Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 3.1.2
Report Generated On: Jan 20, 2019 at 09:48:47 +00:00
Dependencies Scanned: 2 (2 unique)
Vulnerable Dependencies: 1
Vulnerabilities Found: 1
Vulnerabilities Suppressed: 0
...
NVD CVE 2002: 30/11/2018 09:08:39
NVD CVE 2003: 18/12/2018 09:11:59
NVD CVE 2004: 18/01/2019 09:12:18
NVD CVE 2005: 18/01/2019 09:10:58
NVD CVE 2006: 18/01/2019 09:08:46
NVD CVE 2007: 18/01/2019 19:33:33
NVD CVE 2008: 18/01/2019 19:33:34
NVD CVE 2009: 18/01/2019 19:33:33
NVD CVE 2010: 18/01/2019 08:55:14
NVD CVE 2011: 18/01/2019 19:33:33
NVD CVE 2012: 18/01/2019 19:33:32
NVD CVE 2013: 18/01/2019 19:33:33
NVD CVE 2014: 18/01/2019 08:38:51
NVD CVE 2015: 18/01/2019 19:33:35
NVD CVE 2016: 18/01/2019 08:30:13
NVD CVE 2017: 18/01/2019 08:24:37
NVD CVE 2018: 18/01/2019 19:33:32
NVD CVE 2019: 18/01/2019 08:00:08
NVD CVE Checked: 20/01/2019 09:27:01
NVD CVE Modified: 18/01/2019 19:04:29
VersionCheckOn: 1545557199441

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	CPE	Coordinates	Highest Severity	CVE Count	CPE Confidence	Evidence Count
jcr-parent-5.2.x-SNAPSHOT-source-release.zip: standard.jar	cpe:/a:apache:standard_taglibs:1.1.2	taglibs:standard:1.1.2 ✓	High	1	Low	23
jcr-parent-5.2.x-SNAPSHOT-source-release.zip: jstl.jar		jstl:jstl:1.1.2 ✓		0		24

Dependencies

jcr-parent-5.2.x-SNAPSHOT-source-release.zip: standard.jar

File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/jcr-parent/5.2.x-SNAPSHOT/jcr-parent-5.2.x-SNAPSHOT-source-release.zip/jcr-parent-5.2.x-SNAPSHOT/applications/exo.jcr.applications.browser/src/main/webapp/WEB-INF/lib/standard.jar
MD5: 65351d0487ad57edda9171bb3b46b98c
SHA1: a17e8a4d9a1f7fcc5eed606721c9ed6b7f18acf7
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Sources:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Low
Vendor	file	name	standard	High
Vendor	jar	package name	standard	Low
Vendor	Manifest	extension-name	org.apache.taglibs.standard	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	central	groupid	taglibs	Highest
Vendor	pom	artifactid	standard	Low
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	jar	package name	taglibs	Low
Vendor	pom	groupid	taglibs	Highest
Product	file	name	standard	High
Product	jar	package name	standard	Low
Product	central	artifactid	standard	Highest
Product	pom	artifactid	standard	Highest
Product	Manifest	Implementation-Title	jakarta-taglibs 'standard': an implementation of JSTL	High
Product	Manifest	specification-title	JavaServer Pages Standard Tag Library (JSTL)	Medium
Product	Manifest	extension-name	org.apache.taglibs.standard	Medium
Product	jar	package name	tag	Low
Product	jar	package name	taglibs	Low
Product	pom	groupid	taglibs	Low
Version	Manifest	Implementation-Version	1.1.2	High
Version	pom	version	1.1.2	Highest
Version	central	version	1.1.2	Highest

Identifiers

maven: taglibs:standard:1.1.2 ✓ Confidence:Highest
cpe: cpe:/a:apache:standard_taglibs:1.1.2 Confidence:Low

Published Vulnerabilities

CVE-2015-0254

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)

Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.

BID - 72809
BUGTRAQ - 20150227 [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html
MISC - http://packetstormsecurity.com/files/130575/Apache-Standard-Taglibs-1.2.1-XXE-Remote-Command-Execution.html
MLIST - [tomcat-taglibs-user] 20150227 [SECURITY] CVE-2015-0254 XXE and RCE via XSL extension in JSTL XML tags
REDHAT - RHSA-2015:1695
REDHAT - RHSA-2016:1376
REDHAT - RHSA-2016:1838
REDHAT - RHSA-2016:1839
REDHAT - RHSA-2016:1840
REDHAT - RHSA-2016:1841
SECTRACK - 1034934
SUSE - openSUSE-SU-2015:1751
UBUNTU - USN-2551-1

Vulnerable Software & Versions:

cpe:/a:apache:standard_taglibs:1.2.1 and all previous versions

jcr-parent-5.2.x-SNAPSHOT-source-release.zip: jstl.jar

File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/jcr-parent/5.2.x-SNAPSHOT/jcr-parent-5.2.x-SNAPSHOT-source-release.zip/jcr-parent-5.2.x-SNAPSHOT/applications/exo.jcr.applications.browser/src/main/webapp/WEB-INF/lib/jstl.jar
MD5: c2ced5f8505fe9d1cae685201e9cba07
SHA1: 3375e43c620df4f1114959400ff9bb90d12a2feb
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Sources:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	central	groupid	javax.servlet	High
Vendor	pom	artifactid	jstl	Low
Vendor	jar	package name	javax	Low
Vendor	Manifest	Implementation-Vendor	Sun Microsystems, Inc.	High
Vendor	file	name	jstl	High
Vendor	jar	package name	jsp	Low
Vendor	pom	groupid	javax.servlet	Highest
Vendor	Manifest	Implementation-Vendor-Id	com.sun	Medium
Vendor	Manifest	extension-name	javax.servlet.jsp.jstl	Medium
Vendor	jar	package name	servlet	Low
Vendor	central	groupid	jstl	High
Product	jar	package name	jstl	Low
Product	pom	artifactid	jstl	Highest
Product	file	name	jstl	High
Product	central	artifactid	jstl	High
Product	Manifest	Implementation-Title	JavaServer Pages Standard Tag Library API Reference Implementation	High
Product	jar	package name	jsp	Low
Product	Manifest	specification-title	JavaServer Pages Standard Tag Library (JSTL)	Medium
Product	pom	groupid	javax.servlet	Low
Product	Manifest	extension-name	javax.servlet.jsp.jstl	Medium
Product	jar	package name	servlet	Low
Version	Manifest	Implementation-Version	1.1.2	High
Version	central	version	1.1.2	High
Version	pom	version	1.1.2	Highest

Identifiers

maven: jstl:jstl:1.1.2 ✓ Confidence:Highest
maven: javax.servlet:jstl:1.1.2 ✓ Confidence:Highest

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: eXo PLF:: Platform Public Distributions - Sources

org.exoplatform.platform.distributions:plf-community-sources:5.2.x-SNAPSHOT

Dependencies

jcr-parent-5.2.x-SNAPSHOT-source-release.zip: standard.jar

Evidence

Identifiers

Published Vulnerabilities

jcr-parent-5.2.x-SNAPSHOT-source-release.zip: jstl.jar

Evidence

Identifiers