1.jar cpe:/a:content_project:content:1.0.1 javax.jcr:jcr:1.0.1 Medium 1 Low 25
commons-chain-1.2.jar commons-chain:commons-chain:1.2    0 34
commons-digester-2.1.jar commons-digester:commons-digester:2.1    0 34
exo.kernel.component.command-5.3.x-SNAPSHOT.jar org.exoplatform.kernel:exo.kernel.component.command:5.3.x-SNAPSHOT   0 22
quartz-2.2.2.jar org.quartz-scheduler:quartz:2.2.2    0 43
mail-1.4.7.jar cpe:/a:sun:javamail:1.4.7 javax.mail:mail:1.4.7    0 Low 41
commons-dbcp-1.4.jar commons-dbcp:commons-dbcp:1.4    0 34
commons-pool-1.6.jar commons-pool:commons-pool:1.6    0 36
exo.kernel.component.common-5.3.x-SNAPSHOT.jar org.exoplatform.kernel:exo.kernel.component.common:5.3.x-SNAPSHOT   0 24
exo.kernel.component.cache-5.3.x-SNAPSHOT.jar org.exoplatform.kernel:exo.kernel.component.cache:5.3.x-SNAPSHOT   0 22
exo.core.component.security.core-5.3.x-SNAPSHOT.jar org.exoplatform.core:exo.core.component.security.core:5.3.x-SNAPSHOT   0 22
antlr-2.7.7.jar antlr:antlr:2.7.7    0 18
dom4j-1.6.1.jar cpe:/a:dom4j_project:dom4j:1.6.1 dom4j:dom4j:1.6.1  Medium 1 Highest 31
hibernate-jpa-2.0-api-1.0.1.Final.jar org.hibernate.javax.persistence:hibernate-jpa-2.0-api:1.0.1.Final    0 26
jboss-logging-annotations-1.2.0.Beta1.jar org.jboss.logging:jboss-logging-annotations:1.2.0.Beta1    0 30
hibernate-commons-annotations-4.0.5.Final.jar org.hibernate.common:hibernate-commons-annotations:4.0.5.Final    0 30
hibernate-core-4.2.21.Final.jar org.hibernate:hibernate-core:4.2.21.Final    0 32
xstream-1.4.10.jar cpe:/a:xstream_project:xstream:1.4.10 com.thoughtworks.xstream:xstream:1.4.10  High 2 Highest 53
exo.core.component.organization.api-5.3.x-SNAPSHOT.jar cpe:/a:api-platform:core:5.3 org.exoplatform.core:exo.core.component.organization.api:5.3.x-SNAPSHOT   0 Low 22
commons-io-2.4.jar commons-io:commons-io:2.4    0 36
fontbox-1.8.14.jar cpe:/a:apache:pdfbox:1.8.14 org.apache.pdfbox:fontbox:1.8.14  Medium 2 Highest 37
jempbox-1.8.14.jar cpe:/a:apache:pdfbox:1.8.14 org.apache.pdfbox:jempbox:1.8.14  Medium 2 Highest 35
pdfbox-1.8.14.jar cpe:/a:apache:pdfbox:1.8.14 org.apache.pdfbox:pdfbox:1.8.14  Medium 2 Highest 35
htmllexer-2.1.jar org.htmlparser:htmllexer:2.1    0 23
htmlparser-2.1.jar org.htmlparser:htmlparser:2.1    0 23
commons-codec-1.10.jar commons-codec:commons-codec:1.10    0 38
poi-3.13.jar cpe:/a:apache:poi:3.13 org.apache.poi:poi:3.13  High 2 Highest 28
tika-core-1.5.jar cpe:/a:apache:tika:1.5 org.apache.tika:tika-core:1.5  High 8 Highest 33
vorbis-java-core-0.1-tests.jar org.gagravarr:vorbis-java-core:0.1    0 23
vorbis-java-tika-0.1.jar cpe:/a:apache:tika:0.1 org.gagravarr:vorbis-java-tika:0.1  High 6 Highest 23
netcdf-4.2-min.jar edu.ucar:netcdf:4.2-min    0 21
apache-mime4j-core-0.7.2.jar cpe:/a:apache:james:0.7.2 org.apache.james:apache-mime4j-core:0.7.2    0 Low 33
xz-1.2.jar cpe:/a:tukaani:xz:1.2 org.tukaani:xz:1.2  Medium 1 Low 27
commons-compress-1.5.jar cpe:/a:apache:commons_compress:1.5
cpe:/a:apache:commons-compress:1.5
org.apache.commons:commons-compress:1.5    0 Low 39
bcmail-jdk15-1.45.jar cpe:/a:no-cms_project:no-cms:1.45 org.bouncycastle:bcmail-jdk15:1.45    0 Low 24
bcprov-jdk15-1.45.jar cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.45
cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.45
org.bouncycastle:bcprov-jdk15:1.45  Medium 1 Low 24
tagsoup-1.2.1.jar org.ccil.cowan.tagsoup:tagsoup:1.2.1    0 18
asm-debug-all-4.1.jar org.ow2.asm:asm-debug-all:4.1    0 28
isoparser-1.0-RC-1.jar cpe:/a:boxes_project:boxes:7.x-1.0 com.googlecode.mp4parser:isoparser:1.0-RC-1  Low 1 Highest 24
xmpcore-5.1.2.jar com.adobe.xmp:xmpcore:5.1.2    0 30
xercesImpl-2.9.1.jar cpe:/a:apache:xerces2_java:2.9.1 xerces:xercesImpl:2.9.1  High 1 Low 50
metadata-extractor-2.6.2.jar com.drewnoakes:metadata-extractor:2.6.2    0 21
rome-1.0.jar rome:rome:1.0    0 32
vorbis-java-core-0.1.jar org.gagravarr:vorbis-java-core:0.1    0 21
juniversalchardet-1.0.3.jar org.zenframework.z8.dependencies.commons:juniversalchardet-1.0.3:2.0    0 27
jhighlight-1.0.jar com.uwyn:jhighlight:1.0    0 25
xmlbeans-2.6.0.jar org.apache.xmlbeans:xmlbeans:2.6.0    0 24
exo.core.component.document-5.3.x-SNAPSHOT.jar org.exoplatform.core:exo.core.component.document:5.3.x-SNAPSHOT   0 22
exo.core.component.database-5.3.x-SNAPSHOT.jar org.exoplatform.core:exo.core.component.database:5.3.x-SNAPSHOT   0 22
lucene-core-3.6.2.jar org.apache.lucene:lucene-core:3.6.2    0 26
lucene-analyzers-3.6.2.jar org.apache.lucene:lucene-analyzers:3.6.2    0 26
lucene-spellchecker-3.6.2.jar org.apache.lucene:lucene-spellchecker:3.6.2    0 26
jta-1.1.jar javax.transaction:transaction-api:1.1    0 22
concurrent-1.3.4.jar concurrent:concurrent:1.3.4    0 23
commons-collections-3.2.2.jar cpe:/a:apache:commons_collections:3.2.2 commons-collections:commons-collections:3.2.2    0 Low 40
jgroups-3.6.13.Final.jar org.jgroups:jgroups:3.6.13.Final    0 32
jbossjta-4.16.6.Final.jar org.jboss.jbossts:jbossjta:4.16.6.Final    0 22
ws-commons-util-1.0.1.jar cpe:/a:ws_project:ws:1.0.1 ws-commons-util:ws-commons-util:1.0.1  Medium 1 Low 30
jboss-common-core-2.2.22.GA.jar org.jboss:jboss-common-core:2.2.22.GA    0 30
stringtemplate-3.2.1.jar org.antlr:stringtemplate:3.2.1    0 23
antlr-runtime-3.5.jar org.antlr:antlr-runtime:3.5    0 26
jboss-logging-3.3.0.Final.jar org.jboss.logging:jboss-logging:3.3.0.Final    0 44
commons-lang-2.6.jar org.netbeans.external:org-apache-commons-lang:RELEASE90    0 34
exo.kernel.component.ext.cache.impl.infinispan.v8-5.3.x-SNAPSHOT.jar cpe:/a:infinispan:infinispan:5.3.0 org.exoplatform.kernel:exo.kernel.component.ext.cache.impl.infinispan.v8:5.3.x-SNAPSHOT Medium 3 Highest 22
jboss-marshalling-osgi-2.0.0.Beta3.jar org.jboss.marshalling:jboss-marshalling-osgi:2.0.0.Beta3    0 29
infinispan-core-8.2.6.Final.jar cpe:/a:infinispan:infinispan:8.2.6 org.infinispan:infinispan-core:8.2.6.Final  Medium 3 Highest 35
exo.jcr.component.core-5.3.x-SNAPSHOT.jar org.exoplatform.jcr:exo.jcr.component.core:5.3.x-SNAPSHOT   0 24
mime-util-2.1.3.jar eu.medsea.mimeutil:mime-util:2.1.3    0 30
jakarta-regexp-1.4.jar jakarta-regexp:jakarta-regexp:1.4    0 14
xpp3-1.1.6.jar org.ogce:xpp3:1.1.6    0 24
jcl-over-slf4j-1.7.18.jar org.slf4j:jcl-over-slf4j:1.7.18    0 31
slf4j-api-1.7.18.jar org.slf4j:slf4j-api:1.7.18    0 31
exo.kernel.commons-5.3.x-SNAPSHOT.jar org.exoplatform.kernel:exo.kernel.commons:5.3.x-SNAPSHOT   0 22
commons-beanutils-1.8.3.jar cpe:/a:apache:commons_beanutils:1.8.3 commons-beanutils:commons-beanutils:1.8.3  High 2 Low 34
common-logging-2.2.2.Final.jar org.gatein.common:common-logging:2.2.2.Final    0 31
common-common-2.2.2.Final.jar org.gatein.common:common-common:2.2.2.Final    0 31
wci-wci-5.3.x-SNAPSHOT.jar org.exoplatform.gatein.wci:wci-wci:5.3.x-SNAPSHOT   0 27
jibx-run-1.2.6.jar org.jibx:jibx-run:1.2.6    0 29
javax.inject-1.jar javax.inject:javax.inject:1    0 20
jsr250-api-1.0.jar javax.annotation:jsr250-api:1.0    0 20
cdi-api-1.0-SP4.jar javax.enterprise:cdi-api:1.0-SP4    0 31
exo.kernel.container-5.3.x-SNAPSHOT.jar org.exoplatform.kernel:exo.kernel.container:5.3.x-SNAPSHOT   0 22
jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling/pom.xml org.jboss.marshalling:jboss-marshalling:2.0.0.Beta3   0 13
jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-river/pom.xml org.jboss.marshalling:jboss-marshalling-river:2.0.0.Beta3   0 13
jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-serial/pom.xml org.jboss.marshalling:jboss-marshalling-serial:2.0.0.Beta3   0 13

Dependencies

aspectjrt-1.8.8.jar

Description: The runtime needed to execute a program using AspectJ

License:

Eclipse Public License - v 1.0: http://www.eclipse.org/legal/epl-v10.html
File Path: /home/ciagent/.m2/repository/org/aspectj/aspectjrt/1.8.8/aspectjrt-1.8.8.jar
MD5: 2e448cd7ae0bdc357cb2b6e892ba9c9d
SHA1: 7c5b26f24375685e34a50c2d765ebc40a96a5280
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jcr-1.0.1.jar

Description: Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation.

License:

Day License: http://www.day.com/maven/jsr170/licenses/day-spec-license.htm
File Path: /home/ciagent/.m2/repository/javax/jcr/jcr/1.0.1/jcr-1.0.1.jar
MD5: 4639c7b994528948dab1a4feb1f68d6f
SHA1: 567ee103cf7592e3cf036e1bf4e2e06b9f08e1a1
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • cpe: cpe:/a:content_project:content:1.0.1   Confidence:Low   
  • maven: javax.jcr:jcr:1.0.1   Confidence:High

CVE-2017-16111  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.

Vulnerable Software & Versions:

commons-chain-1.2.jar

Description:  An implementation of the GoF Chain of Responsibility pattern

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-chain/commons-chain/1.2/commons-chain-1.2.jar
MD5: e18e2c87826644e4c8c08635572c154f
SHA1: 744a13e8766e338bd347b6fbc28c6db12979d0c6
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

commons-digester-2.1.jar

Description:  The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar
MD5: 528445033f22da28f5047b6abcd1c7c9
SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

exo.kernel.component.command-5.3.x-SNAPSHOT.jar

Description: Implementation of Command Service of Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.command/5.3.x-SNAPSHOT/exo.kernel.component.command-5.3.x-SNAPSHOT.jar
MD5: 1a7dd2ecb3c1cd5a72142791636c598a
SHA1: 4cd3e62eb5fa7e9a45503127329e089823129afa
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.kernel:exo.kernel.component.command:5.3.x-SNAPSHOT   Confidence:High

quartz-2.2.2.jar

Description: Enterprise Job Scheduler

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
Apache Software License, Version 2.0
File Path: /home/ciagent/.m2/repository/org/quartz-scheduler/quartz/2.2.2/quartz-2.2.2.jar
MD5: 6acfd6ada2f4ad0abf4de916654dcaea
SHA1: 6fd24da6803ab7c3a08bc519a62219a9bebeb0df
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

mail-1.4.7.jar

Description: JavaMail API (compat)

License:

http://www.sun.com/cddl, https://glassfish.java.net/public/CDDL+GPL_1_1.html
File Path: /home/ciagent/.m2/repository/javax/mail/mail/1.4.7/mail-1.4.7.jar
MD5: 77f53ff0c78ba43c4812ecc9f53e20f8
SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

commons-dbcp-1.4.jar

Description: Commons Database Connection Pooling

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-dbcp/commons-dbcp/1.4/commons-dbcp-1.4.jar
MD5: b004158fab904f37f5831860898b3cd9
SHA1: 30be73c965cc990b153a100aaaaafcf239f82d39
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:runtime

Identifiers

commons-pool-1.6.jar

Description: Commons Object Pooling Library

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar
MD5: 5ca02245c829422176d23fa530e919cc
SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:runtime

Identifiers

exo.kernel.component.common-5.3.x-SNAPSHOT.jar

Description: Implementation of Common Service of Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.common/5.3.x-SNAPSHOT/exo.kernel.component.common-5.3.x-SNAPSHOT.jar
MD5: d6b89bb676ad571d7966948e2703b45d
SHA1: f9d16a5bfdc94c5624a028e3c29e580efb53b9ca
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.kernel:exo.kernel.component.common:5.3.x-SNAPSHOT   Confidence:High

exo.kernel.component.cache-5.3.x-SNAPSHOT.jar

Description: Implementation of Cache Service of Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.cache/5.3.x-SNAPSHOT/exo.kernel.component.cache-5.3.x-SNAPSHOT.jar
MD5: d246da05cfe23217bb9ec089e25edf65
SHA1: 26e5d60fdb52a55b953749ae88f0bf9992a313f7
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.kernel:exo.kernel.component.cache:5.3.x-SNAPSHOT   Confidence:High

exo.core.component.security.core-5.3.x-SNAPSHOT.jar

Description: Implementation of 'eXo Security' component of Exoplatform SAS 'eXo Core' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.security.core/5.3.x-SNAPSHOT/exo.core.component.security.core-5.3.x-SNAPSHOT.jar
MD5: 071993a644f6709e1c5a36f6f093633e
SHA1: c5246451a7c9a95dbabcfe7495c6231e4ae9b849
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.core:exo.core.component.security.core:5.3.x-SNAPSHOT   Confidence:High

antlr-2.7.7.jar

Description:  A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

License:

BSD License: http://www.antlr.org/license.html
File Path: /home/ciagent/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar
MD5: f8f1352c52a4c6a500b597596501fc64
SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

dom4j-1.6.1.jar

Description: dom4j: the flexible XML framework for Java

File Path: /home/ciagent/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
MD5: 4d8f51d3fe3900efc6e395be48030d6d
SHA1: 5d3ccc056b6f056dbf0dddfdf43894b9065a8f94
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2018-1000632  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)

dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.

Vulnerable Software & Versions: (show all)

hibernate-jpa-2.0-api-1.0.1.Final.jar

Description:  Hibernate definition of the Java Persistence 2.0 (JSR 317) API.

License:

license.txt
File Path: /home/ciagent/.m2/repository/org/hibernate/javax/persistence/hibernate-jpa-2.0-api/1.0.1.Final/hibernate-jpa-2.0-api-1.0.1.Final.jar
MD5: d7e7d8f60fc44a127ba702d43e71abec
SHA1: 3306a165afa81938fc3d8a0948e891de9f6b192b
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jboss-logging-annotations-1.2.0.Beta1.jar

File Path: /home/ciagent/.m2/repository/org/jboss/logging/jboss-logging-annotations/1.2.0.Beta1/jboss-logging-annotations-1.2.0.Beta1.jar
MD5: 938e552e319015a8863dd91284aada54
SHA1: 2f437f37bb265d9f8f1392823dbca12d2bec06d6
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

hibernate-commons-annotations-4.0.5.Final.jar

Description: Common reflection code used in support of annotation processing

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/ciagent/.m2/repository/org/hibernate/common/hibernate-commons-annotations/4.0.5.Final/hibernate-commons-annotations-4.0.5.Final.jar
MD5: 5dadbafd7c7bc1168c10a2ba87e927a2
SHA1: 2a581b9edb8168e45060d8bad8b7f46712d2c52c
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

hibernate-core-4.2.21.Final.jar

Description: A module of the Hibernate O/RM project

License:

GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/ciagent/.m2/repository/org/hibernate/hibernate-core/4.2.21.Final/hibernate-core-4.2.21.Final.jar
MD5: 492567c1f36fb3a5968ca2d3c452edaf
SHA1: bb587d00287c13d9e4324bc76c13abbd493efa81
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

xstream-1.4.10.jar

Description: XStream is a serialization library from Java objects to XML and back.

License:

http://x-stream.github.io/license.html
File Path: /home/ciagent/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar
MD5: d00eec778910f95b26201395ac64cca0
SHA1: dfecae23647abc9d9fd0416629a4213a3882b101
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2013-7285  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Vulnerable Software & Versions: (show all)

CVE-2019-10173  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

It was found that xstream API version 1.4.10 before 1.4.11 introduced a regression for a previous deserialization flaw. If the security framework has not been initialized, it may allow a remote attacker to run arbitrary shell commands when unmarshalling XML or any supported format. e.g. JSON. (regression of CVE-2013-7285)

Vulnerable Software & Versions:

exo.core.component.organization.api-5.3.x-SNAPSHOT.jar

Description: API of Organization Service of Exoplatform SAS 'eXo Core' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.organization.api/5.3.x-SNAPSHOT/exo.core.component.organization.api-5.3.x-SNAPSHOT.jar
MD5: a322059283b3d334deaf17f6206a0fb7
SHA1: f50faa1d5facbc878c883845e348483c487a4629
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • cpe: cpe:/a:api-platform:core:5.3   Confidence:Low   
  • maven: org.exoplatform.core:exo.core.component.organization.api:5.3.x-SNAPSHOT   Confidence:High

commons-io-2.4.jar

Description:  The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

fontbox-1.8.14.jar

Description:  The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/pdfbox/fontbox/1.8.14/fontbox-1.8.14.jar
MD5: 901640f7e2bd12508ae4a7cccba3df79
SHA1: 9c7caec614a6a132bedc83f1d6d247bb96ca0df3
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2018-11797  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Vulnerable Software & Versions: (show all)

CVE-2018-8036  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.

Vulnerable Software & Versions: (show all)

jempbox-1.8.14.jar

Description:  The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM) specification. JempBox is a subproject of Apache PDFBox.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/pdfbox/jempbox/1.8.14/jempbox-1.8.14.jar
MD5: 393135759731daf4e301903b3de2fbbb
SHA1: 7f94c7cd4efc21e78729436cc4cf0c09eeea0f38
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2018-11797  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Vulnerable Software & Versions: (show all)

CVE-2018-8036  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.

Vulnerable Software & Versions: (show all)

pdfbox-1.8.14.jar

Description:  The Apache PDFBox library is an open source Java tool for working with PDF documents.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/pdfbox/pdfbox/1.8.14/pdfbox-1.8.14.jar
MD5: c90740e185fc2f8013d1119f509ea4f3
SHA1: 7550298240c8540b721733ede6dc88fcf4fa2b0f
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2018-11797  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Vulnerable Software & Versions: (show all)

CVE-2018-8036  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-400 Uncontrolled Resource Consumption ('Resource Exhaustion')

In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.

Vulnerable Software & Versions: (show all)

htmllexer-2.1.jar

Description: HTML Lexer is the low level lexical analyzer.

File Path: /home/ciagent/.m2/repository/org/htmlparser/htmllexer/2.1/htmllexer-2.1.jar
MD5: 1cb7184766a0c52f4d98d671bb08be19
SHA1: 2ebf2c073e649b7e674cddd0558ff102a486402f
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

htmlparser-2.1.jar

Description: HTML Parser is the high level syntactical analyzer.

File Path: /home/ciagent/.m2/repository/org/htmlparser/htmlparser/2.1/htmlparser-2.1.jar
MD5: aa05b921026c228f92ef8b4a13c26f8d
SHA1: c752e5984b7767533cbd3fdffa48cecb52fa226c
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

commons-codec-1.10.jar

Description:  The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

poi-3.13.jar

Description: Apache POI - Java API To Access Microsoft Format Files

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/poi/poi/3.13/poi-3.13.jar
MD5: 1b43f32e2211546040597a9e2d07b869
SHA1: 0f59f504ba8c521e61e25f417ec652fd485010f3
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2016-5000  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Vulnerable Software & Versions:

CVE-2017-5644  

Severity: High
CVSS Score: 7.1 (AV:N/AC:M/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Vulnerable Software & Versions:

tika-core-1.5.jar

Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/tika/tika-core/1.5/tika-core-1.5.jar
MD5: e864bf637f51283dc525087b015d7b1a
SHA1: 194ca0fb3d73b07737524806fbc3bec89063c03a
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2016-6809  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Vulnerable Software & Versions:

CVE-2018-11761  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

Vulnerable Software & Versions: (show all)

CVE-2018-11762  

Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')

In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.

Vulnerable Software & Versions: (show all)

CVE-2018-11796  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

Vulnerable Software & Versions: (show all)

CVE-2018-1335  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Vulnerable Software & Versions: (show all)

CVE-2018-1338  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions: (show all)

CVE-2018-1339  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions: (show all)

CVE-2018-8017  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

In Apache Tika 1.2 to 1.18, a carefully crafted file can trigger an infinite loop in the IptcAnpaParser.

Vulnerable Software & Versions: (show all)

vorbis-java-core-0.1-tests.jar

File Path: /home/ciagent/.m2/repository/org/gagravarr/vorbis-java-core/0.1/vorbis-java-core-0.1-tests.jar
MD5: d58f076c08a917277d03f3417aa867a6
SHA1: c849979e199d8a7c3da1a00799c623c00f94efac
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:test,provided

Identifiers

vorbis-java-tika-0.1.jar

File Path: /home/ciagent/.m2/repository/org/gagravarr/vorbis-java-tika/0.1/vorbis-java-tika-0.1.jar
MD5: 1fccc6796a0924ba4f32eb1d44b8616b
SHA1: 6966c8663a7f689021accb13cceaa6101f53ea3d
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2016-6809  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.

Vulnerable Software & Versions:

CVE-2018-11761  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.

Vulnerable Software & Versions: (show all)

CVE-2018-11796  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.

Vulnerable Software & Versions: (show all)

CVE-2018-1335  

Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')

From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.

Vulnerable Software & Versions: (show all)

CVE-2018-1338  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's BPGParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions: (show all)

CVE-2018-1339  

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-399 Resource Management Errors

A carefully crafted (or fuzzed) file can trigger an infinite loop in Apache Tika's ChmParser in versions of Apache Tika before 1.18.

Vulnerable Software & Versions: (show all)

netcdf-4.2-min.jar

Description: The NetCDF-Java Library is a Java interface to NetCDF files, as well as to many other types of scientific data formats.

License:

(MIT-style) netCDF C library license.: http://www.unidata.ucar.edu/software/netcdf/copyright.html
File Path: /home/ciagent/.m2/repository/edu/ucar/netcdf/4.2-min/netcdf-4.2-min.jar
MD5: eb00b40b0511f0fc1dfcfc9cb89e3c53
SHA1: 0f3c3f3db4c54483aa1fbc4497e300879ce24da1
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

apache-mime4j-core-0.7.2.jar

Description: Java stream based MIME message parser

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/james/apache-mime4j-core/0.7.2/apache-mime4j-core-0.7.2.jar
MD5: 88f799546eca803c53eee01a4ce5edcd
SHA1: a81264fe0265ebe8fd1d8128aad06dc320de6eef
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

xz-1.2.jar

Description: XZ data compression

License:

Public Domain
File Path: /home/ciagent/.m2/repository/org/tukaani/xz/1.2/xz-1.2.jar
MD5: 04bd31459826c30c2a3c304e3b225ad4
SHA1: bfc66dda280a18ab341b5023248925265c00394c
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.tukaani:xz:1.2    Confidence:Highest
  • cpe: cpe:/a:tukaani:xz:1.2   Confidence:Low   

CVE-2015-4035  

Severity: Medium
CVSS Score: 4.6 (AV:L/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.

Vulnerable Software & Versions:

commons-compress-1.5.jar

Description:  Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/commons/commons-compress/1.5/commons-compress-1.5.jar
MD5: 5e18cfcf472548c2e0b90a4ea1cedf42
SHA1: d2bd2c0bd328f1dabdf33e10b6d223ebcbe93343
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • cpe: cpe:/a:apache:commons_compress:1.5   Confidence:Low   
  • maven: org.apache.commons:commons-compress:1.5    Confidence:Highest
  • cpe: cpe:/a:apache:commons-compress:1.5   Confidence:Low   

bcmail-jdk15-1.45.jar

Description: The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. If the S/MIME API is used, the JavaMail API and the Java activation framework will also be needed.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcmail-jdk15/1.45/bcmail-jdk15-1.45.jar
MD5: 13321fc7eff7bcada7b4fedfb592025c
SHA1: 3aed7e642dd8d39dc14ed1dec3ff79e084637148
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

bcprov-jdk15-1.45.jar

Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

License:

Bouncy Castle Licence: http://www.bouncycastle.org/licence.html
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar
MD5: 2062f8e3d15748443ea60a94b266371c
SHA1: 7741883cb07b4634e8b5fd3337113b6ea770a9bb
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • cpe: cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.45   Confidence:Low   
  • maven: org.bouncycastle:bcprov-jdk15:1.45    Confidence:Highest
  • cpe: cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.45   Confidence:Low   

CVE-2015-7940  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues

The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Vulnerable Software & Versions: (show all)

tagsoup-1.2.1.jar

Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/ccil/cowan/tagsoup/tagsoup/1.2.1/tagsoup-1.2.1.jar
MD5: ae73a52cdcbec10cd61d9ef22fab5936
SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

asm-debug-all-4.1.jar

File Path: /home/ciagent/.m2/repository/org/ow2/asm/asm-debug-all/4.1/asm-debug-all-4.1.jar
MD5: 6c3a8842f484dd3d620002b361e3610e
SHA1: dd6ba5c392d4102458494e29f54f70ac534ec2a2
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

isoparser-1.0-RC-1.jar

Description: A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...)

License:

Apache 2: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/com/googlecode/mp4parser/isoparser/1.0-RC-1/isoparser-1.0-RC-1.jar
MD5: b0444fde2290319c9028564c3c3ff1ab
SHA1: 4a5768b1070b9488a433362d736720fd7a7b264f
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2013-0259  

Severity: Low
CVSS Score: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.

Vulnerable Software & Versions: (show all)

xmpcore-5.1.2.jar

Description:  The XMP Library for Java is based on the C++ XMPCore library and the API is similar.

License:

The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html
File Path: /home/ciagent/.m2/repository/com/adobe/xmp/xmpcore/5.1.2/xmpcore-5.1.2.jar
MD5: 0b2cf2a09d32abdedd17de864e93ad25
SHA1: 55615fa2582424e38705487d1d3969af8554f637
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

xercesImpl-2.9.1.jar

Description:  Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

File Path: /home/ciagent/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar
MD5: f807f86d7d9db25edbfc782aca7ca2a9
SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: xerces:xercesImpl:2.9.1    Confidence:Highest
  • cpe: cpe:/a:apache:xerces2_java:2.9.1   Confidence:Low   

CVE-2012-0881  

Severity: High
CVSS Score: 7.8 (AV:N/AC:L/Au:N/C:N/I:N/A:C)
CWE: CWE-399 Resource Management Errors

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Vulnerable Software & Versions:

metadata-extractor-2.6.2.jar

Description: Java library for reading metadata from image files.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/com/drewnoakes/metadata-extractor/2.6.2/metadata-extractor-2.6.2.jar
MD5: 8f3acbee87dbd5b0cdfacee3bb3aff8b
SHA1: 13930ff22d3f152bd969a63e88537d2f2adc2cd5
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

rome-1.0.jar

Description: All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.

File Path: /home/ciagent/.m2/repository/rome/rome/1.0/rome-1.0.jar
MD5: 53d38c030287b939f4e6d745ba1269a7
SHA1: 022b33347f315833e9348cec2751af1a5d5656e4
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

vorbis-java-core-0.1.jar

File Path: /home/ciagent/.m2/repository/org/gagravarr/vorbis-java-core/0.1/vorbis-java-core-0.1.jar
MD5: b88115be2754cb6883e652ba68ca46c8
SHA1: 662a02b94701947e6e66e7793d996043f05fad4a
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

juniversalchardet-1.0.3.jar

Description: Java port of universalchardet

License:

Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /home/ciagent/.m2/repository/com/googlecode/juniversalchardet/juniversalchardet/1.0.3/juniversalchardet-1.0.3.jar
MD5: d9ea0a9a275336c175b343f2e4cd8f27
SHA1: cd49678784c46aa8789c060538e0154013bb421b
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jhighlight-1.0.jar

Description:  JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source.

License:

CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php
LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.php
File Path: /home/ciagent/.m2/repository/com/uwyn/jhighlight/1.0/jhighlight-1.0.jar
MD5: 0ad5cf1bc56657f5e9e327e5e768da0a
SHA1: 0b1774029ee29472df8c25e5ba796431f7689fd6
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

xmlbeans-2.6.0.jar

Description: XmlBeans main jar

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar
MD5: 6591c08682d613194dacb01e95c78c2c
SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

exo.core.component.document-5.3.x-SNAPSHOT.jar

Description: Implementation of Document Service of Exoplatform SAS 'eXo Core' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.document/5.3.x-SNAPSHOT/exo.core.component.document-5.3.x-SNAPSHOT.jar
MD5: 36a4e819c7f1b9b06d16d16f0d18591a
SHA1: 656c3fad7f712b4b5f3726e98156904ab9243630
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.core:exo.core.component.document:5.3.x-SNAPSHOT   Confidence:High

exo.core.component.database-5.3.x-SNAPSHOT.jar

Description: Implementation of Database Service of Exoplatform SAS eXo Core' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.database/5.3.x-SNAPSHOT/exo.core.component.database-5.3.x-SNAPSHOT.jar
MD5: 351cb644962c2cec3ddf3d006c01896e
SHA1: 798a841bc2c8e3484857b3576d6b59aa8839738b
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.core:exo.core.component.database:5.3.x-SNAPSHOT   Confidence:High

lucene-core-3.6.2.jar

Description: Apache Lucene Java Core

File Path: /home/ciagent/.m2/repository/org/apache/lucene/lucene-core/3.6.2/lucene-core-3.6.2.jar
MD5: ee396d04f5a35557b424025f5382c815
SHA1: 9ec77e2507f9cc01756964c71d91efd8154a8c47
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

lucene-analyzers-3.6.2.jar

Description: Additional Analyzers

File Path: /home/ciagent/.m2/repository/org/apache/lucene/lucene-analyzers/3.6.2/lucene-analyzers-3.6.2.jar
MD5: 13f8241b6991bd1349c05369a7c0f002
SHA1: 3a083510dcb0d0fc67f8456cdac6f48aa0da2993
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

lucene-spellchecker-3.6.2.jar

Description: Spell Checker

File Path: /home/ciagent/.m2/repository/org/apache/lucene/lucene-spellchecker/3.6.2/lucene-spellchecker-3.6.2.jar
MD5: a4b684913f93aea76f5dbd7e479f19c5
SHA1: 15db0c0cfee44e275f15ad046e46b9a05910ad24
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jta-1.1.jar

Description:  The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.

File Path: /home/ciagent/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar
MD5: 82a10ce714f411b28f13850059de09ee
SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

concurrent-1.3.4.jar

License:

Public domain, Sun Microsoystems: >http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html
File Path: /home/ciagent/.m2/repository/concurrent/concurrent/1.3.4/concurrent-1.3.4.jar
MD5: f29b9d930d3426ebc56919eba10fbd4d
SHA1: 1cf394c2a388199db550cda311174a4c6a7d117c
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

commons-collections-3.2.2.jar

Description: Types that extend and augment the Java Collections Framework.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar
MD5: f54a8510f834a1a57166970bfc982e94
SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jgroups-3.6.13.Final.jar

Description:  Reliable cluster communication toolkit

License:

Apache License 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/ciagent/.m2/repository/org/jgroups/jgroups/3.6.13.Final/jgroups-3.6.13.Final.jar
MD5: d7a4d1065e9b09e3f48bfa88ab368a0c
SHA1: 1315a8a1aed98dcafc11a850957ced42dc26bf18
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jbossjta-4.16.6.Final.jar

Description: JBossTS - JBoss Transaction Service. JTA, JTS and XTS (WS-AT, WS-BA)

License:

LGPL 2.1: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/ciagent/.m2/repository/org/jboss/jbossts/jbossjta/4.16.6.Final/jbossjta-4.16.6.Final.jar
MD5: 9e3c8d7d93b92ab97489aeb5816370c8
SHA1: 99e79e03ced180bea4e3307511d350eb2b88c91c
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

ws-commons-util-1.0.1.jar

Description: This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/ws/commons/ws-commons-util/1.0.1/ws-commons-util-1.0.1.jar
MD5: 66919d22287ddab742a135da764c2cd6
SHA1: 126e80ff798fece634bc94e61f8be8a8da00be60
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2016-10542  

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.

Vulnerable Software & Versions:

jboss-common-core-2.2.22.GA.jar

Description: JBoss Common Core Utility classes

File Path: /home/ciagent/.m2/repository/org/jboss/jboss-common-core/2.2.22.GA/jboss-common-core-2.2.22.GA.jar
MD5: 8c415e1467075a90045a7b0fd19886a3
SHA1: ae1a22412d879c4ac48e35cf00f438bb263d41c3
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

stringtemplate-3.2.1.jar

Description: StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that unlike other engines, it strictly enforces model-view separation. Strict separation makes websites and code generators more flexible and maintainable; it also provides an excellent defense against malicious template authors. There are currently about 600 StringTemplate source downloads a month.

License:

BSD licence: http://antlr.org/license.html
File Path: /home/ciagent/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar
MD5: b58ca53e518a92a1991eb63b61917582
SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

antlr-runtime-3.5.jar

Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.

File Path: /home/ciagent/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar
MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc
SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jboss-logging-3.3.0.Final.jar

Description: The JBoss Logging Framework

License:

Apache License, version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/jboss/logging/jboss-logging/3.3.0.Final/jboss-logging-3.3.0.Final.jar
MD5: bc11af4b8ce7138cdc79b7ba8561638c
SHA1: 3616bb87707910296e2c195dc016287080bba5af
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

commons-lang-2.6.jar

Description:  Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

exo.kernel.component.ext.cache.impl.infinispan.v8-5.3.x-SNAPSHOT.jar

Description: Infinispan Implementation of Cache Service for Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.ext.cache.impl.infinispan.v8/5.3.x-SNAPSHOT/exo.kernel.component.ext.cache.impl.infinispan.v8-5.3.x-SNAPSHOT.jar
MD5: cf459153049afcb424d6852d48006f4b
SHA1: 2eba4f7d71d04c099a85379d7065b7ce78d48029
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.kernel:exo.kernel.component.ext.cache.impl.infinispan.v8:5.3.x-SNAPSHOT   Confidence:High
  • cpe: cpe:/a:infinispan:infinispan:5.3.0   Confidence:Highest   

CVE-2016-0750  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

Vulnerable Software & Versions: (show all)

CVE-2017-15089  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

Vulnerable Software & Versions: (show all)

CVE-2017-2638  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Vulnerable Software & Versions: (show all)

jboss-marshalling-osgi-2.0.0.Beta3.jar

Description: JBoss Marshalling OSGi Bundle with API and implementations

License:

http://repository.jboss.org/licenses/cc0-1.0.txt
File Path: /home/ciagent/.m2/repository/org/jboss/marshalling/jboss-marshalling-osgi/2.0.0.Beta3/jboss-marshalling-osgi-2.0.0.Beta3.jar
MD5: 7652392087f6e70312cf0309ab563a4f
SHA1: a55fe6527a2d50dc48ad3f8b9093bd0cb01302b0
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

infinispan-core-8.2.6.Final.jar

Description: Infinispan core module

License:

http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/ciagent/.m2/repository/org/infinispan/infinispan-core/8.2.6.Final/infinispan-core-8.2.6.Final.jar
MD5: 06371c22b39aef4faf1da8d21b2102cb
SHA1: 84937a866a56760b9c50bfbca10442fa14be6375
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2016-0750  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.

Vulnerable Software & Versions: (show all)

CVE-2017-15089  

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.

Vulnerable Software & Versions: (show all)

CVE-2017-2638  

Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication

It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.

Vulnerable Software & Versions: (show all)

exo.jcr.component.core-5.3.x-SNAPSHOT.jar

Description: Implementation of Core Service of Exoplatform SAS 'eXo Core' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/exo.jcr.component.core/5.3.x-SNAPSHOT/exo.jcr.component.core-5.3.x-SNAPSHOT.jar
MD5: c34faf606491d2ab1610fc473993ec86
SHA1: b568dd1a9a7d7bad1feb77d52b64dbf7a5527bef
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.jcr:exo.jcr.component.core:5.3.x-SNAPSHOT   Confidence:High

mime-util-2.1.3.jar

Description: mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar
MD5: 3d4f3e1a96eb79683197f1c8b182f4a6
SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jakarta-regexp-1.4.jar

File Path: /home/ciagent/.m2/repository/jakarta-regexp/jakarta-regexp/1.4/jakarta-regexp-1.4.jar
MD5: 5d8b8c601c21b37aa6142d38f45c0297
SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

xpp3-1.1.6.jar

Description: XML Pull parser library developed by Extreme Computing Lab, Indiana University

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/ogce/xpp3/1.1.6/xpp3-1.1.6.jar
MD5: 626a429318310e92e3466151e050bdc5
SHA1: dc87e00ddb69341b46a3eb1c331c6fcebf6c8546
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jcl-over-slf4j-1.7.18.jar

Description: JCL 1.1.1 implemented over SLF4J

File Path: /home/ciagent/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.18/jcl-over-slf4j-1.7.18.jar
MD5: 86c8f80da62e4640564effb9dff7e003
SHA1: eca71be00af2579564e9f3a23ce0b245ca79ee5d
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

slf4j-api-1.7.18.jar

Description: The slf4j API

File Path: /home/ciagent/.m2/repository/org/slf4j/slf4j-api/1.7.18/slf4j-api-1.7.18.jar
MD5: 1b1d1af21206ac5ae44cd79a6c04dd92
SHA1: b631d286463ced7cc42ee2171fe3beaed2836823
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

exo.kernel.commons-5.3.x-SNAPSHOT.jar

Description: Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.commons/5.3.x-SNAPSHOT/exo.kernel.commons-5.3.x-SNAPSHOT.jar
MD5: 282b4bd581fc9a95b032fe6eda634568
SHA1: 5562effa2e420335521f5f7bd503646863d33b02
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.kernel:exo.kernel.commons:5.3.x-SNAPSHOT   Confidence:High

commons-beanutils-1.8.3.jar

Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

CVE-2014-0114  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Vulnerable Software & Versions: (show all)

CVE-2019-10086  

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Vulnerable Software & Versions:

common-logging-2.2.2.Final.jar

File Path: /home/ciagent/.m2/repository/org/gatein/common/common-logging/2.2.2.Final/common-logging-2.2.2.Final.jar
MD5: 28b7108ee63899bca08636d360e7df11
SHA1: aee18008518671fb10982c0fe5f7383e98f71c47
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

common-common-2.2.2.Final.jar

File Path: /home/ciagent/.m2/repository/org/gatein/common/common-common/2.2.2.Final/common-common-2.2.2.Final.jar
MD5: 8ce16b5e3991285cd27e553740d09d1f
SHA1: 44522d899e31a5a10dbd70f7b0ca2fe5a614f740
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

wci-wci-5.3.x-SNAPSHOT.jar

File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/wci/wci-wci/5.3.x-SNAPSHOT/wci-wci-5.3.x-SNAPSHOT.jar
MD5: c5b844fb7a773e4dac04279121d46994
SHA1: 003a6a515d6f1ad92303eeb83284de3c92cb4ed9
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.gatein.wci:wci-wci:5.3.x-SNAPSHOT   Confidence:High

jibx-run-1.2.6.jar

Description: JiBX runtime code

License:

http://jibx.sourceforge.net/jibx-license.html
File Path: /home/ciagent/.m2/repository/org/jibx/jibx-run/1.2.6/jibx-run-1.2.6.jar
MD5: 4ef53e4279c8440aff2d16c0af024231
SHA1: 544f3ac7887d7eed20ca0420ee1963df6c7ecebb
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

jsr250-api-1.0.jar

Description: JSR-250 Reference Implementation by Glassfish

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/ciagent/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
MD5: 4cd56b2e4977e541186de69f5126b4a6
SHA1: 5025422767732a1ab45d93abfea846513d742dcf
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

cdi-api-1.0-SP4.jar

Description: APIs for JSR-299: Contexts and Dependency Injection for Java EE

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/ciagent/.m2/repository/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4.jar
MD5: 6c1e2b4036d64b6ba1a1136a00c7cdaa
SHA1: 6e38490033eb8b36c4cf1f7605163424a574dcf0
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

exo.kernel.container-5.3.x-SNAPSHOT.jar

Description: Implementation of Container for Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.container/5.3.x-SNAPSHOT/exo.kernel.container-5.3.x-SNAPSHOT.jar
MD5: 0db2a5178dfbd3a920f6d4f48ca8f194
SHA1: d7453b549cd5262ff637714d8efa149cc38c9951
Referenced In Project/Scope: eXo PLF:: Calendar Common Statistics:compile

Identifiers

  • maven: org.exoplatform.kernel:exo.kernel.container:5.3.x-SNAPSHOT   Confidence:High

jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling/pom.xml

Description: JBoss Marshalling API

File Path: /home/ciagent/.m2/repository/org/jboss/marshalling/jboss-marshalling-osgi/2.0.0.Beta3/jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling/pom.xml
MD5: 2b0e9541ec4a0f19e378eaabc5e85ea0
SHA1: da91abf3554dceed9454faa89acafc48c0649df5

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling:2.0.0.Beta3   Confidence:High

jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-river/pom.xml

Description: JBoss Marshalling River Implementation

File Path: /home/ciagent/.m2/repository/org/jboss/marshalling/jboss-marshalling-osgi/2.0.0.Beta3/jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-river/pom.xml
MD5: 1dda062cdd15bd160a4ee6cf1be9f93d
SHA1: 366411529f00ec1eb4451b9b45012bfc09bde34b

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling-river:2.0.0.Beta3   Confidence:High

jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-serial/pom.xml

Description: JBoss Marshalling Serial Implementation

File Path: /home/ciagent/.m2/repository/org/jboss/marshalling/jboss-marshalling-osgi/2.0.0.Beta3/jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-serial/pom.xml
MD5: 16b74097e7ec70db37b74205776ad0a7
SHA1: cf519c8805a14e6ce20933b7a89bfe0d5a7dbf0f

Identifiers

  • maven: org.jboss.marshalling:jboss-marshalling-serial:2.0.0.Beta3   Confidence:High


This report contains data retrieved from the National Vulnerability Database.
This report may contain data retrieved from the Node Security Platform.