Dependency-Check Report

Dependency	CPE	Coordinates	Highest Severity	CVE Count	CPE Confidence	Evidence Count
tomcat-juli-8.5.35.jar	cpe:/a:apache_software_foundation:tomcat:8.5.35	org.apache.tomcat:tomcat-juli:8.5.35 ✓		0	Low	21
tomcat-api-8.5.35.jar	cpe:/a:apache_software_foundation:tomcat:8.5.35 cpe:/a:apache:tomcat:8.5.35 cpe:/a:apache_tomcat:apache_tomcat:8.5.35	org.apache.tomcat:tomcat-api:8.5.35 ✓	High	3	Low	21
tomcat-jni-8.5.35.jar	cpe:/a:apache:tomcat_native:8.5.35 cpe:/a:apache_software_foundation:tomcat:8.5.35 cpe:/a:apache:tomcat:8.5.35 cpe:/a:apache_tomcat:apache_tomcat:8.5.35	org.apache.tomcat:tomcat-jni:8.5.35 ✓	High	3	Low	21
tomcat-coyote-8.5.35.jar	cpe:/a:apache:coyote_http_connector:8.5.35 cpe:/a:apache_software_foundation:tomcat:8.5.35 cpe:/a:apache:tomcat:8.5.35 cpe:/a:apache:tomcat_connectors:8.5.35 cpe:/a:apache_tomcat:apache_tomcat:8.5.35	org.apache.tomcat:tomcat-coyote:8.5.35 ✓	High	3	Low	21
mime-util-2.1.3.jar		eu.medsea.mimeutil:mime-util:2.1.3 ✓		0		30
jakarta-regexp-1.4.jar		jakarta-regexp:jakarta-regexp:1.4 ✓		0		14
xpp3-1.1.6.jar		org.ogce:xpp3:1.1.6 ✓		0		24
jcl-over-slf4j-1.7.7.jar		org.slf4j:jcl-over-slf4j:1.7.7 ✓		0		31
slf4j-api-1.7.7.jar		org.slf4j:slf4j-api:1.7.7 ✓		0		31
exo.kernel.commons-5.2.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.commons:5.2.x-SNAPSHOT		0		24
commons-beanutils-1.8.3.jar	cpe:/a:apache:commons_beanutils:1.8.3	commons-beanutils:commons-beanutils:1.8.3 ✓	High	1	Low	34
common-common-2.2.2.Final.jar		org.gatein.common:common-common:2.2.2.Final ✓		0		31
wci-wci-5.2.x-SNAPSHOT.jar		org.exoplatform.gatein.wci:wci-wci:5.2.x-SNAPSHOT		0		29
jibx-run-1.2.6.jar		org.jibx:jibx-run:1.2.6 ✓		0		29
javax.inject-1.jar		javax.inject:javax.inject:1 ✓		0		20
jsr250-api-1.0.jar		javax.annotation:jsr250-api:1.0 ✓		0		20
cdi-api-1.0-SP4.jar		javax.enterprise:cdi-api:1.0-SP4 ✓		0		31
exo.kernel.container-5.2.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.container:5.2.x-SNAPSHOT		0		24
wci-tomcat8-5.2.x-SNAPSHOT.jar		org.exoplatform.gatein.wci:wci-tomcat8:5.2.x-SNAPSHOT		0		27

Description: Tomcat Core Logging Package

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-juli/8.5.35/tomcat-juli-8.5.35.jar
MD5: c3b6b2bc241e6572ada480e972702800
SHA1: 69d0606072b31b57ba706d1ffc102064ad8f694b
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.apache.tomcat	Highest
Vendor	pom	groupid	apache.tomcat	Highest
Vendor	pom	artifactid	tomcat-juli	Low
Vendor	pom	description	Tomcat Core Logging Package	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	pom	url	https://tomcat.apache.org/	Highest
Vendor	central	groupid	org.apache.tomcat	Highest
Vendor	file	name	tomcat-juli	High
Product	central	artifactid	tomcat-juli	Highest
Product	Manifest	Implementation-Title	Apache Tomcat	High
Product	Manifest	specification-title	Apache Tomcat	Medium
Product	pom	url	https://tomcat.apache.org/	Medium
Product	pom	groupid	apache.tomcat	Low
Product	pom	description	Tomcat Core Logging Package	Medium
Product	pom	artifactid	tomcat-juli	Highest
Product	file	name	tomcat-juli	High
Version	Manifest	Implementation-Version	8.5.35	High
Version	central	version	8.5.35	Highest
Version	pom	version	8.5.35	Highest
Version	file	version	8.5.35	Highest

Identifiers

cpe: cpe:/a:apache_software_foundation:tomcat:8.5.35 Confidence:Low
maven: org.apache.tomcat:tomcat-juli:8.5.35 ✓ Confidence:Highest

Description: Definition of interfaces shared by Catalina and Jasper

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-api/8.5.35/tomcat-api-8.5.35.jar
MD5: 589ecb726f3bc8232d6618e97740dc40
SHA1: cdfda95188ce0322becbef1da00f2ec24c73a44b
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.apache.tomcat	Highest
Vendor	pom	description	Definition of interfaces shared by Catalina and Jasper	Medium
Vendor	pom	groupid	apache.tomcat	Highest
Vendor	file	name	tomcat-api	High
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	pom	artifactid	tomcat-api	Low
Vendor	pom	url	https://tomcat.apache.org/	Highest
Vendor	central	groupid	org.apache.tomcat	Highest
Product	central	artifactid	tomcat-api	Highest
Product	Manifest	Implementation-Title	Apache Tomcat	High
Product	Manifest	specification-title	Apache Tomcat	Medium
Product	pom	description	Definition of interfaces shared by Catalina and Jasper	Medium
Product	pom	url	https://tomcat.apache.org/	Medium
Product	pom	groupid	apache.tomcat	Low
Product	file	name	tomcat-api	High
Product	pom	artifactid	tomcat-api	Highest
Version	Manifest	Implementation-Version	8.5.35	High
Version	central	version	8.5.35	Highest
Version	pom	version	8.5.35	Highest
Version	file	version	8.5.35	Highest

Related Dependencies

tomcat-annotations-api-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-annotations-api/8.5.35/tomcat-annotations-api-8.5.35.jar
- SHA1: 5e03d5b26a8cdf7368831d35baa323aaae3213b4
- MD5: 1f1b4bd07c4255c6d7f3dcffac2eac71
- maven: org.apache.tomcat:tomcat-annotations-api:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-util-scan-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-util-scan/8.5.35/tomcat-util-scan-8.5.35.jar
- SHA1: fbffeee41de90d11567cf481dca854358fccba32
- MD5: b11c457552852dfe259d96ab5fe51fa9
- maven: org.apache.tomcat:tomcat-util-scan:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-jaspic-api-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-jaspic-api/8.5.35/tomcat-jaspic-api-8.5.35.jar
- SHA1: e467215cba84c11e9b0b72d60f433c6b0b466098
- MD5: f22760c7d43b93cac2bd65b5e5f97378
- maven: org.apache.tomcat:tomcat-jaspic-api:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-el-api-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-el-api/8.5.35/tomcat-el-api-8.5.35.jar
- SHA1: 1ba528480619dfb3ccf3e80759ee225163238872
- MD5: d5c47f9c6038ea2b4acfb355f52ec93c
- maven: org.apache.tomcat:tomcat-el-api:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-servlet-api-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-servlet-api/8.5.35/tomcat-servlet-api-8.5.35.jar
- SHA1: 39f8dd9a5815b150e7a3ab2a87d5c070b0f3c635
- MD5: 2f9ec32baeaba61caaf1441825844dba
- maven: org.apache.tomcat:tomcat-servlet-api:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-jsp-api-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-jsp-api/8.5.35/tomcat-jsp-api-8.5.35.jar
- SHA1: e4ed0de27118645d1e6949939707fe92b19178fd
- MD5: 9883f07cc987802e29cd867377d30d17
- maven: org.apache.tomcat:tomcat-jsp-api:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-util-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-util/8.5.35/tomcat-util-8.5.35.jar
- SHA1: db19d23e78ba440becb52fab76c63e67d4992d39
- MD5: 83d5719ff70f18d18c2217a78d915710
- maven: org.apache.tomcat:tomcat-util:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35
tomcat-catalina-8.5.35.jar
- File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-catalina/8.5.35/tomcat-catalina-8.5.35.jar
- SHA1: c871d21a7687eb609f0d42087d8b8a69561195e0
- MD5: 382a49c251429f5d9d9f3d92222cb625
- maven: org.apache.tomcat:tomcat-catalina:8.5.35 ✓
- cpe: cpe:/a:apache:tomcat:8.5.35

Identifiers

cpe: cpe:/a:apache_software_foundation:tomcat:8.5.35 Confidence:Low
maven: org.apache.tomcat:tomcat-api:8.5.35 ✓ Confidence:Highest
cpe: cpe:/a:apache:tomcat:8.5.35 Confidence:Low
cpe: cpe:/a:apache_tomcat:apache_tomcat:8.5.35 Confidence:Low

Published Vulnerabilities

CVE-2016-5425

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

BID - 93472
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
EXPLOIT-DB - 40488
MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
REDHAT - RHSA-2016:2046
SECTRACK - 1036979

Vulnerable Software & Versions:

cpe:/a:apache:tomcat

CVE-2016-6325

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

BID - 93478
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
REDHAT - RHSA-2016:2045
REDHAT - RHSA-2016:2046
REDHAT - RHSA-2017:0455
REDHAT - RHSA-2017:0456
REDHAT - RHSA-2017:0457

Vulnerable Software & Versions:

cpe:/a:apache:tomcat:-

CVE-2017-6056

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

BID - 96293
CONFIRM - https://bugs.debian.org/851304
CONFIRM - https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
CONFIRM - https://lists.debian.org/debian-security-announce/2017/msg00038.html
CONFIRM - https://lists.debian.org/debian-security-announce/2017/msg00039.html
CONFIRM - https://security.netapp.com/advisory/ntap-20180731-0002/
DEBIAN - DSA-3787
DEBIAN - DSA-3788
REDHAT - RHSA-2017:0517
REDHAT - RHSA-2017:0826
REDHAT - RHSA-2017:0827
REDHAT - RHSA-2017:0828
REDHAT - RHSA-2017:0829
SECTRACK - 1037860

Vulnerable Software & Versions:

cpe:/a:apache:tomcat

Description: Interface code to the native connector

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-jni/8.5.35/tomcat-jni-8.5.35.jar
MD5: 8fb29c42b9ff472d8fc78d9f3c320215
SHA1: 23dfd85acc1bccf73a0b1e7822fd1b898c4719a6
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.apache.tomcat	Highest
Vendor	file	name	tomcat-jni	High
Vendor	pom	artifactid	tomcat-jni	Low
Vendor	pom	groupid	apache.tomcat	Highest
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	pom	url	https://tomcat.apache.org/	Highest
Vendor	central	groupid	org.apache.tomcat	Highest
Vendor	pom	description	Interface code to the native connector	Medium
Product	Manifest	Implementation-Title	Apache Tomcat	High
Product	Manifest	specification-title	Apache Tomcat	Medium
Product	file	name	tomcat-jni	High
Product	pom	url	https://tomcat.apache.org/	Medium
Product	pom	groupid	apache.tomcat	Low
Product	central	artifactid	tomcat-jni	Highest
Product	pom	artifactid	tomcat-jni	Highest
Product	pom	description	Interface code to the native connector	Medium
Version	Manifest	Implementation-Version	8.5.35	High
Version	central	version	8.5.35	Highest
Version	pom	version	8.5.35	Highest
Version	file	version	8.5.35	Highest

Identifiers

maven: org.apache.tomcat:tomcat-jni:8.5.35 ✓ Confidence:Highest
cpe: cpe:/a:apache:tomcat_native:8.5.35 Confidence:Low
cpe: cpe:/a:apache_software_foundation:tomcat:8.5.35 Confidence:Low
cpe: cpe:/a:apache:tomcat:8.5.35 Confidence:Low
cpe: cpe:/a:apache_tomcat:apache_tomcat:8.5.35 Confidence:Low

Published Vulnerabilities

CVE-2016-5425

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

BID - 93472
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
EXPLOIT-DB - 40488
MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
REDHAT - RHSA-2016:2046
SECTRACK - 1036979

Vulnerable Software & Versions:

cpe:/a:apache:tomcat

CVE-2016-6325

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

BID - 93478
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
REDHAT - RHSA-2016:2045
REDHAT - RHSA-2016:2046
REDHAT - RHSA-2017:0455
REDHAT - RHSA-2017:0456
REDHAT - RHSA-2017:0457

Vulnerable Software & Versions:

cpe:/a:apache:tomcat:-

CVE-2017-6056

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

BID - 96293
CONFIRM - https://bugs.debian.org/851304
CONFIRM - https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
CONFIRM - https://lists.debian.org/debian-security-announce/2017/msg00038.html
CONFIRM - https://lists.debian.org/debian-security-announce/2017/msg00039.html
CONFIRM - https://security.netapp.com/advisory/ntap-20180731-0002/
DEBIAN - DSA-3787
DEBIAN - DSA-3788
REDHAT - RHSA-2017:0517
REDHAT - RHSA-2017:0826
REDHAT - RHSA-2017:0827
REDHAT - RHSA-2017:0828
REDHAT - RHSA-2017:0829
SECTRACK - 1037860

Vulnerable Software & Versions:

cpe:/a:apache:tomcat

Description: Tomcat Connectors and HTTP parser

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/org/apache/tomcat/tomcat-coyote/8.5.35/tomcat-coyote-8.5.35.jar
MD5: 53791305852201a76cb079c2f49918f5
SHA1: da94c8aa9c321d79372657103693da3c1729dbee
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.apache.tomcat	Highest
Vendor	file	name	tomcat-coyote	High
Vendor	pom	artifactid	tomcat-coyote	Low
Vendor	pom	groupid	apache.tomcat	Highest
Vendor	pom	description	Tomcat Connectors and HTTP parser	Medium
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	pom	url	https://tomcat.apache.org/	Highest
Vendor	central	groupid	org.apache.tomcat	Highest
Product	file	name	tomcat-coyote	High
Product	Manifest	Implementation-Title	Apache Tomcat	High
Product	Manifest	specification-title	Apache Tomcat	Medium
Product	pom	url	https://tomcat.apache.org/	Medium
Product	pom	groupid	apache.tomcat	Low
Product	pom	artifactid	tomcat-coyote	Highest
Product	pom	description	Tomcat Connectors and HTTP parser	Medium
Product	central	artifactid	tomcat-coyote	Highest
Version	Manifest	Implementation-Version	8.5.35	High
Version	central	version	8.5.35	Highest
Version	pom	version	8.5.35	Highest
Version	file	version	8.5.35	Highest

Identifiers

maven: org.apache.tomcat:tomcat-coyote:8.5.35 ✓ Confidence:Highest
cpe: cpe:/a:apache:coyote_http_connector:8.5.35 Confidence:Low
cpe: cpe:/a:apache_software_foundation:tomcat:8.5.35 Confidence:Low
cpe: cpe:/a:apache:tomcat:8.5.35 Confidence:Low
cpe: cpe:/a:apache:tomcat_connectors:8.5.35 Confidence:Low
cpe: cpe:/a:apache_tomcat:apache_tomcat:8.5.35 Confidence:Low

Published Vulnerabilities

CVE-2016-5425

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.

BID - 93472
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
EXPLOIT-DB - 40488
MISC - http://legalhackers.com/advisories/Tomcat-RedHat-Pkgs-Root-PrivEsc-Exploit-CVE-2016-5425.html
MISC - http://packetstormsecurity.com/files/139041/Apache-Tomcat-8-7-6-Privilege-Escalation.html
MLIST - [oss-security] 20161010 CVE-2016-5425 - Apache Tomcat packaging on RedHat-based distros - Root Privilege Escalation (affecting CentOS, Fedora, OracleLinux, RedHat etc.)
REDHAT - RHSA-2016:2046
SECTRACK - 1036979

Vulnerable Software & Versions:

cpe:/a:apache:tomcat

CVE-2016-6325

Severity: High
CVSS Score: 7.2 (AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls

The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.

BID - 93478
CONFIRM - http://www.oracle.com/technetwork/topics/security/linuxbulletinoct2016-3090545.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1367447
REDHAT - RHSA-2016:2045
REDHAT - RHSA-2016:2046
REDHAT - RHSA-2017:0455
REDHAT - RHSA-2017:0456
REDHAT - RHSA-2017:0457

Vulnerable Software & Versions:

cpe:/a:apache:tomcat:-

CVE-2017-6056

Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling

It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.

BID - 96293
CONFIRM - https://bugs.debian.org/851304
CONFIRM - https://bz.apache.org/bugzilla/show_bug.cgi?id=60578
CONFIRM - https://lists.debian.org/debian-security-announce/2017/msg00038.html
CONFIRM - https://lists.debian.org/debian-security-announce/2017/msg00039.html
CONFIRM - https://security.netapp.com/advisory/ntap-20180731-0002/
DEBIAN - DSA-3787
DEBIAN - DSA-3788
REDHAT - RHSA-2017:0517
REDHAT - RHSA-2017:0826
REDHAT - RHSA-2017:0827
REDHAT - RHSA-2017:0828
REDHAT - RHSA-2017:0829
SECTRACK - 1037860

Vulnerable Software & Versions:

cpe:/a:apache:tomcat

Description: mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar
MD5: 3d4f3e1a96eb79683197f1c8b182f4a6
SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	eu.medsea.mimeutil	Highest
Vendor	Manifest	bundle-symbolicname	eu.medsea.mimeutil.mime-util	Medium
Vendor	central	groupid	eu.medsea.mimeutil	Highest
Vendor	manifest	Bundle-Description	mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.	Low
Vendor	pom	name	Mime Detection Utility	High
Vendor	pom	organization url	http://www.medsea.eu	Medium
Vendor	Manifest	bundle-docurl	http://www.medsea.eu	Low
Vendor	pom	organization name	Medsea Business Solutions S.L.	High
Vendor	file	name	mime-util	High
Vendor	pom	artifactid	mime-util	Low
Vendor	pom	description	mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.	Low
Vendor	pom	url	http://www.medsea.eu/mime-util/	Highest
Vendor	Manifest	url	http://www.medsea.eu/mime-util/	Low
Product	Manifest	bundle-symbolicname	eu.medsea.mimeutil.mime-util	Medium
Product	pom	url	http://www.medsea.eu/mime-util/	Medium
Product	pom	organization name	Medsea Business Solutions S.L.	Low
Product	manifest	Bundle-Description	mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.	Low
Product	pom	groupid	eu.medsea.mimeutil	Low
Product	pom	name	Mime Detection Utility	High
Product	Manifest	bundle-docurl	http://www.medsea.eu	Low
Product	central	artifactid	mime-util	Highest
Product	file	name	mime-util	High
Product	pom	organization url	http://www.medsea.eu	Low
Product	pom	artifactid	mime-util	Highest
Product	Manifest	Bundle-Name	Mime Detection Utility	Medium
Product	pom	description	mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.	Low
Product	Manifest	url	http://www.medsea.eu/mime-util/	Low
Version	file	version	2.1.3	Highest
Version	central	version	2.1.3	Highest
Version	pom	version	2.1.3	Highest

Identifiers

maven: eu.medsea.mimeutil:mime-util:2.1.3 ✓ Confidence:Highest

File Path: /home/ciagent/.m2/repository/jakarta-regexp/jakarta-regexp/1.4/jakarta-regexp-1.4.jar
MD5: 5d8b8c601c21b37aa6142d38f45c0297
SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	apache	Low
Vendor	central	groupid	jakarta-regexp	Highest
Vendor	pom	artifactid	jakarta-regexp	Low
Vendor	file	name	jakarta-regexp	High
Vendor	jar	package name	regexp	Low
Vendor	pom	groupid	jakarta-regexp	Highest
Product	pom	groupid	jakarta-regexp	Low
Product	pom	artifactid	jakarta-regexp	Highest
Product	file	name	jakarta-regexp	High
Product	jar	package name	regexp	Low
Product	central	artifactid	jakarta-regexp	Highest
Version	pom	version	1.4	Highest
Version	file	version	1.4	Highest
Version	central	version	1.4	Highest

Identifiers

maven: jakarta-regexp:jakarta-regexp:1.4 ✓ Confidence:Highest

Description: XML Pull parser library developed by Extreme Computing Lab, Indiana University

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/org/ogce/xpp3/1.1.6/xpp3-1.1.6.jar
MD5: 626a429318310e92e3466151e050bdc5
SHA1: dc87e00ddb69341b46a3eb1c331c6fcebf6c8546
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	XPP3	High
Vendor	central	groupid	org.ogce	Highest
Vendor	jar	package name	xmlpull	Low
Vendor	pom	description	XML Pull parser library developed by Extreme Computing Lab, Indiana University	Medium
Vendor	jar	package name	v1	Low
Vendor	pom	url	http://www.extreme.indiana.edu/xpp/	Highest
Vendor	pom	artifactid	xpp3	Low
Vendor	jar	package name	builder	Low
Vendor	pom	groupid	org.ogce	Highest
Vendor	pom	groupid	ogce	Highest
Vendor	file	name	xpp3	High
Product	pom	name	XPP3	High
Product	central	artifactid	xpp3	Highest
Product	pom	description	XML Pull parser library developed by Extreme Computing Lab, Indiana University	Medium
Product	jar	package name	v1	Low
Product	pom	groupid	ogce	Low
Product	pom	artifactid	xpp3	Highest
Product	jar	package name	builder	Low
Product	pom	url	http://www.extreme.indiana.edu/xpp/	Medium
Product	jar	package name	xpath	Low
Product	file	name	xpp3	High
Version	pom	version	1.1.6	Highest
Version	file	version	1.1.6	Highest
Version	central	version	1.1.6	Highest

Identifiers

maven: org.ogce:xpp3:1.1.6 ✓ Confidence:Highest

Description: JCL 1.1.1 implemented over SLF4J

File Path: /home/ciagent/.m2/repository/org/slf4j/jcl-over-slf4j/1.7.7/jcl-over-slf4j-1.7.7.jar
MD5: 32ad130f946ef0460af416397b7fc7b7
SHA1: 56003dcd0a31deea6391b9e2ef2f2dc90b205a92
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.slf4j	Highest
Vendor	pom	url	http://www.slf4j.org	Highest
Vendor	manifest	Bundle-Description	JCL 1.1.1 implemented over SLF4J	Medium
Vendor	Manifest	bundle-symbolicname	jcl.over.slf4j	Medium
Vendor	pom	artifactid	jcl-over-slf4j	Low
Vendor	central	groupid	org.slf4j	Highest
Vendor	file	name	jcl-over-slf4j	High
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.3	Low
Vendor	pom	groupid	slf4j	Highest
Vendor	pom	description	JCL 1.1.1 implemented over SLF4J	Medium
Vendor	pom	parent-groupid	org.slf4j	Medium
Vendor	pom	parent-artifactid	slf4j-parent	Low
Vendor	pom	name	JCL 1.1.1 implemented over SLF4J	High
Product	manifest	Bundle-Description	JCL 1.1.1 implemented over SLF4J	Medium
Product	Manifest	bundle-symbolicname	jcl.over.slf4j	Medium
Product	pom	url	http://www.slf4j.org	Medium
Product	file	name	jcl-over-slf4j	High
Product	pom	parent-artifactid	slf4j-parent	Medium
Product	central	artifactid	jcl-over-slf4j	Highest
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.3	Low
Product	pom	parent-groupid	org.slf4j	Low
Product	Manifest	Bundle-Name	jcl-over-slf4j	Medium
Product	Manifest	Implementation-Title	jcl-over-slf4j	High
Product	pom	description	JCL 1.1.1 implemented over SLF4J	Medium
Product	pom	groupid	slf4j	Low
Product	pom	artifactid	jcl-over-slf4j	Highest
Product	pom	name	JCL 1.1.1 implemented over SLF4J	High
Version	file	version	1.7.7	Highest
Version	central	version	1.7.7	Highest
Version	Manifest	Implementation-Version	1.7.7	High
Version	pom	version	1.7.7	Highest

Identifiers

maven: org.slf4j:jcl-over-slf4j:1.7.7 ✓ Confidence:Highest

Description: The slf4j API

File Path: /home/ciagent/.m2/repository/org/slf4j/slf4j-api/1.7.7/slf4j-api-1.7.7.jar
MD5: ca4280bf93d64367723ae5c8d42dd0b9
SHA1: 2b8019b6249bb05d81d3a3094e468753e2b21311
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.slf4j	Highest
Vendor	pom	url	http://www.slf4j.org	Highest
Vendor	central	groupid	org.slf4j	Highest
Vendor	pom	artifactid	slf4j-api	Low
Vendor	manifest	Bundle-Description	The slf4j API	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.3	Low
Vendor	pom	name	SLF4J API Module	High
Vendor	pom	groupid	slf4j	Highest
Vendor	pom	parent-groupid	org.slf4j	Medium
Vendor	file	name	slf4j-api	High
Vendor	Manifest	bundle-symbolicname	slf4j.api	Medium
Vendor	pom	description	The slf4j API	Medium
Vendor	pom	parent-artifactid	slf4j-parent	Low
Product	central	artifactid	slf4j-api	Highest
Product	pom	url	http://www.slf4j.org	Medium
Product	pom	parent-artifactid	slf4j-parent	Medium
Product	manifest	Bundle-Description	The slf4j API	Medium
Product	pom	artifactid	slf4j-api	Highest
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.3	Low
Product	pom	parent-groupid	org.slf4j	Low
Product	pom	name	SLF4J API Module	High
Product	Manifest	Implementation-Title	slf4j-api	High
Product	pom	groupid	slf4j	Low
Product	file	name	slf4j-api	High
Product	Manifest	bundle-symbolicname	slf4j.api	Medium
Product	Manifest	Bundle-Name	slf4j-api	Medium
Product	pom	description	The slf4j API	Medium
Version	file	version	1.7.7	Highest
Version	central	version	1.7.7	Highest
Version	Manifest	Implementation-Version	1.7.7	High
Version	pom	version	1.7.7	Highest

Identifiers

maven: org.slf4j:slf4j-api:1.7.7 ✓ Confidence:Highest

Description: Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.commons/5.2.x-SNAPSHOT/exo.kernel.commons-5.2.x-SNAPSHOT.jar
MD5: 32f3e3030115ff5f49339f43cbf27eae
SHA1: c0ea42d7a974d853aaf2ed2124e90c84431dc2ae
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	eXo PLF:: Kernel :: Commons Utils	High
Vendor	pom	artifactid	exo.kernel.commons	Low
Vendor	pom	parent-artifactid	kernel-parent	Low
Vendor	Manifest	Implementation-Vendor	eXo Platform SAS	High
Vendor	file	name	exo.kernel.commons	High
Vendor	Manifest	specification-vendor	eXo Platform SAS	Low
Vendor	Manifest	Implementation-Vendor-Id	org.exoplatform.kernel	Medium
Vendor	pom	groupid	org.exoplatform.kernel	Highest
Vendor	pom	description	Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project.	Medium
Vendor	pom	groupid	exoplatform.kernel	Highest
Vendor	pom	parent-groupid	org.exoplatform.kernel	Medium
Product	pom	artifactid	exo.kernel.commons	Highest
Product	pom	name	eXo PLF:: Kernel :: Commons Utils	High
Product	pom	parent-artifactid	kernel-parent	Medium
Product	file	name	exo.kernel.commons	High
Product	Manifest	Implementation-Title	eXo PLF:: Kernel :: Commons Utils	High
Product	pom	parent-groupid	org.exoplatform.kernel	Low
Product	pom	description	Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project.	Medium
Product	Manifest	specification-title	exo-kernel	Medium
Product	pom	groupid	exoplatform.kernel	Low
Version	file	version	5.2	Highest
Version	pom	version	5.2.x-20190113.131703-49	Highest
Version	pom	version	5.2.x-SNAPSHOT	Highest
Version	Manifest	Implementation-Version	5.2.x-SNAPSHOT	High

Identifiers

maven: org.exoplatform.kernel:exo.kernel.commons:5.2.x-SNAPSHOT Confidence:High

Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	Manifest	bundle-symbolicname	org.apache.commons.beanutils	Medium
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	manifest	Bundle-Description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Vendor	central	groupid	commons-beanutils	Highest
Vendor	pom	name	Commons BeanUtils	High
Vendor	pom	artifactid	commons-beanutils	Low
Vendor	pom	groupid	commons-beanutils	Highest
Vendor	pom	description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	url	http://commons.apache.org/beanutils/	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/beanutils/	Low
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	file	name	commons-beanutils	High
Product	pom	artifactid	commons-beanutils	Highest
Product	pom	parent-groupid	org.apache.commons	Low
Product	central	artifactid	commons-beanutils	Highest
Product	Manifest	bundle-symbolicname	org.apache.commons.beanutils	Medium
Product	manifest	Bundle-Description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Product	pom	url	http://commons.apache.org/beanutils/	Medium
Product	Manifest	specification-title	Commons BeanUtils	Medium
Product	Manifest	Implementation-Title	Commons BeanUtils	High
Product	pom	name	Commons BeanUtils	High
Product	Manifest	Bundle-Name	Commons BeanUtils	Medium
Product	pom	groupid	commons-beanutils	Low
Product	pom	description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/beanutils/	Low
Product	file	name	commons-beanutils	High
Product	pom	parent-artifactid	commons-parent	Medium
Version	Manifest	Implementation-Version	1.8.3	High
Version	pom	version	1.8.3	Highest
Version	file	version	1.8.3	Highest
Version	central	version	1.8.3	Highest

Identifiers

maven: commons-beanutils:commons-beanutils:1.8.3 ✓ Confidence:Highest
cpe: cpe:/a:apache:commons_beanutils:1.8.3 Confidence:Low

Published Vulnerabilities

CVE-2014-0114

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

BID - 67121
BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
CONFIRM - http://advisories.mageia.org/MGASA-2014-0219.html
CONFIRM - http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674128
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674812
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675266
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675387
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675689
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675898
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675972
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676110
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676303
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676375
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676931
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677110
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg27042296
CONFIRM - http://www.ibm.com/support/docview.wss?uid=swg21675496
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0008.html
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
CONFIRM - https://access.redhat.com/solutions/869353
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1091938
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1116665
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
CONFIRM - https://issues.apache.org/jira/browse/BEANUTILS-463
CONFIRM - https://security.netapp.com/advisory/ntap-20140911-0001/
CONFIRM - https://security.netapp.com/advisory/ntap-20180629-0006/
CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
DEBIAN - DSA-2940
FEDORA - FEDORA-2014-9380
FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
GENTOO - GLSA-201607-09
HP - HPSBGN03041
HP - HPSBMU03090
HP - HPSBST03160
MANDRIVA - MDVSA-2014:095
MLIST - [apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114
MLIST - [oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
MLIST - [oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
REDHAT - RHSA-2018:2669
SECUNIA - 57477
SECUNIA - 58710
SECUNIA - 58947
SECUNIA - 59118
SECUNIA - 59228
SECUNIA - 59245
SECUNIA - 59246
SECUNIA - 59430
SECUNIA - 59464
SECUNIA - 59479
SECUNIA - 59480
SECUNIA - 59718

Vulnerable Software & Versions: (show all)

cpe:/a:apache:commons_beanutils:1.9.1 and all previous versions
...
cpe:/a:apache:commons_beanutils:1.9.1 and all previous versions
cpe:/a:apache:struts:1.0
cpe:/a:apache:struts:1.0.2
cpe:/a:apache:struts:1.1
cpe:/a:apache:struts:1.1:b1
cpe:/a:apache:struts:1.1:b2
cpe:/a:apache:struts:1.1:b3
cpe:/a:apache:struts:1.1:rc1
cpe:/a:apache:struts:1.1:rc2
cpe:/a:apache:struts:1.2.2
cpe:/a:apache:struts:1.2.4
cpe:/a:apache:struts:1.2.6
cpe:/a:apache:struts:1.2.7
cpe:/a:apache:struts:1.2.8
cpe:/a:apache:struts:1.2.9
cpe:/a:apache:struts:1.3.5
cpe:/a:apache:struts:1.3.8
cpe:/a:apache:struts:1.3.10

File Path: /home/ciagent/.m2/repository/org/gatein/common/common-common/2.2.2.Final/common-common-2.2.2.Final.jar
MD5: 8ce16b5e3991285cd27e553740d09d1f
SHA1: 44522d899e31a5a10dbd70f7b0ca2fe5a614f740
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	implementation-url	www.gatein.org/common-parent/common-common/	Low
Vendor	pom	parent-artifactid	common-parent	Low
Vendor	pom	name	GateIn - Common component (common)	High
Vendor	Manifest	Implementation-Vendor-Id	org.gatein.common	Medium
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	build-timestamp	Mon, 17 Mar 2014 20:43:14 +0100	Low
Vendor	pom	groupid	gatein.common	Highest
Vendor	pom	parent-groupid	org.gatein.common	Medium
Vendor	Manifest	java-vendor	Oracle Corporation	Medium
Vendor	Manifest	os-name	Linux	Medium
Vendor	pom	artifactid	common-common	Low
Vendor	central	groupid	org.gatein.common	Highest
Vendor	pom	groupid	org.gatein.common	Highest
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	file	name	common-common	High
Product	Manifest	specification-title	GateIn - Common component (common)	Medium
Product	Manifest	implementation-url	www.gatein.org/common-parent/common-common/	Low
Product	pom	artifactid	common-common	Highest
Product	pom	name	GateIn - Common component (common)	High
Product	Manifest	build-timestamp	Mon, 17 Mar 2014 20:43:14 +0100	Low
Product	pom	parent-artifactid	common-parent	Medium
Product	pom	groupid	gatein.common	Low
Product	central	artifactid	common-common	Highest
Product	Manifest	os-name	Linux	Medium
Product	pom	parent-groupid	org.gatein.common	Low
Product	Manifest	Implementation-Title	GateIn - Common component (common)	High
Product	file	name	common-common	High
Version	pom	version	2.2.2.Final	Highest
Version	file	version	2.2.2	Highest
Version	Manifest	Implementation-Version	2.2.2.Final	High
Version	central	version	2.2.2.Final	Highest

Identifiers

maven: org.gatein.common:common-common:2.2.2.Final ✓ Confidence:Highest

File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/wci/wci-wci/5.2.x-SNAPSHOT/wci-wci-5.2.x-SNAPSHOT.jar
MD5: 9be7f8aea19a80a647423fa43a36c72b
SHA1: 7c6923487afec73cb54ed4e7cca915b5f8cba968
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	Manifest	Implementation-Vendor-Id	org.exoplatform.gatein.wci	Medium
Vendor	Manifest	java-vendor	Oracle Corporation	Medium
Vendor	pom	parent-artifactid	wci-parent	Low
Vendor	Manifest	build-timestamp	Sun, 13 Jan 2019 13:04:07 +0000	Low
Vendor	pom	groupid	org.exoplatform.gatein.wci	Highest
Vendor	file	name	wci-wci	High
Vendor	Manifest	os-name	Linux	Medium
Vendor	pom	parent-groupid	org.exoplatform.gatein.wci	Medium
Vendor	pom	artifactid	wci-wci	Low
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	pom	groupid	exoplatform.gatein.wci	Highest
Vendor	Manifest	implementation-url	www.gatein.org/wci-parent/wci-wci/	Low
Vendor	pom	name	GateIn - Web Container Integration component (wci)	High
Product	pom	artifactid	wci-wci	Highest
Product	Manifest	Implementation-Title	GateIn - Web Container Integration component (wci)	High
Product	pom	groupid	exoplatform.gatein.wci	Low
Product	Manifest	implementation-url	www.gatein.org/wci-parent/wci-wci/	Low
Product	pom	parent-groupid	org.exoplatform.gatein.wci	Low
Product	pom	name	GateIn - Web Container Integration component (wci)	High
Product	Manifest	specification-title	GateIn - Web Container Integration component (wci)	Medium
Product	Manifest	build-timestamp	Sun, 13 Jan 2019 13:04:07 +0000	Low
Product	file	name	wci-wci	High
Product	Manifest	os-name	Linux	Medium
Product	pom	parent-artifactid	wci-parent	Medium
Version	pom	version	5.2.x-20190113.130413-39	Highest
Version	file	version	5.2	Highest
Version	pom	version	5.2.x-SNAPSHOT	Highest
Version	Manifest	Implementation-Version	5.2.x-SNAPSHOT	High

Identifiers

maven: org.exoplatform.gatein.wci:wci-wci:5.2.x-SNAPSHOT Confidence:High

Description: JiBX runtime code

License:

http://jibx.sourceforge.net/jibx-license.html

File Path: /home/ciagent/.m2/repository/org/jibx/jibx-run/1.2.6/jibx-run-1.2.6.jar
MD5: 4ef53e4279c8440aff2d16c0af024231
SHA1: 544f3ac7887d7eed20ca0420ee1963df6c7ecebb
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	jibx-run	High
Vendor	pom	artifactid	jibx-run	Low
Vendor	pom	name	jibx-run - JiBX runtime	High
Vendor	pom	groupid	jibx	Highest
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Vendor	pom	parent-artifactid	main-reactor	Low
Vendor	pom	parent-groupid	org.jibx.config	Medium
Vendor	Manifest	bundle-docurl	http://www.jibx.org	Low
Vendor	pom	groupid	org.jibx	Highest
Vendor	Manifest	bundle-symbolicname	jibx-run	Medium
Vendor	pom	description	JiBX runtime code	Medium
Vendor	central	groupid	org.jibx	Highest
Vendor	manifest	Bundle-Description	JiBX runtime code	Medium
Product	file	name	jibx-run	High
Product	pom	parent-groupid	org.jibx.config	Low
Product	pom	groupid	jibx	Low
Product	pom	name	jibx-run - JiBX runtime	High
Product	pom	artifactid	jibx-run	Highest
Product	central	artifactid	jibx-run	Highest
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.5))"	Low
Product	Manifest	bundle-docurl	http://www.jibx.org	Low
Product	Manifest	bundle-symbolicname	jibx-run	Medium
Product	Manifest	Bundle-Name	jibx-run - JiBX runtime	Medium
Product	pom	description	JiBX runtime code	Medium
Product	pom	parent-artifactid	main-reactor	Medium
Product	manifest	Bundle-Description	JiBX runtime code	Medium
Version	pom	version	1.2.6	Highest
Version	file	version	1.2.6	Highest
Version	central	version	1.2.6	Highest

Identifiers

maven: org.jibx:jibx-run:1.2.6 ✓ Confidence:Highest

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	inject	Low
Vendor	pom	description	The javax.inject API	Medium
Vendor	pom	name	javax.inject	High
Vendor	jar	package name	javax	Low
Vendor	file	name	javax.inject-1	High
Vendor	central	groupid	javax.inject	Highest
Vendor	pom	artifactid	javax.inject	Low
Vendor	pom	groupid	javax.inject	Highest
Vendor	pom	url	http://code.google.com/p/atinject/	Highest
Product	jar	package name	inject	Low
Product	pom	description	The javax.inject API	Medium
Product	pom	name	javax.inject	High
Product	file	name	javax.inject-1	High
Product	pom	artifactid	javax.inject	Highest
Product	pom	url	http://code.google.com/p/atinject/	Medium
Product	pom	groupid	javax.inject	Low
Product	central	artifactid	javax.inject	Highest
Version	pom	version	1	Highest
Version	central	version	1	Highest
Version	file	version	1	Medium

Identifiers

maven: javax.inject:javax.inject:1 ✓ Confidence:Highest

Description: JSR-250 Reference Implementation by Glassfish

License:

COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html

File Path: /home/ciagent/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar
MD5: 4cd56b2e4977e541186de69f5126b4a6
SHA1: 5025422767732a1ab45d93abfea846513d742dcf
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	jar	package name	annotation	Low
Vendor	jar	package name	javax	Low
Vendor	pom	description	JSR-250 Reference Implementation by Glassfish	Medium
Vendor	central	groupid	javax.annotation	Highest
Vendor	pom	url	http://jcp.org/aboutJava/communityprocess/final/jsr250/index.html	Highest
Vendor	pom	name	JSR-250 Common Annotations for the JavaTM Platform	High
Vendor	pom	artifactid	jsr250-api	Low
Vendor	file	name	jsr250-api	High
Vendor	pom	groupid	javax.annotation	Highest
Product	pom	groupid	javax.annotation	Low
Product	jar	package name	annotation	Low
Product	pom	description	JSR-250 Reference Implementation by Glassfish	Medium
Product	pom	artifactid	jsr250-api	Highest
Product	pom	name	JSR-250 Common Annotations for the JavaTM Platform	High
Product	pom	url	http://jcp.org/aboutJava/communityprocess/final/jsr250/index.html	Medium
Product	file	name	jsr250-api	High
Product	central	artifactid	jsr250-api	Highest
Version	pom	version	1.0	Highest
Version	central	version	1.0	Highest
Version	file	version	1.0	Highest

Identifiers

maven: javax.annotation:jsr250-api:1.0 ✓ Confidence:Highest

Description: APIs for JSR-299: Contexts and Dependency Injection for Java EE

License:

Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html

File Path: /home/ciagent/.m2/repository/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4.jar
MD5: 6c1e2b4036d64b6ba1a1136a00c7cdaa
SHA1: 6e38490033eb8b36c4cf1f7605163424a574dcf0
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	file	name	cdi-api	High
Vendor	Manifest	implementation-url	http://www.seamframework.org/Weld	Low
Vendor	pom	url	http://www.seamframework.org/Weld	Highest
Vendor	Manifest	Implementation-Vendor	Seam Framework	High
Vendor	Manifest	specification-vendor	Seam Framework	Low
Vendor	pom	parent-artifactid	weld-parent	Low
Vendor	pom	organization name	Seam Framework	High
Vendor	pom	groupid	javax.enterprise	Highest
Vendor	pom	organization url	http://seamframework.org	Medium
Vendor	pom	parent-groupid	org.jboss.weld	Medium
Vendor	pom	name	CDI APIs	High
Vendor	central	groupid	javax.enterprise	Highest
Vendor	pom	description	APIs for JSR-299: Contexts and Dependency Injection for Java EE	Medium
Vendor	pom	artifactid	cdi-api	Low
Product	pom	organization name	Seam Framework	Low
Product	file	name	cdi-api	High
Product	pom	parent-artifactid	weld-parent	Medium
Product	Manifest	implementation-url	http://www.seamframework.org/Weld	Low
Product	Manifest	Implementation-Title	CDI APIs	High
Product	pom	url	http://www.seamframework.org/Weld	Medium
Product	Manifest	specification-title	CDI APIs	Medium
Product	pom	groupid	javax.enterprise	Low
Product	pom	organization url	http://seamframework.org	Low
Product	central	artifactid	cdi-api	Highest
Product	pom	name	CDI APIs	High
Product	pom	parent-groupid	org.jboss.weld	Low
Product	pom	description	APIs for JSR-299: Contexts and Dependency Injection for Java EE	Medium
Product	pom	artifactid	cdi-api	Highest
Version	file	version	1.0.sp4	Highest
Version	central	version	1.0-SP4	Highest
Version	pom	version	1.0-SP4	Highest

Identifiers

maven: javax.enterprise:cdi-api:1.0-SP4 ✓ Confidence:Highest

Description: Implementation of Container for Exoplatform SAS 'eXo Kernel' project.

File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.container/5.2.x-SNAPSHOT/exo.kernel.container-5.2.x-SNAPSHOT.jar
MD5: 08b5875655d3b9b61dea9bf5723988a9
SHA1: a1de9405ed33efea83d23e1c3119997978803814
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	description	Implementation of Container for Exoplatform SAS 'eXo Kernel' project.	Medium
Vendor	pom	parent-artifactid	kernel-parent	Low
Vendor	Manifest	Implementation-Vendor	eXo Platform SAS	High
Vendor	Manifest	specification-vendor	eXo Platform SAS	Low
Vendor	file	name	exo.kernel.container	High
Vendor	Manifest	Implementation-Vendor-Id	org.exoplatform.kernel	Medium
Vendor	pom	artifactid	exo.kernel.container	Low
Vendor	pom	groupid	org.exoplatform.kernel	Highest
Vendor	pom	groupid	exoplatform.kernel	Highest
Vendor	pom	name	eXo PLF:: Kernel :: Container	High
Vendor	pom	parent-groupid	org.exoplatform.kernel	Medium
Product	pom	description	Implementation of Container for Exoplatform SAS 'eXo Kernel' project.	Medium
Product	pom	parent-artifactid	kernel-parent	Medium
Product	file	name	exo.kernel.container	High
Product	pom	parent-groupid	org.exoplatform.kernel	Low
Product	pom	artifactid	exo.kernel.container	Highest
Product	pom	name	eXo PLF:: Kernel :: Container	High
Product	Manifest	Implementation-Title	eXo PLF:: Kernel :: Container	High
Product	Manifest	specification-title	exo-kernel	Medium
Product	pom	groupid	exoplatform.kernel	Low
Version	file	version	5.2	Highest
Version	pom	version	5.2.x-20190113.131819-48	Highest
Version	pom	version	5.2.x-SNAPSHOT	Highest
Version	Manifest	Implementation-Version	5.2.x-SNAPSHOT	High

Identifiers

maven: org.exoplatform.kernel:exo.kernel.container:5.2.x-SNAPSHOT Confidence:High

File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/wci/wci-tomcat8/5.2.x-SNAPSHOT/wci-tomcat8-5.2.x-SNAPSHOT.jar
MD5: 1d5e66f4b045720af801a1bddc8176fe
SHA1: ae213f27b1197c2d70d4f7f90de71c126418d4a1
Referenced In Project/Scope: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	Implementation-Vendor	JBoss by Red Hat	High
Vendor	pom	artifactid	wci-tomcat8	Low
Vendor	Manifest	Implementation-Vendor-Id	org.exoplatform.gatein.wci	Medium
Vendor	file	name	wci-tomcat8	High
Vendor	Manifest	java-vendor	Oracle Corporation	Medium
Vendor	Manifest	implementation-url	www.gatein.org/wci-parent/wci-tomcat/wci-tomcat8/	Low
Vendor	Manifest	build-timestamp	Sun, 13 Jan 2019 13:04:07 +0000	Low
Vendor	pom	groupid	org.exoplatform.gatein.wci	Highest
Vendor	pom	parent-artifactid	wci-tomcat	Low
Vendor	Manifest	os-name	Linux	Medium
Vendor	pom	parent-groupid	org.exoplatform.gatein.wci	Medium
Vendor	Manifest	specification-vendor	JBoss by Red Hat	Low
Vendor	pom	groupid	exoplatform.gatein.wci	Highest
Vendor	pom	name	GateIn - WCI Tomcat 8 compatibility component	High
Product	pom	groupid	exoplatform.gatein.wci	Low
Product	Manifest	Implementation-Title	GateIn - WCI Tomcat 8 compatibility component	High
Product	pom	parent-artifactid	wci-tomcat	Medium
Product	file	name	wci-tomcat8	High
Product	pom	parent-groupid	org.exoplatform.gatein.wci	Low
Product	Manifest	specification-title	GateIn - WCI Tomcat 8 compatibility component	Medium
Product	pom	name	GateIn - WCI Tomcat 8 compatibility component	High
Product	Manifest	implementation-url	www.gatein.org/wci-parent/wci-tomcat/wci-tomcat8/	Low
Product	Manifest	build-timestamp	Sun, 13 Jan 2019 13:04:07 +0000	Low
Product	pom	artifactid	wci-tomcat8	Highest
Product	Manifest	os-name	Linux	Medium
Version	file	version	5.2	Highest
Version	Manifest	Implementation-Version	5.2.x-SNAPSHOT	High

Identifiers

maven: org.exoplatform.gatein.wci:wci-tomcat8:5.2.x-SNAPSHOT Confidence:High

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: eXo PLF:: Platform Public Distributions - Tomcat Portal Containers Creator

org.exoplatform.platform.distributions:plf-tomcat-pc-creator-listener:5.2.x-SNAPSHOT

Dependencies

tomcat-juli-8.5.35.jar

Evidence

Identifiers

tomcat-api-8.5.35.jar

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

tomcat-jni-8.5.35.jar

Evidence

Identifiers

Published Vulnerabilities

tomcat-coyote-8.5.35.jar

Evidence

Identifiers

Published Vulnerabilities

mime-util-2.1.3.jar

Evidence

Identifiers

jakarta-regexp-1.4.jar

Evidence

Identifiers

xpp3-1.1.6.jar

Evidence

Identifiers

jcl-over-slf4j-1.7.7.jar

Evidence

Identifiers

slf4j-api-1.7.7.jar

Evidence

Identifiers

exo.kernel.commons-5.2.x-SNAPSHOT.jar

Evidence

Identifiers

commons-beanutils-1.8.3.jar

Evidence

Identifiers

Published Vulnerabilities

common-common-2.2.2.Final.jar

Evidence

Identifiers

wci-wci-5.2.x-SNAPSHOT.jar

Evidence

Identifiers

jibx-run-1.2.6.jar

Evidence

Identifiers

javax.inject-1.jar

Evidence

Identifiers

jsr250-api-1.0.jar

Evidence

Identifiers

cdi-api-1.0-SP4.jar

Evidence

Identifiers

exo.kernel.container-5.2.x-SNAPSHOT.jar

Evidence

Identifiers

wci-tomcat8-5.2.x-SNAPSHOT.jar

Evidence

Identifiers