Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
File Path: /home/ciagent/.m2/repository/commons-collections/commons-collections/3.2.2/commons-collections-3.2.2.jar MD5: f54a8510f834a1a57166970bfc982e94 SHA1: 8ad72fe39fa8c91eaaf12aadb21e0c3661fe26d5
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/javax/ws/rs/jsr311-api/1.1.1/jsr311-api-1.1.1.jar MD5: c9803468299ec255c047a280ddec510f SHA1: 59033da2a1afd56af1ac576750a8d0b1830d59e6
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/log4j/log4j/1.2.17/log4j-1.2.17.jar MD5: 04a41f0a068986f0f73485cf507c0f40 SHA1: 5af35056b4d257e4b64b9e8069c0746e8b08629f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.22/nekohtml-1.9.22.jar MD5: a97dfe2d0ceb81ffbdd15436961b0f23 SHA1: 4f54af68ecb345f2453fb6884672ad08414154e3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: A Java 1.5 Parser with AST generation and visitor support. The AST records the source code structure, javadoc and comments. It is also possible to change the AST nodes or create new ones to modify the source code.
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl.html
File Path: /home/ciagent/.m2/repository/com/google/code/javaparser/javaparser/1.0.8/javaparser-1.0.8.jar MD5: 32228e53ef6cc2ebe515bc40d7c9a4f9 SHA1: 9ca2f8ef2233babc53a8c2b6bb21869d94f5fcc1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:runtime
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | name | Java 1.5 Parser and AST | High |
| Vendor | pom | artifactid | javaparser | Low |
| Vendor | pom | url | http://code.google.com/p/javaparser/ | Highest |
| Vendor | jar | package name | japa | Low |
| Vendor | jar | package name | ast | Low |
| Vendor | file | name | javaparser | High |
| Vendor | jar | package name | parser | Low |
| Vendor | pom | description | A Java 1.5 Parser with AST generation and visitor support. The AST records the source code structure, javadoc and comments. It is also possible to change the AST nodes or create new ones to modify the source code. | Low |
| Vendor | pom | groupid | google.code.javaparser | Highest |
| Vendor | pom | groupid | com.google.code.javaparser | Highest |
| Product | pom | name | Java 1.5 Parser and AST | High |
| Product | pom | groupid | google.code.javaparser | Low |
| Product | pom | url | http://code.google.com/p/javaparser/ | Medium |
| Product | jar | package name | ast | Low |
| Product | pom | artifactid | javaparser | Highest |
| Product | file | name | javaparser | High |
| Product | jar | package name | parser | Low |
| Product | pom | description | A Java 1.5 Parser with AST generation and visitor support. The AST records the source code structure, javadoc and comments. It is also possible to change the AST nodes or create new ones to modify the source code. | |
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.testgenerator/1.3.0/chromattic.testgenerator-1.3.0.jar MD5: 971802dfdfdc6500f1ff0e583a7659a1 SHA1: e725269db29a0fc8c982df481e5ce09b84e5d6a8
Referenced In Project/Scope:
eXo PLF:: Social Service Component:test-compile
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.metamodel/1.3.0/chromattic.metamodel-1.3.0.jar MD5: 0d534975c688ebabbc232601c6bc13da SHA1: fbaa10037faf34a2d4d8eeb4e6b5ce28c95a9455
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.api/1.3.0/chromattic.api-1.3.0.jar MD5: 11f2df6e3a3b4451719710c0f4c08103 SHA1: 4f60a9585bd6e68833eaaea1f1a615c682adbe27
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.spi/1.3.0/chromattic.spi-1.3.0.jar MD5: e440e3f5a8e5ad38720975546ab7f06d SHA1: 64c36f826b832acab48fea793b7c70b019a46181
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.common/1.3.0/chromattic.common-1.3.0.jar MD5: 15bfb4cc0312aefffb25952cdf18b2cd SHA1: 55470175c1ba46a917504acf97018e6ef2932659
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/reflext/reflext.api/1.1.0/reflext.api-1.1.0.jar MD5: fe732172fa2fb5ae4b63866ef15da41f SHA1: 28374c509099736aeedc52fef3d7b8e78238c2a0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/reflext/reflext.core/1.1.0/reflext.core-1.1.0.jar MD5: cc65231f60a70dec43a57ccba5adce81 SHA1: 56316a714b99d7ac85d23d0f1a4680149c3273d6
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/reflext/reflext.spi/1.1.0/reflext.spi-1.1.0.jar MD5: 2c967ae0c3078d23b615f8825377f304 SHA1: 4df0428c39922079c53955602bce66735f9d20a8
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: The Reflext Framework Java Lang Reflect Plugin
File Path: /home/ciagent/.m2/repository/org/reflext/reflext.jlr/1.1.0/reflext.jlr-1.1.0.jar MD5: 1103f3b1ed3762e0bd100cbee6e7f345 SHA1: 79ad1a5053213cbb350d37ff12d5f767243c8c46
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation.
License:
Day License: http://www.day.com/maven/jsr170/licenses/day-spec-license.htm
File Path: /home/ciagent/.m2/repository/javax/jcr/jcr/1.0.1/jcr-1.0.1.jar MD5: 4639c7b994528948dab1a4feb1f68d6f SHA1: 567ee103cf7592e3cf036e1bf4e2e06b9f08e1a1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | jcr | High |
| Vendor | pom | artifactid | jcr | Low |
| Vendor | pom | name | Content Repository for Java Technology API | High |
| Vendor | pom | groupid | javax.jcr | Highest |
| Vendor | Manifest | extension-name | jcr | Medium |
| Vendor | pom | organization name | Day Software Management AG | High |
| Vendor | pom | description | Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation. | Low |
| Vendor | pom | url | http://www.jcp.org/en/jsr/detail?id=170 | Highest |
| Vendor | Manifest | Implementation-Vendor | Day Software Management AG | High |
| Vendor | Manifest | specification-vendor | Day Software Management AG | Low |
| Vendor | pom | organization url | http://www.day.com/ | Medium |
| Product | file | name | jcr | High |
| Product | Manifest | Implementation-Title | javax.jcr | High |
| Product | pom | groupid | javax.jcr | Low |
| Product | pom | organization name | Day Software Management AG | Low |
| Product | pom | organization url | http://www.day.com/ | Low |
| Product | pom | name | Content Repository for Java Technology API | High |
| Product | Manifest | extension-name | jcr | Medium |
| Product | Manifest | specification-title | Content Repository for Java Technology API | Medium |
| Product | pom | description | Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation. | |
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.core/1.3.0/chromattic.core-1.3.0.jar MD5: 9ece56be0e1e1b3289bbe177e8e1b4ab SHA1: 1bc4ebc89d7b47af394b920f44a0b51409343034
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: /home/ciagent/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar MD5: 4d5c1693079575b362edf41500630bbd SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | manifest | Bundle-Description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | name | Commons Lang | High |
| Vendor | pom | groupid | commons-lang | Highest |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | pom | url | http://commons.apache.org/lang/ | Highest |
| Vendor | central | groupid | commons-lang | High |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | central | groupid | org.netbeans.external | High |
| Vendor | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium |
| Vendor | file | name | commons-lang | High |
| Vendor | pom | artifactid | commons-lang | Low |
| Product | manifest | Bundle-Description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low |
| Product | Manifest | Bundle-Name | Commons Lang | Medium |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | |
File Path: /home/ciagent/.m2/repository/commons-chain/commons-chain/1.2/commons-chain-1.2.jar MD5: e18e2c87826644e4c8c08635572c154f SHA1: 744a13e8766e338bd347b6fbc28c6db12979d0c6
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | description | An implementation of the GoF Chain of Responsibility pattern | Medium |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | Manifest | bundle-docurl | http://commons.apache.org/chain/ | Low |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | pom | name | Commons Chain | High |
| Vendor | manifest | Bundle-Description | An implementation of the GoF Chain of Responsibility pattern | Medium |
| Vendor | file | name | commons-chain | High |
| Vendor | central | groupid | commons-chain | Highest |
| Vendor | pom | groupid | commons-chain | Highest |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | pom | url | http://commons.apache.org/chain/ | Highest |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.chain | Medium |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | pom | artifactid | commons-chain | Low |
| Product | pom | description | An implementation of the GoF Chain of Responsibility pattern | Medium |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | Manifest | bundle-docurl | http://commons.apache.org/chain/ | Low |
| Product | pom | groupid | commons-chain | Low |
| Product | Manifest | specification-title | Commons Chain | Medium |
| Product | Manifest | Bundle-Name | Commons Chain | Medium |
| Product | pom | name | Commons Chain | High |
| Product | manifest | Bundle-Description | An implementation of the GoF Chain of Responsibility pattern | |
Description:
The Digester package lets you configure an XML to Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.
File Path: /home/ciagent/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar MD5: 528445033f22da28f5047b6abcd1c7c9 SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | commons-digester | Highest |
| Vendor | pom | artifactid | commons-digester | Low |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | parent-artifactid | commons-parent | Low |
| Vendor | file | name | commons-digester | High |
| Vendor | central | groupid | commons-digester | Highest |
| Vendor | pom | parent-groupid | org.apache.commons | Medium |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | Manifest | bundle-symbolicname | org.apache.commons.digester | Medium |
| Vendor | pom | description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium |
| Vendor | pom | name | Commons Digester | High |
| Vendor | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low |
| Vendor | pom | url | http://commons.apache.org/digester/ | Highest |
| Vendor | manifest | Bundle-Description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low |
| Product | pom | parent-artifactid | commons-parent | Medium |
| Product | pom | groupid | commons-digester | Low |
| Product | pom | artifactid | commons-digester | Highest |
| Product | file | name | commons-digester | High |
| Product | pom | parent-groupid | org.apache.commons | Low |
| Product | Manifest | bundle-symbolicname | org.apache.commons.digester | Medium |
| Product | Manifest | Bundle-Name | Commons Digester | Medium |
| Product | pom | description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low |
| Product | central | artifactid | commons-digester | Highest |
| Product | pom | name | Commons Digester | High |
| Product | Manifest | specification-title | Commons Digester | Medium |
| Product | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low |
| Product | Manifest | Implementation-Title | Commons Digester | High |
| Product | manifest | Bundle-Description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | |
Description: Implementation of Command Service of Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.command/5.3.x-SNAPSHOT/exo.kernel.component.command-5.3.x-SNAPSHOT.jar MD5: c8e34b4521db08641687547b1fbc1ce5 SHA1: 1527c8dccb38e62fb298b68bda8263e9005bc6c1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | specification-vendor | eXo Platform SAS | Low |
| Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.kernel | Medium |
| Vendor | pom | parent-groupid | org.exoplatform.kernel | Medium |
| Vendor | pom | description | Implementation of Command Service of Exoplatform SAS 'eXo Kernel' project. | Medium |
| Vendor | pom | groupid | org.exoplatform.kernel | Highest |
| Vendor | file | name | exo.kernel.component.command | High |
| Vendor | pom | groupid | exoplatform.kernel | Highest |
| Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High |
| Vendor | pom | parent-artifactid | kernel-parent | Low |
| Vendor | pom | name | eXo PLF:: Kernel :: Component :: Command Service | High |
| Vendor | pom | artifactid | exo.kernel.component.command | Low |
| Product | Manifest | specification-title | exo-kernel | Medium |
| Product | pom | description | Implementation of Command Service of Exoplatform SAS 'eXo Kernel' project. | |
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
File Path: /home/ciagent/.m2/repository/org/apache/pdfbox/fontbox/1.8.14/fontbox-1.8.14.jar MD5: 901640f7e2bd12508ae4a7cccba3df79 SHA1: 9c7caec614a6a132bedc83f1d6d247bb96ca0df3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Description:
The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM)
specification. JempBox is a subproject of Apache PDFBox.
File Path: /home/ciagent/.m2/repository/org/apache/pdfbox/jempbox/1.8.14/jempbox-1.8.14.jar MD5: 393135759731daf4e301903b3de2fbbb SHA1: 7f94c7cd4efc21e78729436cc4cf0c09eeea0f38
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
File Path: /home/ciagent/.m2/repository/org/apache/pdfbox/pdfbox/1.8.14/pdfbox-1.8.14.jar MD5: c90740e185fc2f8013d1119f509ea4f3 SHA1: 7550298240c8540b721733ede6dc88fcf4fa2b0f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | groupid | org.apache.pdfbox | Highest |
| Vendor | Manifest | bundle-symbolicname | org.apache.pdfbox | Medium |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache.pdfbox | Medium |
| Vendor | pom | description | The Apache PDFBox library is an open source Java tool for working with PDF documents. | |
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Description: HTML Lexer is the low level lexical analyzer.
File Path: /home/ciagent/.m2/repository/org/htmlparser/htmllexer/2.1/htmllexer-2.1.jar MD5: 1cb7184766a0c52f4d98d671bb08be19 SHA1: 2ebf2c073e649b7e674cddd0558ff102a486402f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: HTML Parser is the high level syntactical analyzer.
File Path: /home/ciagent/.m2/repository/org/htmlparser/htmlparser/2.1/htmlparser-2.1.jar MD5: aa05b921026c228f92ef8b4a13c26f8d SHA1: c752e5984b7767533cbd3fdffa48cecb52fa226c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | parent-artifactid | HTMLParserProject | Low |
| Vendor | pom | groupid | htmlparser | Highest |
| Vendor | pom | parent-groupid | org.htmlparser | Medium |
| Vendor | pom | artifactid | htmlparser | Low |
| Vendor | central | groupid | org.htmlparser | Highest |
| Vendor | pom | url | http://htmlparser.org | Highest |
| Vendor | jar | package name | htmlparser | Low |
| Vendor | file | name | htmlparser | High |
| Vendor | pom | groupid | org.htmlparser | Highest |
| Vendor | pom | description | HTML Parser is the high level syntactical analyzer. | Medium |
| Vendor | pom | name | HTML Parser Jar | High |
| Product | pom | artifactid | htmlparser | Highest |
| Product | central | artifactid | htmlparser | Highest |
| Product | pom | groupid | htmlparser | Low |
| Product | pom | parent-artifactid | HTMLParserProject | Medium |
| Product | pom | url | http://htmlparser.org | Medium |
| Product | file | name | htmlparser | High |
| Product | pom | description | HTML Parser is the high level syntactical analyzer. | |
Description: Apache POI - Java API To Access Microsoft Format Files
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/poi/poi/3.13/poi-3.13.jar MD5: 1b43f32e2211546040597a9e2d07b869 SHA1: 0f59f504ba8c521e61e25f417ec652fd485010f3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | org.apache.poi | Highest |
| Vendor | file | name | poi | High |
| Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low |
| Vendor | pom | groupid | apache.poi | Highest |
| Vendor | pom | name | Apache POI | High |
| Vendor | pom | organization name | Apache Software Foundation | High |
| Vendor | pom | organization url | http://www.apache.org/ | Medium |
| Vendor | Manifest | Implementation-Vendor-Id | org.apache.poi | Medium |
| Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High |
| Vendor | pom | artifactid | poi | Low |
| Vendor | central | groupid | org.apache.poi | Highest |
| Vendor | pom | description | Apache POI - Java API To Access Microsoft Format Files | Medium |
| Vendor | pom | url | http://poi.apache.org/ | Highest |
| Product | Manifest | specification-title | Apache POI | Medium |
| Product | pom | artifactid | poi | Highest |
| Product | file | name | poi | High |
| Product | central | artifactid | poi | Highest |
| Product | pom | name | Apache POI | High |
| Product | pom | description | Apache POI - Java API To Access Microsoft Format Files | |
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
File Path: /home/ciagent/.m2/repository/org/apache/tika/tika-core/1.5/tika-core-1.5.jar MD5: e864bf637f51283dc525087b015d7b1a SHA1: 194ca0fb3d73b07737524806fbc3bec89063c03a
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | manifest | Bundle-Description | This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API. | Low |
| Vendor | pom | url | http://tika.apache.org/ | Highest |
| Vendor | pom | artifactid | tika-core | Low |
| Vendor | pom | groupid | apache.tika | Highest |
| Vendor | Manifest | bundle-symbolicname | org.apache.tika.core | Medium |
| Vendor | pom | parent-groupid | org.apache.tika | Medium |
| Vendor | pom | organization name | The Apache Software Foundation | High |
| Vendor | file | name | tika-core | High |
| Vendor | Manifest | bundle-docurl | http://tika.apache.org/ | Low |
| Vendor | pom | groupid | org.apache.tika | Highest |
| Vendor | pom | parent-artifactid | tika-parent | Low |
| Vendor | pom | description | This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API. | Low |
| Vendor | pom | organization url | http://www.apache.org | Medium |
| Vendor | central | groupid | org.apache.tika | Highest |
| Vendor | pom | name | Apache Tika core | High |
| Product | manifest | Bundle-Description | This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API. | Low |
| Product | pom | organization url | http://www.apache.org | Low |
| Product | Manifest | Bundle-Name | Apache Tika core | Medium |
| Product | Manifest | bundle-symbolicname | org.apache.tika.core | Medium |
| Product | pom | artifactid | tika-core | Highest |
| Product | file | name | tika-core | High |
| Product | Manifest | bundle-docurl | http://tika.apache.org/ | Low |
| Product | pom | parent-groupid | org.apache.tika | Low |
| Product | central | artifactid | tika-core | Highest |
| Product | pom | groupid | apache.tika | Low |
| Product | pom | description | This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API. | |
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
File Path: /home/ciagent/.m2/repository/org/gagravarr/vorbis-java-core/0.1/vorbis-java-core-0.1-tests.jar MD5: d58f076c08a917277d03f3417aa867a6 SHA1: c849979e199d8a7c3da1a00799c623c00f94efac
Referenced In Project/Scope:
eXo PLF:: Social Service Component:test,provided
File Path: /home/ciagent/.m2/repository/org/gagravarr/vorbis-java-tika/0.1/vorbis-java-tika-0.1.jar MD5: 1fccc6796a0924ba4f32eb1d44b8616b SHA1: 6966c8663a7f689021accb13cceaa6101f53ea3d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Description: The NetCDF-Java Library is a Java interface to NetCDF files,
as well as to many other types of scientific data formats.
License:
(MIT-style) netCDF C library license.: http://www.unidata.ucar.edu/software/netcdf/copyright.html
File Path: /home/ciagent/.m2/repository/edu/ucar/netcdf/4.2-min/netcdf-4.2-min.jar MD5: eb00b40b0511f0fc1dfcfc9cb89e3c53 SHA1: 0f3c3f3db4c54483aa1fbc4497e300879ce24da1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence

| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | central | groupid | edu.ucar | Highest |
| Vendor | file | name | netcdf | High |
| Vendor | pom | name | The NetCDF-Java Library | High |
| Vendor | Manifest | Implementation-Vendor | UCAR/Unidata | High |
| Vendor | pom | description | The NetCDF-Java Library is a Java interface to NetCDF files, as well as to many other types of scientific data formats. | Low |
| Vendor | pom | groupid | edu.ucar | Highest |
| Vendor | pom | artifactid | netcdf | Low |
| Vendor | Manifest | built-on | 2010-11-24 05:51:29 | Low |
| Vendor | pom | url | http://www.unidata.ucar.edu/software/netcdf-java/ | Highest |
| Product | pom | groupid | edu.ucar | Low |
| Product | file | name | netcdf | High |
| Product | pom | name | The NetCDF-Java Library | High |
| Product | Manifest | Implementation-Title | NetCDF-Java-Library | High |
| Product | pom | artifactid | netcdf | Highest |
| Product | pom | description | The NetCDF-Java Library is a Java interface to NetCDF files, as well as to many other types of scientific data formats. | |
File Path: /home/ciagent/.m2/repository/org/apache/james/apache-mime4j-core/0.7.2/apache-mime4j-core-0.7.2.jar MD5: 88f799546eca803c53eee01a4ce5edcd SHA1: a81264fe0265ebe8fd1d8128aad06dc320de6eef
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/tukaani/xz/1.2/xz-1.2.jar MD5: 04bd31459826c30c2a3c304e3b225ad4 SHA1: bfc66dda280a18ab341b5023248925265c00394c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
Description:
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
File Path: /home/ciagent/.m2/repository/org/apache/commons/commons-compress/1.5/commons-compress-1.5.jar MD5: 5e18cfcf472548c2e0b90a4ea1cedf42 SHA1: d2bd2c0bd328f1dabdf33e10b6d223ebcbe93343
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Apache Commons Compress software defines an API for working with compression and archive formats.These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
Low
Vendor
Manifest
Implementation-Vendor-Id
org.apache
Medium
Vendor
pom
description
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
Low
Product
pom
groupid
apache.commons
Low
Product
pom
description
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
Description: The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. If the S/MIME API is used, the JavaMail API and the Java activation framework will also be needed.
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcmail-jdk15/1.45/bcmail-jdk15-1.45.jar MD5: 13321fc7eff7bcada7b4fedfb592025c SHA1: 3aed7e642dd8d39dc14ed1dec3ff79e084637148
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | bouncycastle | Highest
Vendor | central | groupid | org.bouncycastle | Highest
Vendor | file | name | bcmail-jdk15 | High
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | pom | name | Bouncy Castle CMS and S/MIME API | High
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | Manifest | extension-name | org.bouncycastle.bcmail | Medium
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Vendor | pom | description | The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider ... | Low
Vendor | pom | artifactid | bcmail-jdk15 | Low
Product | pom | url | http://www.bouncycastle.org/java.html | Medium
Product | file | name | bcmail-jdk15 | High
Product | pom | name | Bouncy Castle CMS and S/MIME API | High
Product | pom | artifactid | bcmail-jdk15 | Highest
Product | pom | description | The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider ... |
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar MD5: 2062f8e3d15748443ea60a94b266371c SHA1: 7741883cb07b4634e8b5fd3337113b6ea770a9bb
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | bouncycastle | Highest
Vendor | central | groupid | org.bouncycastle | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | pom | name | Bouncy Castle Provider | High
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | pom | description | The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5. | Low
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | file | name | bcprov-jdk15 | High
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Vendor | pom | artifactid | bcprov-jdk15 | Low
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Product | pom | artifactid | bcprov-jdk15 | Highest
Product | file | name | bcprov-jdk15 | High
Product | pom | url | http://www.bouncycastle.org/java.html | Medium
Product | pom | name | Bouncy Castle Provider | High
Product | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Product | pom | description | The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5. |
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The Bouncy Castle Java library before 1.51 does not validate a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
File Path: /home/ciagent/.m2/repository/org/ccil/cowan/tagsoup/tagsoup/1.2.1/tagsoup-1.2.1.jar MD5: ae73a52cdcbec10cd61d9ef22fab5936 SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | description | TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML. | Low
Vendor | file | name | tagsoup | High
Vendor | central | groupid | org.ccil.cowan.tagsoup | Highest
Vendor | pom | name | TagSoup | High
Vendor | pom | groupid | org.ccil.cowan.tagsoup | Highest
Vendor | pom | url | http://home.ccil.org/~cowan/XML/tagsoup/ | Highest
Vendor | pom | groupid | ccil.cowan.tagsoup | Highest
Vendor | pom | artifactid | tagsoup | Low
Product | pom | description | TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML. |
File Path: /home/ciagent/.m2/repository/org/ow2/asm/asm-debug-all/4.1/asm-debug-all-4.1.jar MD5: 6c3a8842f484dd3d620002b361e3610e SHA1: dd6ba5c392d4102458494e29f54f70ac534ec2a2
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/googlecode/mp4parser/isoparser/1.0-RC-1/isoparser-1.0-RC-1.jar MD5: b0444fde2290319c9028564c3c3ff1ab SHA1: 4a5768b1070b9488a433362d736720fd7a7b264f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://code.google.com/p/mp4parser/ | Highest
Vendor | central | groupid | com.googlecode.mp4parser | Highest
Vendor | file | name | isoparser | High
Vendor | jar | package name | iso | Low
Vendor | pom | description | A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...) | Medium
Vendor | jar | package name | boxes | Low
Vendor | pom | groupid | com.googlecode.mp4parser | Highest
Vendor | pom | artifactid | isoparser | Low
Vendor | pom | name | ISO Parser | High
Vendor | jar | package name | coremedia | Low
Vendor | pom | groupid | googlecode.mp4parser | Highest
Product | pom | artifactid | isoparser | Highest
Product | file | name | isoparser | High
Product | pom | url | http://code.google.com/p/mp4parser/ | Medium
Product | jar | package name | iso | Low
Product | pom | groupid | googlecode.mp4parser | Low
Product | pom | description | A generic parser and writer for all ISO 14496 based files (MP4, Quicktime, DCF, PDCF, ...) |
Severity:
Low
CVSS Score: 2.1
(AV:N/AC:H/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.
Description:
The XMP Library for Java is based on the C++ XMPCore library
and the API is similar.
License:
The BSD License: http://www.adobe.com/devnet/xmp/library/eula-xmp-library-java.html
File Path: /home/ciagent/.m2/repository/com/adobe/xmp/xmpcore/5.1.2/xmpcore-5.1.2.jar MD5: 0b2cf2a09d32abdedd17de864e93ad25 SHA1: 55615fa2582424e38705487d1d3969af8554f637
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | builddate | 2012 Jul 03 11:48:46-CEST | Low
Vendor | Manifest | implementation-engbuild | 003 | Low
Vendor | pom | groupid | adobe.xmp | Highest
Vendor | pom | artifactid | xmpcore | Low
Vendor | Manifest | implementation-micro | 1 | Low
Vendor | pom | description | The XMP Library for Java is based on the C++ XMPCore library and the API is similar. | Medium
Vendor | Manifest | implementation-major | 5 | Low
Vendor | Manifest | Implementation-Vendor | Copyright 2006-2009 Adobe Systems Incorporated. All rights reserved | High
Vendor | file | name | xmpcore | High
Vendor | pom | url | http://www.adobe.com/devnet/xmp.html | Highest
Vendor | central | groupid | com.adobe.xmp | Highest
Vendor | pom | name | XMP Library for Java | High
Vendor | Manifest | implementation-minor | 1 | Low
Vendor | pom | groupid | com.adobe.xmp | Highest
Product | pom | groupid | adobe.xmp | Low
Product | pom | url | http://www.adobe.com/devnet/xmp.html | Medium
Product | Manifest | builddate | 2012 Jul 03 11:48:46-CEST | Low
Product | Manifest | implementation-engbuild | 003 | Low
Product | Manifest | implementation-micro | 1 | Low
Product | central | artifactid | xmpcore | Highest
Product | pom | description | The XMP Library for Java is based on the C++ XMPCore library and the API is similar. |
Description: Java library for reading metadata from image files.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/com/drewnoakes/metadata-extractor/2.6.2/metadata-extractor-2.6.2.jar MD5: 8f3acbee87dbd5b0cdfacee3bb3aff8b SHA1: 13930ff22d3f152bd969a63e88537d2f2adc2cd5
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | metadata | Low
Vendor | pom | groupid | drewnoakes | Highest
Vendor | pom | description | Java library for reading metadata from image files. | Medium
Vendor | pom | url | http://code.google.com/p/metadata-extractor/ | Highest
Vendor | file | name | metadata-extractor | High
Vendor | jar | package name | drew | Low
Vendor | central | groupid | com.drewnoakes | Highest
Vendor | pom | artifactid | metadata-extractor | Low
Vendor | pom | name | metadata-extractor | High
Vendor | pom | groupid | com.drewnoakes | Highest
Product | jar | package name | metadata | Low
Product | pom | description | Java library for reading metadata from image files. |
File Path: /home/ciagent/.m2/repository/org/gagravarr/vorbis-java-core/0.1/vorbis-java-core-0.1.jar MD5: b88115be2754cb6883e652ba68ca46c8 SHA1: 662a02b94701947e6e66e7793d996043f05fad4a
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Mozilla Public License 1.1 (MPL 1.1): http://www.mozilla.org/MPL/MPL-1.1.html
File Path: /home/ciagent/.m2/repository/com/googlecode/juniversalchardet/juniversalchardet/1.0.3/juniversalchardet-1.0.3.jar MD5: d9ea0a9a275336c175b343f2e4cd8f27 SHA1: cd49678784c46aa8789c060538e0154013bb421b
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
JHighlight is an embeddable pure Java syntax highlighting
library that supports Java, HTML, XHTML, XML and LZX
languages and outputs to XHTML.
It also supports RIFE templates tags and highlights them
clearly so that you can easily identify the difference
between your RIFE markup and the actual marked up source.
License:
CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php
LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.php
File Path: /home/ciagent/.m2/repository/com/uwyn/jhighlight/1.0/jhighlight-1.0.jar MD5: 0ad5cf1bc56657f5e9e327e5e768da0a SHA1: 0b1774029ee29472df8c25e5ba796431f7689fd6
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.uwyn | Highest
Vendor | pom | name | JHighlight | High
Vendor | pom | url | https://jhighlight.dev.java.net/ | Highest
Vendor | pom | artifactid | jhighlight | Low
Vendor | jar | package name | jhighlight | Low
Vendor | pom | groupid | uwyn | Highest
Vendor | pom | organization url | http://uwyn.com/ | Medium
Vendor | jar | package name | uwyn | Low
Vendor | pom | organization name | Uwyn | High
Vendor | pom | description | JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source. | Low
Vendor | file | name | jhighlight | High
Vendor | central | groupid | com.uwyn | Highest
Product | pom | groupid | uwyn | Low
Product | pom | name | JHighlight | High
Product | pom | organization url | http://uwyn.com/ | Low
Product | central | artifactid | jhighlight | Highest
Product | pom | organization name | Uwyn | Low
Product | pom | description | JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source. |
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/xmlbeans/xmlbeans/2.6.0/xmlbeans-2.6.0.jar MD5: 6591c08682d613194dacb01e95c78c2c SHA1: 29e80d2dd51f9dcdef8f9ffaee0d4dc1c9bbfc87
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Implementation of Document Service of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.document/5.3.x-SNAPSHOT/exo.core.component.document-5.3.x-SNAPSHOT.jar MD5: f45710d396a164821cae9d6be2c43dea SHA1: 3816bb2203bb3f7c818df5a3a3949a093bd74d02
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | name | eXo PLF Core :: Component :: Document Service | High
Vendor | pom | description | Implementation of Document Service of Exoplatform SAS 'eXo Core' project. | Medium
Vendor | pom | groupid | org.exoplatform.core | Highest
Vendor | file | name | exo.core.component.document | High
Vendor | pom | parent-artifactid | core-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.core | Medium
Vendor | pom | artifactid | exo.core.component.document | Low
Vendor | pom | groupid | exoplatform.core | Highest
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | parent-groupid | org.exoplatform.core | Medium
Product | pom | artifactid | exo.core.component.document | Highest
Product | pom | name | eXo PLF Core :: Component :: Document Service | High
Product | pom | parent-groupid | org.exoplatform.core | Low
Product | pom | groupid | exoplatform.core | Low
Product | pom | parent-artifactid | core-parent | Medium
Product | pom | description | Implementation of Document Service of Exoplatform SAS 'eXo Core' project. |
File Path: /home/ciagent/.m2/repository/org/apache/lucene/lucene-core/3.6.2/lucene-core-3.6.2.jar MD5: ee396d04f5a35557b424025f5382c815 SHA1: 9ec77e2507f9cc01756964c71d91efd8154a8c47
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/apache/lucene/lucene-analyzers/3.6.2/lucene-analyzers-3.6.2.jar MD5: 13f8241b6991bd1349c05369a7c0f002 SHA1: 3a083510dcb0d0fc67f8456cdac6f48aa0da2993
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/apache/lucene/lucene-spellchecker/3.6.2/lucene-spellchecker-3.6.2.jar MD5: a4b684913f93aea76f5dbd7e479f19c5 SHA1: 15db0c0cfee44e275f15ad046e46b9a05910ad24
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation.
File Path: /home/ciagent/.m2/repository/javax/transaction/jta/1.1/jta-1.1.jar MD5: 82a10ce714f411b28f13850059de09ee SHA1: 2ca09f0b36ca7d71b762e14ea2ff09d5eac57558
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | extension-name | javax.transaction | Medium
Vendor | pom | description | The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation. | Low
Vendor | pom | name | Java Transaction API | High
Vendor | file | name | jta | High
Vendor | Manifest | specification-vendor | Sun Microsystems, Inc. | Low
Vendor | pom | url | http://java.sun.com/products/jta | Highest
Vendor | pom | artifactid | jta | Low
Vendor | pom | groupid | javax.transaction | Highest
Vendor | central | groupid | javax.transaction | High
Product | Manifest | extension-name | javax.transaction | Medium
Product | pom | description | The javax.transaction package. It is appropriate for inclusion in a classpath, and may be added to a Java 2 installation. |
Public domain, Sun Microsystems: http://gee.cs.oswego.edu/dl/classes/EDU/oswego/cs/dl/util/concurrent/intro.html
File Path: /home/ciagent/.m2/repository/concurrent/concurrent/1.3.4/concurrent-1.3.4.jar MD5: f29b9d930d3426ebc56919eba10fbd4d SHA1: 1cf394c2a388199db550cda311174a4c6a7d117c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/jgroups/jgroups/3.6.13.Final/jgroups-3.6.13.Final.jar MD5: d7a4d1065e9b09e3f48bfa88ab368a0c SHA1: 1315a8a1aed98dcafc11a850957ced42dc26bf18
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.jgroups | Highest
Vendor | Manifest | bundle-symbolicname | org.jgroups | Medium
Vendor | pom | description | Reliable cluster communication toolkit | Medium
Vendor | file | name | jgroups | High
Vendor | pom | groupid | org.jgroups | Highest
Vendor | pom | name | JGroups | High
Vendor | pom | groupid | jgroups | Highest
Vendor | pom | organization name | JBoss, a division of Red Hat | High
Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low
Vendor | pom | url | http://www.jgroups.org | Highest
Vendor | pom | artifactid | jgroups | Low
Vendor | Manifest | bundle-docurl | http://www.jboss.org | Low
Vendor | pom | organization url | http://www.jboss.org | Medium
Vendor | manifest | Bundle-Description | Ant/ivy based build.xml file for JGroups. Needs ant to run | Medium
Product | pom | artifactid | jgroups | Highest
Product | Manifest | bundle-symbolicname | org.jgroups | Medium
Product | pom | description | Reliable cluster communication toolkit | Medium
Product | file | name | jgroups | High
Product | pom | organization name | JBoss, a division of Red Hat | Low
Product | Manifest | Bundle-Name | JGroups | Medium
Product | pom | name | JGroups | High
Product | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low
Product | pom | groupid | jgroups | Low
Product | pom | url | http://www.jgroups.org | Medium
Product | pom | organization url | http://www.jboss.org | Low
Product | Manifest | bundle-docurl | http://www.jboss.org | Low
Product | manifest | Bundle-Description | Ant/ivy based build.xml file for JGroups. Needs ant to run |
File Path: /home/ciagent/.m2/repository/org/jboss/jbossts/jbossjta/4.16.6.Final/jbossjta-4.16.6.Final.jar MD5: 9e3c8d7d93b92ab97489aeb5816370c8 SHA1: 99e79e03ced180bea4e3307511d350eb2b88c91c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/ws/commons/ws-commons-util/1.0.1/ws-commons-util-1.0.1.jar MD5: 66919d22287ddab742a135da764c2cd6 SHA1: 126e80ff798fece634bc94e61f8be8a8da00be60
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | file | name | ws-commons-util | High
Vendor | Manifest | extension-name | ws-commons-util | Medium
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Vendor | pom | name | Apache WebServices Common Utilities | High
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | pom | organization url | http://www.apache.org/ | Medium
Vendor | pom | groupid | org.apache.ws.commons | Highest
Vendor | pom | artifactid | ws-commons-util | Low
Vendor | central | groupid | org.apache.ws.commons | High
Vendor | pom | description | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | Low
Vendor | central | groupid | ws-commons-util | High
Vendor | pom | url | http://ws.apache.org/commons/util | Highest
Vendor | pom | groupid | apache.ws.commons | Highest
Product | file | name | ws-commons-util | High
Product | Manifest | extension-name | ws-commons-util | Medium
Product | pom | name | Apache WebServices Common Utilities | High
Product | pom | organization url | http://www.apache.org/ | Low
Product | pom | groupid | apache.ws.commons | Low
Product | pom | description | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | Low
Product | Manifest | Implementation-Title | ws-commons-util | High
Product | central | artifactid | ws-commons-util | High
Product | pom | artifactid | ws-commons-util | Highest
Product | pom | url | http://ws.apache.org/commons/util | Medium
Product | Manifest | specification-title | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. |
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
File Path: /home/ciagent/.m2/repository/org/jboss/jboss-common-core/2.2.22.GA/jboss-common-core-2.2.22.GA.jar MD5: 8c415e1467075a90045a7b0fd19886a3 SHA1: ae1a22412d879c4ac48e35cf00f438bb263d41c3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/ciagent/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar MD5: b58ca53e518a92a1991eb63b61917582 SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.antlr | Highest
Vendor | pom | name | ANTLR StringTemplate | High
Vendor | pom | groupid | antlr | Highest
Vendor | pom | artifactid | stringtemplate | Low
Vendor | jar | package name | stringtemplate | Low
Vendor | jar | package name | language | Low
Vendor | file | name | stringtemplate | High
Vendor | pom | url | http://www.stringtemplate.org | Highest
Vendor | pom | description | StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that un... | Low
Vendor | central | groupid | org.antlr | Highest
Vendor | jar | package name | antlr | Low
Product | pom | artifactid | stringtemplate | Highest
Product | pom | groupid | antlr | Low
Product | pom | url | http://www.stringtemplate.org | Medium
Product | pom | name | ANTLR StringTemplate | High
Product | jar | package name | language | Low
Product | jar | package name | stringtemplate | Low
Product | central | artifactid | stringtemplate | Highest
Product | file | name | stringtemplate | High
Product | pom | description | StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that un... |
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/ciagent/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | org.antlr | Medium
Vendor | pom | name | ANTLR 3 Runtime | High
Vendor | pom | groupid | org.antlr | Highest
Vendor | pom | groupid | antlr | Highest
Vendor | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | Low
Vendor | Manifest | Implementation-Vendor | ANTLR | High
Vendor | pom | url | http://www.antlr.org | Highest
Vendor | pom | parent-groupid | org.antlr | Medium
Vendor | pom | artifactid | antlr-runtime | Low
Vendor | pom | parent-artifactid | antlr-master | Low
Vendor | file | name | antlr-runtime | High
Vendor | central | groupid | org.antlr | Highest
Product | pom | artifactid | antlr-runtime | Highest
Product | Manifest | Implementation-Title | ANTLR 3 Runtime | High
Product | pom | groupid | antlr | Low
Product | pom | parent-artifactid | antlr-master | Medium
Product | central | artifactid | antlr-runtime | Highest
Product | pom | parent-groupid | org.antlr | Low
Product | pom | name | ANTLR 3 Runtime | High
Product | file | name | antlr-runtime | High
Product | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. |
File Path: /home/ciagent/.m2/repository/org/infinispan/infinispan-cachestore-jdbc/8.2.6.Final/infinispan-cachestore-jdbc-8.2.6.Final.jar MD5: 3ca2e9d4e5ed44fc984fe94c2d943bf2 SHA1: 1703f2cae7b2cb483158dca831d68ee711f301ab
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
Description: Implementation of Core Service of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/exo.jcr.component.core/5.3.x-SNAPSHOT/exo.jcr.component.core-5.3.x-SNAPSHOT.jar MD5: 270fed54370dddb7b6f2a0ac0a53fb19 SHA1: 2e610d06ecc8ae00c94f7504cdef11211515dbd3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | exo.jcr.component.core | High
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | parent-groupid | org.exoplatform.jcr | Medium
Vendor | pom | parent-artifactid | jcr-parent | Low
Vendor | pom | name | eXo PLF:: JCR :: Component :: Core Service | High
Vendor | pom | description | Implementation of Core Service of Exoplatform SAS 'eXo Core' project. | Medium
Vendor | pom | groupid | org.exoplatform.jcr | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.jcr | Medium
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | groupid | exoplatform.jcr | Highest
Vendor | pom | artifactid | exo.jcr.component.core | Low
Product | file | name | exo.jcr.component.core | High
Product | pom | groupid | exoplatform.jcr | Low
Product | pom | artifactid | exo.jcr.component.core | Highest
Product | pom | name | eXo PLF:: JCR :: Component :: Core Service | High
Product | pom | parent-groupid | org.exoplatform.jcr | Low
Product | pom | description | Implementation of Core Service of Exoplatform SAS 'eXo Core' project. |
File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/portal/exo.portal.webui.core/5.3.x-SNAPSHOT/exo.portal.webui.core-5.3.x-SNAPSHOT.jar MD5: 4e253065194ba0054c6d12ec0b724bad SHA1: 40016d9274ed13258c15197a39051966ad7c20f0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/javascript/closure-compiler-externs/v20170910/closure-compiler-externs-v20170910.jar MD5: 573e49fb83760d25b675028eb612e2b2 SHA1: 036e801a929fcd121d212093923daf34986f5572
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/args4j/args4j/2.33/args4j-2.33.jar MD5: 0a6d515f76b15d29e3cd529de9319739 SHA1: bd87a75374a6d6523de82fef51fc3cfe9baf9fc9
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/errorprone/error_prone_annotations/2.0.18/error_prone_annotations-2.0.18.jar MD5: 98051758c08c9b7111b3268655069432 SHA1: 5f65affce1684999e2f4024983835efc3504012e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar MD5: 5134a2350f58890ffb9db0b40047195d SHA1: 751f548c85fa49f330cecbb1875893f971b33c4e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/jsinterop/jsinterop-annotations/1.0.0/jsinterop-annotations-1.0.0.jar MD5: 93302e3d0cc146097ecd08039dc1de52 SHA1: 23c3a3c060ffe4817e67673cc8294e154b0a4a95
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/javascript/closure-compiler/v20170910/closure-compiler-v20170910.jar MD5: ca8e9f88ba9aad9c5e2c0f8f937fe869 SHA1: 3b87499e9ed3f068e69889182ab95cff92de0932
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Groovy: A powerful, dynamic language for the JVM
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/codehaus/groovy/groovy-all/2.4.12/groovy-all-2.4.12.jar MD5: dddb0b3d3619875fa1c538c743ae8f99 SHA1: 760afc568cbd94c09d78f801ce51aed1326710af
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Public Domain: http://www.xmlpull.org/v1/download/unpacked/LICENSE.txt
File Path: /home/ciagent/.m2/repository/xmlpull/xmlpull/1.1.3.1/xmlpull-1.1.3.1.jar MD5: cc57dacc720eca721a50e78934b822d2 SHA1: 2b8e230d2ab644e4ecaa94db7cdedbc40c805dfa
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, vesion 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /home/ciagent/.m2/repository/xpp3/xpp3_min/1.1.4c/xpp3_min-1.1.4c.jar MD5: dcd95bcb84b09897b2b66d4684c040da SHA1: 19d4e90b43059058f6e056f794f0ea4030d60b86
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/thoughtworks/xstream/xstream/1.4.10/xstream-1.4.10.jar MD5: d00eec778910f95b26201395ac64cca0 SHA1: dfecae23647abc9d9fd0416629a4213a3882b101
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.
File Path: /home/ciagent/.m2/repository/org/exoplatform/commons/commons-webui-component/5.3.x-SNAPSHOT/commons-webui-component-5.3.x-SNAPSHOT.jar MD5: afe16b7e36ecbb581a371dafe5370c3b SHA1: 3b0b4a1f913cd523987ed381a1d4883f59c3f899
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/quartz-scheduler/quartz/2.2.2/quartz-2.2.2.jar MD5: 6acfd6ada2f4ad0abf4de916654dcaea SHA1: 6fd24da6803ab7c3a08bc519a62219a9bebeb0df
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/commons-pool/commons-pool/1.6/commons-pool-1.6.jar MD5: 5ca02245c829422176d23fa530e919cc SHA1: 4572d589699f09d866a226a14b7f4323c6d8f040
Referenced In Project/Scope:
eXo PLF:: Social Service Component:runtime
Description: Implementation of Common Service of Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.common/5.3.x-SNAPSHOT/exo.kernel.component.common-5.3.x-SNAPSHOT.jar MD5: c57430ba3cc88079d9fe4604fed4798c SHA1: d3f3536bcb0b5ed4306eaf6896f22d022f844899
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | description | Implementation of Common Service of Exoplatform SAS 'eXo Kernel' project. | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.kernel | Medium
Vendor | pom | parent-groupid | org.exoplatform.kernel | Medium
Vendor | pom | groupid | org.exoplatform.kernel | Highest
Vendor | pom | groupid | exoplatform.kernel | Highest
Vendor | pom | artifactid | exo.kernel.component.common | Low
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | parent-artifactid | kernel-parent | Low
Vendor | file | name | exo.kernel.component.common | High
Vendor | pom | name | eXo PLF:: Kernel :: Component :: Common Service | High
Product | pom | description | Implementation of Common Service of Exoplatform SAS 'eXo Kernel' project.
Description: Implementation of 'eXo Security' component of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.security.core/5.3.x-SNAPSHOT/exo.core.component.security.core-5.3.x-SNAPSHOT.jar MD5: 488f425f279a0c228294112bce69f54a SHA1: 851b19507264b0f4a9f19d3752df3b127276ce2a
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | groupid | org.exoplatform.core | Highest
Vendor | pom | parent-artifactid | core-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.core | Medium
Vendor | pom | artifactid | exo.core.component.security.core | Low
Vendor | pom | groupid | exoplatform.core | Highest
Vendor | pom | description | Implementation of 'eXo Security' component of Exoplatform SAS 'eXo Core' project. | Medium
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | file | name | exo.core.component.security.core | High
Vendor | pom | parent-groupid | org.exoplatform.core | Medium
Vendor | pom | name | eXo PLF Core :: Component :: Security Service | High
Product | Manifest | Implementation-Title | eXo PLF Core :: Component :: Security Service | High
Product | pom | parent-groupid | org.exoplatform.core | Low
Product | pom | groupid | exoplatform.core | Low
Product | pom | parent-artifactid | core-parent | Medium
Product | pom | artifactid | exo.core.component.security.core | Highest
Product | pom | description | Implementation of 'eXo Security' component of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/freemarker/freemarker/2.3.18/freemarker-2.3.18.jar MD5: 179cfdc90bff3b95a8d08d810656ad33 SHA1: 7b0cd31bfed5ceb396bdcdc088b24e6ff9eae96f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | extension-name | FreeMarker | Medium
Vendor | pom | name | FreeMarker | High
Vendor | pom | groupid | org.freemarker | Highest
Vendor | Manifest | specification-vendor | Visigoth Software Society | Low
Vendor | pom | url | http://freemarker.org | Highest
Vendor | file | name | freemarker | High
Vendor | central | groupid | org.freemarker | Highest
Vendor | Manifest | Implementation-Vendor | Visigoth Software Society | High
Vendor | pom | artifactid | freemarker | Low
Vendor | pom | description | FreeMarker is a "template engine"; a generic tool to generate text output based on templates. | Low
Vendor | pom | groupid | freemarker | Highest
Product | Manifest | extension-name | FreeMarker | Medium
Product | central | artifactid | freemarker | Highest
Product | pom | name | FreeMarker | High
Product | pom | artifactid | freemarker | Highest
Product | pom | groupid | freemarker | Low
Product | file | name | freemarker | High
Product | Manifest | Implementation-Title | VSS Java FreeMarker | High
Product | pom | url | http://freemarker.org | Medium
Product | Manifest | specification-title | FreeMarker | Medium
Product | pom | description | FreeMarker is a "template engine"; a generic tool to generate text output based on templates.
File Path: /home/ciagent/.m2/repository/org/wikbook/wikbook.template.core/0.9.45/wikbook.template.core-0.9.45.jar MD5: 830af5160a42ed28624d966959b49fbd SHA1: 67cd7abca5de9bb35ec44cf319b750c2fb7cd487
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/exoplatform/doc/doc-style/5.3.x-SNAPSHOT/doc-style-5.3.x-SNAPSHOT.jar MD5: ede4876dace8b38533c2bfb6bcb84891 SHA1: f42c399a62fa76b9ed58be0cf63875bc4a9f05f7
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be
used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the
document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.
License:
Java HTML Tidy License: http://jtidy.svn.sourceforge.net/viewvc/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: /home/ciagent/.m2/repository/net/sf/jtidy/jtidy/r938/jtidy-r938.jar MD5: 6a9121561b8f98c0a8fb9b6e57f50e6b SHA1: ab08d87a225a715a69107732b67f21e1da930349
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | jtidy | Low
Vendor | pom | name | JTidy | High
Vendor | pom | organization url | http://sourceforge.net | Medium
Vendor | jar | package name | tidy | Low
Vendor | pom | organization name | sourceforge | High
Vendor | pom | groupid | net.sf.jtidy | Highest
Vendor | pom | url | http://jtidy.sourceforge.net | Highest
Vendor | jar | package name | w3c | Low
Vendor | pom | description | JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML. | Low
Vendor | file | name | jtidy-r938 | High
Vendor | central | groupid | net.sf.jtidy | Highest
Product | pom | name | JTidy | High
Product | pom | organization name | sourceforge | Low
Product | jar | package name | tidy | Low
Product | central | artifactid | jtidy | Highest
Product | pom | organization url | http://sourceforge.net | Low
Product | pom | description | JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.
Description: Implementation of XML Processing Service of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.xml-processing/5.3.x-SNAPSHOT/exo.core.component.xml-processing-5.3.x-SNAPSHOT.jar MD5: 72733f679e354536825490dcd09a699a SHA1: 8abf87f511ed36fa29ee72cd75c7308f852c7b6f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | name | eXo PLF Core :: Component :: XML Processing Service | High
Vendor | pom | groupid | org.exoplatform.core | Highest
Vendor | pom | parent-artifactid | core-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.core | Medium
Vendor | pom | artifactid | exo.core.component.xml-processing | Low
Vendor | file | name | exo.core.component.xml-processing | High
Vendor | pom | groupid | exoplatform.core | Highest
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | description | Implementation of XML Processing Service of Exoplatform SAS 'eXo Core' project. | Medium
Vendor | pom | parent-groupid | org.exoplatform.core | Medium
Product | pom | parent-groupid | org.exoplatform.core | Low
Product | pom | name | eXo PLF Core :: Component :: XML Processing Service | High
Product | pom | groupid | exoplatform.core | Low
Product | pom | parent-artifactid | core-parent | Medium
Product | file | name | exo.core.component.xml-processing | High
Product | Manifest | Implementation-Title | eXo PLF Core :: Component :: XML Processing Service | High
Product | pom | artifactid | exo.core.component.xml-processing | Highest
Product | Manifest | specification-title | exo-core | Medium
Product | pom | description | Implementation of XML Processing Service of Exoplatform SAS 'eXo Core' project.
Description: Groovy Scripts Instantiator of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.script.groovy/5.3.x-SNAPSHOT/exo.core.component.script.groovy-5.3.x-SNAPSHOT.jar MD5: 7b83e6a1b4a6dad0afeeb2169f8bed89 SHA1: ee331e349386b130980f5564f3ba15a9cba7ebce
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | groupid | org.exoplatform.core | Highest
Vendor | pom | parent-artifactid | core-parent | Low
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.core | Medium
Vendor | pom | description | Groovy Scripts Instantiator of Exoplatform SAS 'eXo Core' project.
Description: Implementation of Commons Utils for Exoplatform SAS 'Web Services' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/ws/exo.ws.commons/5.3.x-SNAPSHOT/exo.ws.commons-5.3.x-SNAPSHOT.jar MD5: 916508b41039c72e9c729da2a0093689 SHA1: e3f538d0cc5bcf6360c9e00a0a4a4faabaf4ec6f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | exo.ws.commons | High
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | parent-artifactid | ws-parent | Low
Vendor | pom | groupid | exoplatform.ws | Highest
Vendor | pom | groupid | org.exoplatform.ws | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.ws | Medium
Vendor | pom | name | eXo PLF:: WS :: Commons Utils | High
Vendor | pom | parent-groupid | org.exoplatform.ws | Medium
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | artifactid | exo.ws.commons | Low
Vendor | pom | description | Implementation of Commons Utils for Exoplatform SAS 'Web Services' project. | Medium
Product | file | name | exo.ws.commons | High
Product | pom | parent-groupid | org.exoplatform.ws | Low
Product | Manifest | specification-title | exo-ws | Medium
Product | pom | groupid | exoplatform.ws | Low
Product | pom | name | eXo PLF:: WS :: Commons Utils | High
Product | pom | parent-artifactid | ws-parent | Medium
Product | pom | artifactid | exo.ws.commons | Highest
Product | Manifest | Implementation-Title | eXo PLF:: WS :: Commons Utils | High
Product | pom | description | Implementation of Commons Utils for Exoplatform SAS 'Web Services' project.
Description: JSR-250 Reference Implementation by Glassfish
License:
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/ciagent/.m2/repository/javax/annotation/jsr250-api/1.0/jsr250-api-1.0.jar MD5: 4cd56b2e4977e541186de69f5126b4a6 SHA1: 5025422767732a1ab45d93abfea846513d742dcf
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | description | JSR-250 Reference Implementation by Glassfish | Medium
Vendor | pom | name | JSR-250 Common Annotations for the JavaTM Platform
Description: Implementation of Extension Service of Exoplatform SAS 'eXo JCR' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/jcr/exo.jcr.component.ext/5.3.x-SNAPSHOT/exo.jcr.component.ext-5.3.x-SNAPSHOT.jar MD5: 80ba6722d208fa7b15b8c7d090d4c0cc SHA1: ecd82797b6732d7e1c33328f5970ffd1d7caee03
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | description | Implementation of Extension Service of Exoplatform SAS 'eXo JCR' project. | Medium
Vendor | pom | parent-groupid | org.exoplatform.jcr | Medium
Vendor | pom | parent-artifactid | jcr-parent | Low
Vendor | pom | artifactid | exo.jcr.component.ext | Low
Vendor | pom | groupid | org.exoplatform.jcr | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.jcr | Medium
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | groupid | exoplatform.jcr | Highest
Vendor | pom | name | eXo PLF:: JCR :: Component :: Extension Service | High
Vendor | file | name | exo.jcr.component.ext | High
Product | pom | description | Implementation of Extension Service of Exoplatform SAS 'eXo JCR' project.
Description: mime-util is a simple to use, small, light weight and fast open source java utility library that can detect
MIME types from files, input streams, URL's and byte arrays.
Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar MD5: 3d4f3e1a96eb79683197f1c8b182f4a6 SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | manifest | Bundle-Description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low
Vendor | Manifest | bundle-docurl | http://www.medsea.eu | Low
Vendor | pom | url | http://www.medsea.eu/mime-util/ | Highest
Vendor | central | groupid | eu.medsea.mimeutil | Highest
Vendor | pom | description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low
Vendor | pom | name | Mime Detection Utility | High
Vendor | pom | organization url | http://www.medsea.eu | Medium
Vendor | Manifest | bundle-symbolicname | eu.medsea.mimeutil.mime-util | Medium
Vendor | pom | artifactid | mime-util | Low
Vendor | file | name | mime-util | High
Vendor | pom | organization name | Medsea Business Solutions S.L. | High
Vendor | pom | groupid | eu.medsea.mimeutil | Highest
Vendor | Manifest | url | http://www.medsea.eu/mime-util/ | Low
Product | manifest | Bundle-Description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low
Product | Manifest | bundle-docurl | http://www.medsea.eu | Low
Product | Manifest | Bundle-Name | Mime Detection Utility | Medium
Product | central | artifactid | mime-util | Highest
Product | pom | organization name | Medsea Business Solutions S.L. | Low
Product | pom | groupid | eu.medsea.mimeutil | Low
Product | pom | description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.
File Path: /home/ciagent/.m2/repository/jakarta-regexp/jakarta-regexp/1.4/jakarta-regexp-1.4.jar MD5: 5d8b8c601c21b37aa6142d38f45c0297 SHA1: 0ea514a179ac1dd7e81c7e6594468b9b9910d298
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: XML Pull parser library developed by Extreme Computing Lab, Indiana University
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/ogce/xpp3/1.1.6/xpp3-1.1.6.jar MD5: 626a429318310e92e3466151e050bdc5 SHA1: dc87e00ddb69341b46a3eb1c331c6fcebf6c8546
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | jar | package name | xmlpull | Low
Vendor | pom | groupid | org.ogce | Highest
Vendor | jar | package name | builder | Low
Vendor | file | name | xpp3 | High
Vendor | pom | description | XML Pull parser library developed by Extreme Computing Lab, Indiana University | Medium
Vendor | pom | url | http://www.extreme.indiana.edu/xpp/ | Highest
Vendor | jar | package name | v1 | Low
Vendor | pom | groupid | ogce | Highest
Vendor | pom | artifactid | xpp3 | Low
Vendor | central | groupid | org.ogce | Highest
Vendor | pom | name | XPP3 | High
Product | pom | artifactid | xpp3 | Highest
Product | pom | groupid | ogce | Low
Product | pom | url | http://www.extreme.indiana.edu/xpp/ | Medium
Product | jar | package name | builder | Low
Product | file | name | xpp3 | High
Product | jar | package name | xpath | Low
Product | pom | description | XML Pull parser library developed by Extreme Computing Lab, Indiana University
File Path: /home/ciagent/.m2/repository/org/slf4j/slf4j-api/1.7.18/slf4j-api-1.7.18.jar MD5: 1b1d1af21206ac5ae44cd79a6c04dd92 SHA1: b631d286463ced7cc42ee2171fe3beaed2836823
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.commons/5.3.x-SNAPSHOT/exo.kernel.commons-5.3.x-SNAPSHOT.jar MD5: e45922985af7344ecbcca4bae3fc09ab SHA1: c338e8e2fb4598959349acdf407306be46246113
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | file | name | exo.kernel.commons | High
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.kernel | Medium
Vendor | pom | parent-groupid | org.exoplatform.kernel | Medium
Vendor | pom | name | eXo PLF:: Kernel :: Commons Utils | High
Vendor | pom | artifactid | exo.kernel.commons | Low
Vendor | pom | groupid | org.exoplatform.kernel | Highest
Vendor | pom | groupid | exoplatform.kernel | Highest
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | parent-artifactid | kernel-parent | Low
Vendor | pom | description | Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project. | Medium
Product | file | name | exo.kernel.commons | High
Product | Manifest | specification-title | exo-kernel | Medium
Product | pom | name | eXo PLF:: Kernel :: Commons Utils | High
Product | pom | parent-artifactid | kernel-parent | Medium
Product | Manifest | Implementation-Title | eXo PLF:: Kernel :: Commons Utils | High
Product | pom | parent-groupid | org.exoplatform.kernel | Low
Product | pom | artifactid | exo.kernel.commons | Highest
Product | pom | groupid | exoplatform.kernel | Low
Product | pom | description | Implementation of Commons Utils of Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar MD5: b45be74134796c89db7126083129532f SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | Commons BeanUtils | High
Vendor | pom | description | BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. | Medium
Vendor | file | name | commons-beanutils | High
Vendor | central | groupid | commons-beanutils | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | pom | url | http://commons.apache.org/beanutils/ | Highest
Vendor | pom | artifactid | commons-beanutils | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.beanutils | Medium
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | manifest | Bundle-Description | BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | pom | groupid | commons-beanutils | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/beanutils/ | Low
Product | pom | name | Commons BeanUtils | High
Product | pom | description | BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection. | Medium
Product | file | name | commons-beanutils | High
Product | Manifest | Bundle-Name | Commons BeanUtils | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | artifactid | commons-beanutils | Highest
Product | pom | url | http://commons.apache.org/beanutils/ | Medium
Product | Manifest | Implementation-Title | Commons BeanUtils | High
Product | central | artifactid | commons-beanutils | Highest
Product | pom | parent-groupid | org.apache.commons | Low
Product | Manifest | bundle-symbolicname | org.apache.commons.beanutils | Medium
Product | Manifest | specification-title | Commons BeanUtils | Medium
Product | manifest | Bundle-Description | BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/wci/wci-wci/5.3.x-SNAPSHOT/wci-wci-5.3.x-SNAPSHOT.jar MD5: 2ab001252fa543ff2b30839d5d8b60ec SHA1: 70f414374362f77fa7ec7a35797e32395bbf36ee
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-groupid | org.exoplatform.gatein.wci | Medium
Vendor | pom | groupid | org.exoplatform.gatein.wci | Highest
Vendor | Manifest | java-vendor | Oracle Corporation | Medium
Vendor | Manifest | Implementation-Vendor | JBoss by Red Hat | High
Vendor | pom | groupid | exoplatform.gatein.wci | Highest
Vendor | Manifest | os-name | Linux | Medium
Vendor | file | name | wci-wci | High
Vendor | Manifest | implementation-url | www.gatein.org/wci-parent/wci-wci/ | Low
Vendor | Manifest | specification-vendor | JBoss by Red Hat | Low
Vendor | pom | parent-artifactid | wci-parent | Low
Vendor | Manifest | build-timestamp | Thu, 23 May 2019 09:57:20 +0000 | Low
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.gatein.wci | Medium
Vendor | pom | artifactid | wci-wci | Low
Vendor | pom | name | GateIn - Web Container Integration component (wci) | High
Product | file | name | wci-wci | High
Product | pom | groupid | exoplatform.gatein.wci | Low
Product | Manifest | implementation-url | www.gatein.org/wci-parent/wci-wci/ | Low
Product | pom | artifactid | wci-wci | Highest
Product | Manifest | Implementation-Title | GateIn - Web Container Integration component (wci) | High
Product | Manifest | specification-title | GateIn - Web Container Integration component (wci) | Medium
Product | pom | parent-groupid | org.exoplatform.gatein.wci | Low
Product | Manifest | build-timestamp | Thu, 23 May 2019 09:57:20 +0000 | Low
Product | pom | parent-artifactid | wci-parent | Medium
Product | Manifest | os-name | Linux | Medium
Product | pom | name | GateIn - Web Container Integration component (wci)
File Path: /home/ciagent/.m2/repository/org/jibx/jibx-run/1.2.6/jibx-run-1.2.6.jar MD5: 4ef53e4279c8440aff2d16c0af024231 SHA1: 544f3ac7887d7eed20ca0420ee1963df6c7ecebb
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar MD5: 289075e48b909e9e74e6c915b3631d2e SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: APIs for JSR-299: Contexts and Dependency Injection for Java EE
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.html
File Path: /home/ciagent/.m2/repository/javax/enterprise/cdi-api/1.0-SP4/cdi-api-1.0-SP4.jar MD5: 6c1e2b4036d64b6ba1a1136a00c7cdaa SHA1: 6e38490033eb8b36c4cf1f7605163424a574dcf0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | parent-groupid | org.jboss.weld | Medium
Vendor | pom | artifactid | cdi-api | Low
Vendor | central | groupid | javax.enterprise | Highest
Vendor | pom | parent-artifactid | weld-parent | Low
Vendor | pom | groupid | javax.enterprise | Highest
Vendor | Manifest | specification-vendor | Seam Framework | Low
Vendor | pom | url | http://www.seamframework.org/Weld | Highest
Vendor | Manifest | Implementation-Vendor | Seam Framework | High
Vendor | Manifest | implementation-url | http://www.seamframework.org/Weld | Low
Vendor | pom | organization name | Seam Framework | High
Vendor | file | name | cdi-api | High
Vendor | pom | name | CDI APIs | High
Vendor | pom | organization url | http://seamframework.org | Medium
Vendor | pom | description | APIs for JSR-299: Contexts and Dependency Injection for Java EE | Medium
Product | pom | organization name | Seam Framework | Low
Product | Manifest | specification-title | CDI APIs | Medium
Product | pom | url | http://www.seamframework.org/Weld | Medium
Product | central | artifactid | cdi-api | Highest
Product | pom | parent-artifactid | weld-parent | Medium
Product | Manifest | implementation-url | http://www.seamframework.org/Weld | Low
Product | pom | groupid | javax.enterprise | Low
Product | Manifest | Implementation-Title | CDI APIs | High
Product | pom | organization url | http://seamframework.org | Low
Product | pom | artifactid | cdi-api | Highest
Product | file | name | cdi-api | High
Product | pom | name | CDI APIs | High
Product | pom | parent-groupid | org.jboss.weld | Low
Product | pom | description | APIs for JSR-299: Contexts and Dependency Injection for Java EE
Description: Implementation of Container for Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.container/5.3.x-SNAPSHOT/exo.kernel.container-5.3.x-SNAPSHOT.jar MD5: e3a9fd28ca075c2222bbeed39e55297d SHA1: 6a171b6b0e06e09151f08de470d69b3b5358489a
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | eXo Platform SAS | Low
Vendor | pom | description | Implementation of Container for Exoplatform SAS 'eXo Kernel' project. | Medium
Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.kernel | Medium
Vendor | pom | parent-groupid | org.exoplatform.kernel | Medium
Vendor | pom | groupid | org.exoplatform.kernel | Highest
Vendor | pom | artifactid | exo.kernel.container | Low
Vendor | pom | groupid | exoplatform.kernel | Highest
Vendor | pom | name | eXo PLF:: Kernel :: Container | High
Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High
Vendor | pom | parent-artifactid | kernel-parent | Low
Vendor | file | name | exo.kernel.container | High
Product | Manifest | Implementation-Title | eXo PLF:: Kernel :: Container | High
Product | pom | description | Implementation of Container for Exoplatform SAS 'eXo Kernel' project.
Description:
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.html
File Path: /home/ciagent/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar MD5: f8f1352c52a4c6a500b597596501fc64 SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | Low
Vendor | pom | name | AntLR Parser Generator | High
Vendor | pom | url | http://www.antlr.org/ | Highest
Vendor | pom | artifactid | antlr | Low
Vendor | pom | groupid | antlr | Highest
Vendor | central | groupid | antlr | Highest
Vendor | file | name | antlr | High
Vendor | jar | package name | antlr | Low
Product | pom | artifactid | antlr | Highest
Product | pom | groupid | antlr | Low
Product | pom | url | http://www.antlr.org/ | Medium
Product | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
Description: A module of the Hibernate O/RM project
License:
GNU Lesser General Public License: http://www.gnu.org/licenses/lgpl-2.1.html
File Path: /home/ciagent/.m2/repository/org/hibernate/hibernate-core/4.2.21.Final/hibernate-core-4.2.21.Final.jar MD5: 492567c1f36fb3a5968ca2d3c452edaf SHA1: bb587d00287c13d9e4324bc76c13abbd493efa81
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: API of Organization Service of Exoplatform SAS 'eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.organization.api/5.3.x-SNAPSHOT/exo.core.component.organization.api-5.3.x-SNAPSHOT.jar MD5: dac80c845342c757a54f5b1c780c52d6 SHA1: a07f68213aab5a6dd25dfcc8780e4162c59a7673
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | specification-vendor | eXo Platform SAS | Low |
| Vendor | pom | description | API of Organization Service of Exoplatform SAS 'eXo Core' project. | Medium |
| Vendor | pom | name | eXo PLF Core :: Component :: Organization Service API | High |
| Vendor | pom | groupid | org.exoplatform.core | Highest |
| Vendor | pom | parent-artifactid | core-parent | Low |
| Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.core | Medium |
| Vendor | pom | artifactid | exo.core.component.organization.api | Low |
| Vendor | pom | groupid | exoplatform.core | Highest |
| Vendor | file | name | exo.core.component.organization.api | High |
| Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High |
| Vendor | pom | parent-groupid | org.exoplatform.core | Medium |
| Product | pom | description | API of Organization Service of Exoplatform SAS 'eXo Core' project. | Medium |
| Product | pom | parent-groupid | org.exoplatform.core | Low |
| Product | pom | groupid | exoplatform.core | Low |
| Product | pom | parent-artifactid | core-parent | Medium |
| Product | pom | name | eXo PLF Core :: Component :: Organization Service API | High |
| Product | Manifest | Implementation-Title | eXo PLF Core :: Component :: Organization Service API | |
File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/pc/pc-api/5.3.x-SNAPSHOT/pc-api-5.3.x-SNAPSHOT.jar MD5: e995d3069d7ca3308034dcb2ccd06d09 SHA1: 7c15dad670317a24d7e12ff353aa252eb170165b
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/cometd/java/bayeux-api/3.0.8/bayeux-api-3.0.8.jar MD5: a09842b7f274cefffa408299b5fc8dd0 SHA1: d5aceb0e7fef4a140f7e95be48338b97723d3163
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-common/3.0.8/cometd-java-common-3.0.8.jar MD5: 70c7cc13ecc20634a6b357e33134d551 SHA1: 5e2134a1b3bc6e03b7e1666a74e9993d0bb52a7d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-websocket-javax-server/3.0.8/cometd-java-websocket-javax-server-3.0.8.jar MD5: afa5e80138d48292a6f93b708257d2fc SHA1: 353860f809886a58c181dd9e273ee7b79e133277
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | cometd-java-websocket-javax-server | High |
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-websocket-common-server/3.0.8/cometd-java-websocket-common-server-3.0.8.jar MD5: 5772b2360cec4ff610e62151fb4deb62 SHA1: 61538a1231b700bf045fa197514f63509960985e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | cometd-java-websocket-common-server | Low |
| Vendor | Manifest | bundle-symbolicname | cometd-java-websocket-common-server | Medium |
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-annotations/3.0.8/cometd-java-annotations-3.0.8.jar MD5: 98b60697675562cf957655c3239a1ad3 SHA1: 5b56875b2ac024b5666633596abb90702ec35e81
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | cometd-java-annotations | High |
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/eclipse/jetty/jetty-io/9.2.14.v20151106/jetty-io-9.2.14.v20151106.jar MD5: 94d0e857144c7615b6fd65019cd32b59 SHA1: dfa4137371a3f08769820138ca1a2184dacda267
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2014 Mort Bay Consulting Pty. Ltd. | Low |
| Vendor | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low |
| Vendor | manifest | Bundle-Description | Administrative parent pom for Jetty modules | Medium |
| Vendor | pom | groupid | eclipse.jetty | Highest |
| Vendor | pom | artifactid | jetty-io | Low |
| Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low |
| Vendor | Manifest | url | http://www.eclipse.org/jetty | Low |
| Vendor | pom | groupid | org.eclipse.jetty | Highest |
| Vendor | file | name | jetty-io | High |
| Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.io | Medium |
| Vendor | pom | name | Jetty :: IO Utility | High |
| Vendor | pom | parent-groupid | org.eclipse.jetty | Medium |
| Vendor | central | groupid | org.eclipse.jetty | Highest |
| Vendor | pom | parent-artifactid | jetty-project | Low |
| Vendor | Manifest | Implementation-Vendor | Eclipse.org - Jetty | High |
| Vendor | pom | url | http://www.eclipse.org/jetty | Highest |
| Product | Manifest | bundle-copyright | Copyright (c) 2008-2014 Mort Bay Consulting Pty. Ltd. | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-client/3.0.8/cometd-java-client-3.0.8.jar MD5: 24f1367fb4d96fe70a3f07a1f48e447e SHA1: 826d4ae9402e7c48cc98fe287389788134e4986f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-websocket-common-client/3.0.8/cometd-java-websocket-common-client-3.0.8.jar MD5: c17616c290c54ffc4a70dda2b901919a SHA1: 8b75f11de5bba306d0bcb20a6c1bed89675579cd
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-websocket-javax-client/3.0.8/cometd-java-websocket-javax-client-3.0.8.jar MD5: 433dd449f689697bbe1a75b0ed2788f8 SHA1: b44bcf098667f0112301d75f73adb5ba3295699d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-oort/3.0.8/cometd-java-oort-3.0.8.jar MD5: 62dbbecedab27927495fc9c9e0b70505 SHA1: a72695546e010c250ba65519fc91867b208fc8f9
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/eclipse/jetty/jetty-jmx/9.2.14.v20151106/jetty-jmx-9.2.14.v20151106.jar MD5: 5eccc25d22921cb4787812d0687a2978 SHA1: 617edc5e966b4149737811ef8b289cd94b831bab
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | bundle-copyright | Copyright (c) 2008-2014 Mort Bay Consulting Pty. Ltd. | Low |
| Vendor | Manifest | bundle-docurl | http://www.eclipse.org/jetty | Low |
| Vendor | file | name | jetty-jmx | High |
| Vendor | pom | name | Jetty :: JMX Management | High |
| Vendor | pom | artifactid | jetty-jmx | Low |
| Vendor | manifest | Bundle-Description | JMX management artifact for jetty. | Medium |
| Vendor | pom | groupid | eclipse.jetty | Highest |
| Vendor | Manifest | bundle-requiredexecutionenvironment | JavaSE-1.7 | Low |
| Vendor | Manifest | url | http://www.eclipse.org/jetty | Low |
| Vendor | pom | groupid | org.eclipse.jetty | Highest |
| Vendor | Manifest | bundle-symbolicname | org.eclipse.jetty.jmx | Medium |
| Vendor | pom | parent-groupid | org.eclipse.jetty | Medium |
| Vendor | central | groupid | org.eclipse.jetty | Highest |
| Vendor | pom | parent-artifactid | jetty-project | Low |
| Vendor | Manifest | Implementation-Vendor | Eclipse.org - Jetty | High |
| Vendor | pom | description | JMX management artifact for jetty. | Medium |
| Vendor | pom | url | http://www.eclipse.org/jetty | Highest |
| Product | Manifest | bundle-copyright | Copyright (c) 2008-2014 Mort Bay Consulting Pty. Ltd. | |
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), HTTP/0.9 is handled poorly. An HTTP/1 style request line (i.e. method space URI space version) that declares a version of HTTP/0.9 was accepted and treated as a 0.9 request. If deployed behind an intermediary that also accepted and passed through the 0.9 version (but did not act on it), then the response sent could be interpreted by the intermediary as HTTP/1 headers. This could be used to poison the cache if the server allowed the origin client to generate arbitrary content in the response.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
In Eclipse Jetty, versions 9.2.x and older, 9.3.x (all configurations), and 9.4.x (non-default configuration with RFC2616 compliance enabled), transfer-encoding chunks are handled poorly. The chunk length parsing was vulnerable to an integer overflow. Thus a large chunk size could be interpreted as a smaller chunk size and content sent as chunk body could be interpreted as a pipelined request. If Jetty was deployed behind an intermediary that imposed some authorization and that intermediary allowed arbitrarily large chunks to be passed on unchanged, then this flaw could be used to bypass the authorization imposed by the intermediary as the fake pipelined request would not be interpreted by the intermediary as a request.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-19 Data Handling
In Eclipse Jetty Server, versions 9.2.x and older, 9.3.x (all non HTTP/1.x configurations), and 9.4.x (all HTTP/1.x configurations), when presented with two content-lengths headers, Jetty ignored the second. When presented with a content-length and a chunked encoding header, the content-length was ignored (as per RFC 2616). If an intermediary decided on the shorter length, but still passed on the longer body, then body content could be interpreted by Jetty as a pipelined request. If the intermediary was imposing authorization, the fake pipelined request would bypass that authorization.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Jetty through 9.4.x is prone to a timing channel in util/security/Password.java, which makes it easier for remote attackers to obtain access by observing elapsed times before rejection of incorrect passwords.
File Path: /home/ciagent/.m2/repository/org/cometd/java/cometd-java-server/3.0.8/cometd-java-server-3.0.8.jar MD5: c55eb617762fad72683da9de856e008c SHA1: 11d535c657bdb491abc2ccd820118f9d6a8f44e0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | cometd.java | Highest |
| Vendor | Manifest | bundle-docurl | http://docs.cometd.org | Low |
| Vendor | central | groupid | org.cometd.java | Highest |
| Vendor | manifest | Bundle-Description | The CometD project is a scalable web messaging bus that uses WebSocketand HTTP AJAX push technology patterns known as "Comet" techniques | |
File Path: /home/ciagent/.m2/repository/org/exoplatform/commons/commons-comet-service/5.3.x-SNAPSHOT/commons-comet-service-5.3.x-SNAPSHOT.jar MD5: 7c020a92d3114dc217efa8f161b3738a SHA1: 24540f023fd116f3ccf2ef430b9dffb38a1b90ed
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/jmock/jmock/1.0.1/jmock-1.0.1.jar MD5: d45c5ca4c1063d508ca8df00538decc1 SHA1: 87a39d1a62ea94be5453ecdbb97cd81c978622d3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, vesion 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
Apache Software License, version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: /home/ciagent/.m2/repository/xpp3/xpp3/1.1.4c/xpp3-1.1.4c.jar MD5: 6e3c39f391e4994888b7d0030f775804 SHA1: 9b988ea84b9e4e9f1874e390ce099b8ac12cfff5
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Please refer to the main website for documentation.
File Path: /home/ciagent/.m2/repository/picocontainer/picocontainer/1.1/picocontainer-1.1.jar MD5: 98f476491eed3b106b9a015f15bf5fda SHA1: a2babe80a3af3a3672095341625e4a9ba4278c1b
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | url | http://www.picocontainer.org/ | Highest |
| Vendor | Manifest | extension-name | picocontainer | Medium |
| Vendor | pom | name | PicoContainer | High |
| Vendor | pom | groupid | picocontainer | Highest |
| Vendor | pom | organization name | Codehaus | High |
| Vendor | Manifest | Implementation-Vendor | Codehaus | High |
| Vendor | pom | organization url | http://codehaus.org/ | Medium |
| Vendor | file | name | picocontainer | High |
| Vendor | central | groupid | picocontainer | Highest |
| Vendor | pom | description | Please refer to the main website for documentation. | Medium |
| Vendor | pom | artifactid | picocontainer | Low |
| Vendor | Manifest | specification-vendor | Codehaus | Low |
| Product | Manifest | Implementation-Title | org.picocontainer | High |
| Product | Manifest | extension-name | picocontainer | Medium |
| Product | pom | groupid | picocontainer | Low |
| Product | pom | organization name | Codehaus | Low |
| Product | pom | name | PicoContainer | High |
| Product | Manifest | specification-title | Small footprint Dependency Injection container | Medium |
| Product | pom | artifactid | picocontainer | Highest |
| Product | pom | url | http://www.picocontainer.org/ | Medium |
| Product | file | name | picocontainer | High |
| Product | pom | description | Please refer to the main website for documentation. | |
File Path: /home/ciagent/.m2/repository/com/googlecode/owasp-java-html-sanitizer/owasp-java-html-sanitizer/20160413.1/owasp-java-html-sanitizer-20160413.1.jar MD5: f2dbfedbd7bea844cedc1fc1e95fca80 SHA1: 61780b5d65c39013d733b70b2d2968f72f83aa0a
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/suigeneris/jrcs.diff/0.4.2/jrcs.diff-0.4.2.jar MD5: a05e71b59b7099da7844fd3b5f38e299 SHA1: 6e8eea2281426cd791a64b348c0932c88b966f39
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/ecs/ecs/1.4.2/ecs-1.4.2.jar MD5: 62d53be190ca9cbfe01bec9fc3396934 SHA1: f9bc5fdde56d60876c1785087ce2a301b4e4a676
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/liquibase/liquibase-core/3.4.2/liquibase-core-3.4.2.jar MD5: d4ad6d5f7958b69b8fbd01a5564ae45b SHA1: c91ccf342466857251cf6795b0cecc42509206f2
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/exoplatform/commons/commons-component-common/5.3.x-SNAPSHOT/commons-component-common-5.3.x-SNAPSHOT.jar MD5: 68e71cc3a18338cdd93d6eb873ec340a SHA1: e177099769562ebf444b664181284a611c0a1ea7
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /srv/ciagent/workspace/PLF/social-develop-site/sources/component/common/target/social-component-common-5.3.x-SNAPSHOT.jar MD5: 9802924e92e36868a38a4ba44ef23e52 SHA1: aba26d9005fde6f040d7e2afc93cf287b17b830c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/ibm/icu/icu4j/56.1/icu4j-56.1.jar MD5: 7bd1a7a1295868726f991c7593dce442 SHA1: 8dd6671f52165a0419e6de5e1016400875a90fa9
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | ibm.icu | Highest |
| Vendor | pom | name | ICU4J | High |
| Vendor | manifest | Bundle-Description | International Components for Unicode for Java | Medium |
| Vendor | file | name | icu4j | High |
| Vendor | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Vendor | central | groupid | com.ibm.icu | Highest |
| Vendor | pom | groupid | com.ibm.icu | Highest |
| Vendor | Manifest | Implementation-Vendor-Id | com.ibm | Medium |
| Vendor | Manifest | bundle-symbolicname | com.ibm.icu | Medium |
| Vendor | Manifest | bundle-copyright | Copyright 2000-2015, International Business Machines Corporation and others. All Rights Reserved. | Low |
| Vendor | Manifest | specification-vendor | icu-project.org | Low |
| Vendor | pom | artifactid | icu4j | Low |
| Vendor | pom | description | International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support | Low |
| Vendor | Manifest | Implementation-Vendor | IBM Corporation | High |
| Vendor | pom | url | http://icu-project.org/ | Highest |
| Product | pom | name | ICU4J | High |
| Product | Manifest | Bundle-Name | ICU4J | Medium |
| Product | manifest | Bundle-Description | International Components for Unicode for Java | Medium |
| Product | file | name | icu4j | High |
| Product | pom | groupid | ibm.icu | Low |
| Product | Manifest | bundle-requiredexecutionenvironment | J2SE-1.5 | Low |
| Product | central | artifactid | icu4j | Highest |
| Product | pom | artifactid | icu4j | Highest |
| Product | Manifest | bundle-symbolicname | com.ibm.icu | Medium |
| Product | Manifest | specification-title | International Components for Unicode for Java | Medium |
| Product | Manifest | bundle-copyright | Copyright 2000-2015, International Business Machines Corporation and others. All Rights Reserved. | Low |
| Product | Manifest | Implementation-Title | International Components for Unicode for Java | High |
| Product | pom | url | http://icu-project.org/ | Medium |
| Product | pom | description | International Component for Unicode for Java (ICU4J) is a mature, widely used Java library providing Unicode and Globalization support | |
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-415 Double Free
Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-787 Out-of-bounds Write
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-787 Out-of-bounds Write
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.
Description: The Java Portlet API version 2.0 developed by the Java Community Process JSR-286 Expert Group.
File Path: /home/ciagent/.m2/repository/javax/portlet/portlet-api/2.0/portlet-api-2.0.jar MD5: 0ec08593cda1df33985391919996c740 SHA1: 1cd72f2a37fcf8ab9893a9468d7ba71c85fe2653
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | file | name | portlet-api | High |
| Vendor | pom | description | The Java Portlet API version 2.0 developed by the Java Community Process JSR-286 Expert Group. | Medium |
| Vendor | pom | name | Java Portlet Specification V2.0 | High |
| Vendor | pom | url | http://www.jcp.org/en/jsr/detail?id=286 | Highest |
| Vendor | central | groupid | javax.portlet | Highest |
| Vendor | pom | groupid | javax.portlet | Highest |
| Vendor | Manifest | bundle-docurl | http://www.jcp.org/en/jsr/detail?id=286 | Low |
| Vendor | pom | artifactid | portlet-api | Low |
| Vendor | Manifest | bundle-symbolicname | javax.portlet | Medium |
| Product | file | name | portlet-api | High |
| Product | pom | artifactid | portlet-api | Highest |
| Product | pom | description | The Java Portlet API version 2.0 developed by the Java Community Process JSR-286 Expert Group. | |
Description: The Reflext Framework Annotation Processing Tool Plugin
File Path: /home/ciagent/.m2/repository/org/reflext/reflext.apt/1.1.0/reflext.apt-1.1.0.jar MD5: e6bb0195d6cdd15b618939c78999ea4e SHA1: 093ab21e03197c1c7a2d2d20da4d3dd34a60ac24
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.apt/1.3.0/chromattic.apt-1.3.0.jar MD5: 5f51682435a2e2014a9bd9c5936a5cc5 SHA1: f2e219c2b8e13983a26b4c3f4e8eb54d71730b4d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/chromattic/chromattic.ext/1.3.0/chromattic.ext-1.3.0.jar MD5: a8482bb9fe7572e77a58627251740ee1 SHA1: ea3bd25892c827d9b830aea768de69e200a93165
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/exoplatform/commons/commons-api/5.3.x-SNAPSHOT/commons-api-5.3.x-SNAPSHOT.jar MD5: 2c3b7dfa120a9e5572d3b2c600e4ca02 SHA1: 3405ca34dc1ae7aa88efe1c0c1f2eb4168dd3c60
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Product informations: version, revision and build numbers
File Path: /home/ciagent/.m2/repository/org/exoplatform/commons/commons-component-product/5.3.x-SNAPSHOT/commons-component-product-5.3.x-SNAPSHOT.jar MD5: b8901f4806b4b15c95950919ab4e22cc SHA1: 18deee3c16a7fbe462e1ffe37e4317fe89a9d24c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/exoplatform/commons/commons-component-upgrade/5.3.x-SNAPSHOT/commons-component-upgrade-5.3.x-SNAPSHOT.jar MD5: dec94676448b6445d4b46241496bdc51 SHA1: 8a096fb70e071ea70a19721012cd6e425cdd3ff4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Implementation of Cache Service of Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.cache/5.3.x-SNAPSHOT/exo.kernel.component.cache-5.3.x-SNAPSHOT.jar MD5: 6a322bdcc585dcf7bb26e4b7554adf3c SHA1: 249eab6c763268ea4c6bcc15a6b53bf38c49fb6e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | Manifest | specification-vendor | eXo Platform SAS | Low |
| Vendor | file | name | exo.kernel.component.cache | High |
| Vendor | Manifest | Implementation-Vendor-Id | org.exoplatform.kernel | Medium |
| Vendor | pom | parent-groupid | org.exoplatform.kernel | Medium |
| Vendor | pom | groupid | org.exoplatform.kernel | Highest |
| Vendor | pom | groupid | exoplatform.kernel | Highest |
| Vendor | pom | name | eXo PLF:: Kernel :: Component :: Cache Service | High |
| Vendor | Manifest | Implementation-Vendor | eXo Platform SAS | High |
| Vendor | pom | description | Implementation of Cache Service of Exoplatform SAS 'eXo Kernel' project. | Medium |
| Vendor | pom | parent-artifactid | kernel-parent | Low |
| Vendor | pom | artifactid | exo.kernel.component.cache | Low |
| Product | file | name | exo.kernel.component.cache | High |
| Product | Manifest | specification-title | exo-kernel | Medium |
| Product | pom | artifactid | exo.kernel.component.cache | Highest |
| Product | pom | parent-artifactid | kernel-parent | Medium |
| Product | pom | name | eXo PLF:: Kernel :: Component :: Cache Service | High |
| Product | Manifest | Implementation-Title | eXo PLF:: Kernel :: Component :: Cache Service | High |
| Product | pom | parent-groupid | org.exoplatform.kernel | Low |
| Product | pom | description | Implementation of Cache Service of Exoplatform SAS 'eXo Kernel' project. | |
File Path: /home/ciagent/.m2/repository/org/gatein/common/common-common/2.2.2.Final/common-common-2.2.2.Final.jar MD5: 8ce16b5e3991285cd27e553740d09d1f SHA1: 44522d899e31a5a10dbd70f7b0ca2fe5a614f740
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/common/common-logging/2.2.2.Final/common-logging-2.2.2.Final.jar MD5: 28b7108ee63899bca08636d360e7df11 SHA1: aee18008518671fb10982c0fe5f7383e98f71c47
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
Caja is a HTML/CSS/JavaScript compiler which allows websites to safely embed web applications
from third parties, and enables rich interaction between the embedding page and the embedded
applications using an object-capability security model.
File Path: /home/ciagent/.m2/repository/caja/caja/r5054/caja-r5054.jar MD5: 7379ecf5bc7945ca6ab533b905e449a3 SHA1: 18b47afa0172413346d9c8ae1595b6ffbbddd499
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | caja | Highest |
| Vendor | pom | organization name | Google | High |
| Vendor | pom | description | Caja is a HTML/CSS/JavaScript compiler which allows websites to safely embed web applications from third parties, and enables rich interaction between the embedding page and the embedded applications using an object-capability security model. | Low |
| Vendor | pom | groupid | google.caja | Highest |
| Vendor | pom | artifactid | caja | Low |
| Vendor | pom | url | http://code.google.com/p/google-caja | Highest |
| Vendor | jar | package name | google | Low |
| Vendor | jar | package name | caja | Low |
| Vendor | file | name | caja-r5054 | High |
| Vendor | pom | organization url | http://www.google.com | Medium |
| Vendor | pom | name | Caja | High |
| Product | pom | description | Caja is a HTML/CSS/JavaScript compiler which allows websites to safely embed web applications from third parties, and enables rich interaction between the embedding page and the embedded applications using an object-capability security model. | Low |
| Product | pom | organization url | http://www.google.com | Low |
| Product | pom | organization name | Google | Low |
| Product | jar | package name | caja | Low |
| Product | pom | artifactid | caja | Highest |
| Product | file | name | caja-r5054 | High |
| Product | pom | groupid | google.caja | Low |
| Product | pom | url | http://code.google.com/p/google-caja | Medium |
| Product | pom | name | Caja | High |
| Version | pom | version | r5054 | Highest |
| Version | file | version | 5054 | Medium |
| Version | file | name | caja-r5054 | Medium |
Identifiers
maven: com.google.caja:caja:r5054
Confidence:High
htmlparser-r4209.jar
Description:
A patched version of the nu.validator v1.2.1 HTML parser.
License:
No Warranty
File Path: /home/ciagent/.m2/repository/caja/htmlparser/r4209/htmlparser-r4209.jar MD5: 31c18bc52991e53ed4eaa28347c44189 SHA1: 0573217e5c9bf8fad6ce827a94191ca0f5785087
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | groupid | caja | Highest |
| Vendor | file | name | htmlparser-r4209 | High |
| Vendor | jar | package name | validator | Low |
| Vendor | pom | organization url | http://validator.nu | Medium |
| Vendor | pom | url | http://code.google.com/p/google-caja | Highest |
| Vendor | pom | description | A patched version of the nu.validator v1.2.1 HTML parser. | Medium |
| Vendor | pom | name | HtmlParser | High |
| Vendor | jar | package name | nu | Low |
| Vendor | pom | artifactid | htmlparser | Low |
| Vendor | pom | organization name | Validator.nu | High |
| Vendor | jar | package name | htmlparser | Low |
| Product | file | name | htmlparser-r4209 | High |
| Product | pom | artifactid | htmlparser | Highest |
| Product | jar | package name | validator | Low |
| Product | pom | description | A patched version of the nu.validator v1.2.1 HTML parser. | Medium |
| Product | pom | name | HtmlParser | High |
| Product | pom | organization url | http://validator.nu | Low |
| Product | pom | groupid | caja | Low |
| Product | pom | organization name | Validator.nu | Low |
| Product | pom | url | http://code.google.com/p/google-caja | Medium |
| Product | jar | package name | htmlparser | Low |
| Version | file | name | htmlparser-r4209 | Medium |
| Version | pom | version | r4209 | Highest |
| Version | file | version | 4209 | Medium |
Identifiers
maven: caja:htmlparser:r4209
Confidence:High
oauth-20100527.jar
File Path: /home/ciagent/.m2/repository/net/oauth/core/oauth/20100527/oauth-20100527.jar MD5: 91c7c70579f95b7ddee95b2143a49b41 SHA1: a84c5331e225bc25a5a288db328048d6b1bb6fd5
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
File Path: /home/ciagent/.m2/repository/rome/rome/1.0/rome-1.0.jar MD5: 53d38c030287b939f4e6d745ba1269a7 SHA1: 022b33347f315833e9348cec2751af1a5d5656e4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
organization url
http://java.sun.com/
Medium
Vendor
pom
url
https://rome.dev.java.net/
Highest
Vendor
pom
organization name
Sun Microsystems
High
Vendor
pom
artifactid
rome
Low
Vendor
manifest
Bundle-Description
All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
Low
Vendor
Manifest
embed-directory
META-INF/lib
Low
Vendor
Manifest
originally-created-by
1.6.0_10 (Sun Microsystems Inc.)
Low
Vendor
pom
name
ROME, RSS and atOM utilitiEs for Java
High
Vendor
central
groupid
rome
Highest
Vendor
file
name
rome
High
Vendor
Manifest
bundle-docurl
http://java.sun.com/
Low
Vendor
pom
description
All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
Low
Vendor
pom
groupid
rome
Highest
Vendor
Manifest
bundle-symbolicname
rome.rome
Medium
Product
pom
groupid
rome
Low
Product
central
artifactid
rome
Highest
Product
pom
url
https://rome.dev.java.net/
Medium
Product
manifest
Bundle-Description
All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
Low
Product
Manifest
embed-directory
META-INF/lib
Low
Product
Manifest
originally-created-by
1.6.0_10 (Sun Microsystems Inc.)
Low
Product
Manifest
Bundle-Name
ROME, RSS and atOM utilitiEs for Java
Medium
Product
pom
name
ROME, RSS and atOM utilitiEs for Java
High
Product
pom
artifactid
rome
Highest
Product
file
name
rome
High
Product
Manifest
bundle-docurl
http://java.sun.com/
Low
Product
pom
description
All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format.
File Path: /home/ciagent/.m2/repository/org/apache/sanselan/sanselan/0.97-incubator/sanselan-0.97-incubator.jar MD5: 84f823e61d93fcedcb3c10a827c45989 SHA1: 8396778b076a2eaf62024b64f6d924e4e0095fca
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: eXo Social Core Component: People and Space
File Path: /home/ciagent/.m2/repository/org/exoplatform/social/social-component-core/5.3.x-SNAPSHOT/social-component-core-5.3.x-SNAPSHOT.jar MD5: e316fbfba9fa30e37a9d370db43643f9 SHA1: cd72311e8b68d1ad544934b2e2f0ba33bcaed44d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: The JavaBeans(TM) Activation Framework is used by the JavaMail(TM) API to manage MIME data
License:
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: https://glassfish.dev.java.net/public/CDDLv1.0.html
File Path: /home/ciagent/.m2/repository/javax/activation/activation/1.1.1/activation-1.1.1.jar MD5: 46a37512971d8eca81c3fcf245bf07d2 SHA1: 485de3a253e23f645037828c07f1d7f1af40763a
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/javax/mail/mail/1.4.7/mail-1.4.7.jar MD5: 77f53ff0c78ba43c4812ecc9f53e20f8 SHA1: 9add058589d5d85adeb625859bf2c5eeaaedf12d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar MD5: dd77e787b7b5dc56f6a1cb658716d55d SHA1: 04ff14d809195b711fd6bcc87e6777f886730ca1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Low
Vendor
pom
name
Apache Commons FileUpload
High
Vendor
pom
description
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Low
Product
pom
name
Apache Commons FileUpload
High
Product
pom
description
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Description: Implementation of REST Core for Exoplatform SAS 'Web Services' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/ws/exo.ws.rest.core/5.3.x-SNAPSHOT/exo.ws.rest.core-5.3.x-SNAPSHOT.jar MD5: 44bf545ee3d289362f22532c0760547b SHA1: 03ac20ae6703e58212d45e4e153056957e97d413
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
specification-vendor
eXo Platform SAS
Low
Vendor
pom
parent-artifactid
ws-parent
Low
Vendor
pom
groupid
exoplatform.ws
Highest
Vendor
pom
groupid
org.exoplatform.ws
Highest
Vendor
file
name
exo.ws.rest.core
High
Vendor
Manifest
Implementation-Vendor-Id
org.exoplatform.ws
Medium
Vendor
pom
parent-groupid
org.exoplatform.ws
Medium
Vendor
pom
artifactid
exo.ws.rest.core
Low
Vendor
Manifest
Implementation-Vendor
eXo Platform SAS
High
Vendor
pom
description
Implementation of REST Core for Exoplatform SAS 'Web Services' project.
Medium
Vendor
pom
name
eXo PLF:: WS :: REST :: Core
High
Product
pom
parent-groupid
org.exoplatform.ws
Low
Product
pom
artifactid
exo.ws.rest.core
Highest
Product
file
name
exo.ws.rest.core
High
Product
Manifest
Implementation-Title
eXo PLF:: WS :: REST :: Core
High
Product
Manifest
specification-title
exo-ws
Medium
Product
pom
groupid
exoplatform.ws
Low
Product
pom
parent-artifactid
ws-parent
Medium
Product
pom
description
Implementation of REST Core for Exoplatform SAS 'Web Services' project.
Description: Infinispan Implementation of Cache Service for Exoplatform SAS 'eXo Kernel' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/kernel/exo.kernel.component.ext.cache.impl.infinispan.v8/5.3.x-SNAPSHOT/exo.kernel.component.ext.cache.impl.infinispan.v8-5.3.x-SNAPSHOT.jar MD5: 2bd82588a1d04ea435de3b334321abb1 SHA1: 1008ebec01e1a674843d64dee25fdd0daf31078e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
Description: Implementation of Database Service of Exoplatform SAS eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/exoplatform/core/exo.core.component.database/5.3.x-SNAPSHOT/exo.core.component.database-5.3.x-SNAPSHOT.jar MD5: 92c38f5d3a2df6c2b885ad7408b22678 SHA1: 5b5bff26d83127aa80f76883395a4db05c39a4ff
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
specification-vendor
eXo Platform SAS
Low
Vendor
pom
artifactid
exo.core.component.database
Low
Vendor
pom
groupid
org.exoplatform.core
Highest
Vendor
pom
parent-artifactid
core-parent
Low
Vendor
Manifest
Implementation-Vendor-Id
org.exoplatform.core
Medium
Vendor
pom
groupid
exoplatform.core
Highest
Vendor
pom
name
eXo PLF Core :: Component :: Database Service
High
Vendor
file
name
exo.core.component.database
High
Vendor
Manifest
Implementation-Vendor
eXo Platform SAS
High
Vendor
pom
parent-groupid
org.exoplatform.core
Medium
Vendor
pom
description
Implementation of Database Service of Exoplatform SAS eXo Core' project.
Medium
Product
pom
parent-groupid
org.exoplatform.core
Low
Product
pom
groupid
exoplatform.core
Low
Product
pom
parent-artifactid
core-parent
Medium
Product
Manifest
Implementation-Title
eXo PLF Core :: Component :: Database Service
High
Product
pom
name
eXo PLF Core :: Component :: Database Service
High
Product
pom
artifactid
exo.core.component.database
Highest
Product
file
name
exo.core.component.database
High
Product
Manifest
specification-title
exo-core
Medium
Product
pom
description
Implementation of Database Service of Exoplatform SAS eXo Core' project.
File Path: /home/ciagent/.m2/repository/org/staxnav/staxnav.core/0.9.8/staxnav.core-0.9.8.jar MD5: 0f786e5be21df9fbe8753175564564c7 SHA1: 27bd12d4d74b0851e38de79f8299462d93ba3d7f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
File Path: /home/ciagent/.m2/repository/org/apache/commons/commons-lang3/3.3.2/commons-lang3-3.3.2.jar MD5: 3128bf75a2549ebe38663401191bacab SHA1: 90a3822c38ec8c996e84c16a3477ef632cbc87a3
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
url
http://commons.apache.org/proper/commons-lang/
Highest
Vendor
pom
groupid
org.apache.commons
Highest
Vendor
Manifest
specification-vendor
The Apache Software Foundation
Low
Vendor
pom
parent-artifactid
commons-parent
Low
Vendor
pom
description
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Low
Vendor
central
groupid
org.apache.commons
Highest
Vendor
manifest
Bundle-Description
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Low
Product
Manifest
specification-title
Apache Commons Lang
Medium
Product
manifest
Bundle-Description
Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/pc/pc-portlet/5.3.x-SNAPSHOT/pc-portlet-5.3.x-SNAPSHOT.jar MD5: 471a9c4fc6eb53f16cd833eedcd1069f SHA1: 4a9cf81176c3da5bc100a8f90a87a151a20c4123
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/pc/pc-federation/5.3.x-SNAPSHOT/pc-federation-5.3.x-SNAPSHOT.jar MD5: dd4ce55f7c860bb7d016dce9d657b75c SHA1: 6740d145021ee194ff19685821bb77cf57ad1ec1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/exoplatform/gatein/pc/pc-bridge/5.3.x-SNAPSHOT/pc-bridge-5.3.x-SNAPSHOT.jar MD5: a8031f45e408fb5a638da0e001313c6e SHA1: 807ded891c83a604160e6eac68bbaf3d6c071da9
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/mop/mop-api/1.3.2.Final/mop-api-1.3.2.Final.jar MD5: 4f2c10678f3c5850bb85c25514469e2e SHA1: 78f9c03a23ec1c3564e827d3927ce53eca6d919d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/mop/mop-spi/1.3.2.Final/mop-spi-1.3.2.Final.jar MD5: 6ef18d761e625d923ec01c6e5283026e SHA1: 4fe3a673d58c85d2f6c9ad4446b90229f46c8987
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/mop/mop-core/1.3.2.Final/mop-core-1.3.2.Final.jar MD5: 7d5eb7a5c2ed2d88362f9d8a9413a475 SHA1: d27e4c960aefd919f7c25049b72a9bc225cd6548
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/management/gatein-management-api/2.1.0.Final/gatein-management-api-2.1.0.Final.jar MD5: dde253e45fefd580cab7a4ee75c6d92e SHA1: 5c73b152fe9497eb37386052f86bfa7ee7d33b87
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/management/gatein-management-spi/2.1.0.Final/gatein-management-spi-2.1.0.Final.jar MD5: 4e10565858662ec9eea75cfbd3544ba1 SHA1: 79670b2dd849b49e145b7122cbff4ef83116157f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/twitter4j/twitter4j-core/3.0.5/twitter4j-core-3.0.5.jar MD5: e6c8d2b10c621b2bbd7809bad9cedca3 SHA1: c38ad47bc8ba5991886ce2c0e0acd76d0fdd6e6d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/scribe/scribe/1.3.5/scribe-1.3.5.jar MD5: 0abb910da19741cd84aabf5520385bc2 SHA1: a3b3deded9d241d9f2c8aa9c9bcd90ad29e2581e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/ciagent/.m2/repository/com/google/http-client/google-http-client/1.14.1-beta/google-http-client-1.14.1-beta.jar MD5: 8a3711522ebceef2531d455e2f04a639 SHA1: cb503d4021739e6bac39442ac87b4e311ec77b5e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
parent-groupid
com.google.http-client
Medium
Vendor
pom
name
Google HTTP Client Library for Java
High
Vendor
pom
groupid
google.http-client
Highest
Vendor
central
groupid
com.google.http-client
Highest
Vendor
pom
artifactid
google-http-client
Low
Vendor
pom
parent-artifactid
google-http-client-parent
Low
Vendor
pom
description
Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
Low
Vendor
Manifest
Implementation-Vendor
Google
High
Vendor
pom
groupid
com.google.http-client
Highest
Vendor
Manifest
Implementation-Vendor-Id
com.google.http-client
Medium
Vendor
file
name
google-http-client
High
Product
pom
name
Google HTTP Client Library for Java
High
Product
pom
description
Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/com/google/code/findbugs/jsr305/1.3.9/jsr305-1.3.9.jar MD5: 1d5a772e400b04bb67a7ef4a0e0996d8 SHA1: 40719ea6961c0cb6afaeb6a921eaa1f6afd4cfdf
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/ciagent/.m2/repository/com/google/oauth-client/google-oauth-client/1.14.1-beta/google-oauth-client-1.14.1-beta.jar MD5: 71feea1d54eb7878c12855b7c47ef289 SHA1: 7260cd30808a6d1d4ddef6250e3d92d814aaa4cb
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
name
Google OAuth Client Library for Java
High
Vendor
Manifest
Implementation-Vendor-Id
com.google.oauth-client
Medium
Vendor
pom
description
Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
Low
Vendor
pom
parent-artifactid
google-oauth-client-parent
Low
Vendor
file
name
google-oauth-client
High
Vendor
pom
parent-groupid
com.google.oauth-client
Medium
Vendor
pom
groupid
com.google.oauth-client
Highest
Vendor
Manifest
Implementation-Vendor
Google
High
Vendor
pom
artifactid
google-oauth-client
Low
Vendor
pom
groupid
google.oauth-client
Highest
Vendor
central
groupid
com.google.oauth-client
Highest
Product
pom
name
Google OAuth Client Library for Java
High
Product
pom
description
Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/ciagent/.m2/repository/com/google/api-client/google-api-client/1.14.1-beta/google-api-client-1.14.1-beta.jar MD5: 6832804471d4d635ed74ae1fbd5d9d86 SHA1: e95d3b6e36fc67bffd7e71ef60bc5af623e73843
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Jackson is a high-performance JSON processor (parser, generator)
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/codehaus/jackson/jackson-core-asl/1.9.11/jackson-core-asl-1.9.11.jar MD5: 49801a6d43725d5c3a1a52ca021d7dc5 SHA1: e32303ef8bd18a5c9272780d49b81c95e05ddf43
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
specification-vendor
http://www.ietf.org/rfc/rfc4627.txt
Low
Vendor
pom
name
Jackson
High
Vendor
file
name
jackson-core-asl
High
Vendor
pom
organization name
FasterXML
High
Vendor
central
groupid
org.codehaus.jackson
Highest
Vendor
Manifest
Implementation-Vendor
http://fasterxml.com
High
Vendor
pom
organization url
http://fasterxml.com
Medium
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5, JavaSE-1.6
Low
Vendor
pom
groupid
org.codehaus.jackson
Highest
Vendor
pom
groupid
codehaus.jackson
Highest
Vendor
pom
description
Jackson is a high-performance JSON processor (parser, generator)
Medium
Vendor
pom
artifactid
jackson-core-asl
Low
Vendor
pom
url
http://jackson.codehaus.org
Highest
Vendor
Manifest
bundle-symbolicname
jackson-core-asl
Medium
Product
pom
groupid
codehaus.jackson
Low
Product
Manifest
Implementation-Title
Jackson JSON processor
High
Product
pom
name
Jackson
High
Product
Manifest
Bundle-Name
Jackson JSON processor
Medium
Product
file
name
jackson-core-asl
High
Product
pom
organization url
http://fasterxml.com
Low
Product
Manifest
specification-title
JSON - JavaScript Object Notation
Medium
Product
central
artifactid
jackson-core-asl
Highest
Product
pom
artifactid
jackson-core-asl
Highest
Product
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5, JavaSE-1.6
Low
Product
pom
organization name
FasterXML
Low
Product
pom
description
Jackson is a high-performance JSON processor (parser, generator)
File Path: /home/ciagent/.m2/repository/com/google/http-client/google-http-client-jackson/1.14.1-beta/google-http-client-jackson-1.14.1-beta.jar MD5: 85d9f42910a68e85ff22d24805688da9 SHA1: 3cfc08bf4b0f62234ff69ff2a0b3c26d7e447829
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
parent-groupid
com.google.http-client
Medium
Vendor
pom
groupid
google.http-client
Highest
Vendor
central
groupid
com.google.http-client
Highest
Vendor
pom
parent-artifactid
google-http-client-parent
Low
Vendor
Manifest
Implementation-Vendor
Google
High
Vendor
pom
artifactid
google-http-client-jackson
Low
Vendor
pom
groupid
com.google.http-client
Highest
Vendor
Manifest
Implementation-Vendor-Id
com.google.http-client
Medium
Vendor
file
name
google-http-client-jackson
High
Vendor
pom
name
Jackson extensions to the Google HTTP Client Library for Java.
High
Product
pom
artifactid
google-http-client-jackson
Highest
Product
Manifest
Implementation-Title
Jackson extensions to the Google HTTP Client Library for Java.
High
Product
central
artifactid
google-http-client-jackson
Highest
Product
pom
groupid
google.http-client
Low
Product
pom
parent-groupid
com.google.http-client
Low
Product
file
name
google-http-client-jackson
High
Product
pom
parent-artifactid
google-http-client-parent
Medium
Product
pom
name
Jackson extensions to the Google HTTP Client Library for Java.
File Path: /home/ciagent/.m2/repository/com/google/apis/google-api-services-plus/v1-rev69-1.14.2-beta/google-api-services-plus-v1-rev69-1.14.2-beta.jar MD5: fbddf71619f41f1359f0b3abff442444 SHA1: a6c5cc69690a3bd7777025a65b0f1abe66112a5e
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/apis/google-api-services-oauth2/v2-rev36-1.14.2-beta/google-api-services-oauth2-v2-rev36-1.14.2-beta.jar MD5: cd2ac31ad0317e53e660c2a4578749f3 SHA1: c7249e1e4832f6e6585f7b7db307585b3ae53881
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/joda-time/joda-time/2.4/joda-time-2.4.jar MD5: 1231c3e09de6aa5d6b6d9982c0224e20 SHA1: 89e9725439adffbbd41c5f5c215c136082b34a7f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
Implementation-Vendor
Joda.org
High
Vendor
Manifest
bundle-docurl
http://www.joda.org/joda-time/
Low
Vendor
Manifest
Implementation-Vendor-Id
org.joda
Medium
Vendor
pom
description
Date and time library to replace JDK date handling
Medium
Vendor
pom
name
Joda-Time
High
Vendor
Manifest
extension-name
joda-time
Medium
Vendor
pom
groupid
joda-time
Highest
Vendor
pom
artifactid
joda-time
Low
Vendor
file
name
joda-time
High
Vendor
Manifest
specification-vendor
Joda.org
Low
Vendor
pom
url
http://www.joda.org/joda-time/
Highest
Vendor
central
groupid
joda-time
Highest
Vendor
pom
organization url
http://www.joda.org
Medium
Vendor
Manifest
bundle-symbolicname
joda-time
Medium
Vendor
pom
organization name
Joda.org
High
Product
central
artifactid
joda-time
Highest
Product
pom
artifactid
joda-time
Highest
Product
Manifest
specification-title
Joda-Time
Medium
Product
pom
organization url
http://www.joda.org
Low
Product
Manifest
bundle-docurl
http://www.joda.org/joda-time/
Low
Product
pom
description
Date and time library to replace JDK date handling
Description: This is the ehcache core module. Pair it with other modules for added functionality.
License:
The Apache Software License, Version 2.0: src/assemble/EHCACHE-CORE-LICENSE.txt
File Path: /home/ciagent/.m2/repository/net/sf/ehcache/ehcache-core/2.6.9/ehcache-core-2.6.9.jar MD5: 521348c6da7c20dba2058917a6a8c0a9 SHA1: e892585cc2cf95d46a2533df438a1d3323034ae8
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
parent-artifactid
ehcache-parent
Low
Vendor
central
groupid
net.sf.ehcache
Highest
Vendor
pom
name
Ehcache Core
High
Vendor
pom
artifactid
ehcache-core
Low
Vendor
file
name
ehcache-core
High
Vendor
pom
url
http://ehcache.org
Highest
Vendor
pom
description
This is the ehcache core module. Pair it with other modules for added functionality.
Medium
Vendor
pom
groupid
net.sf.ehcache
Highest
Product
pom
name
Ehcache Core
High
Product
central
artifactid
ehcache-core
Highest
Product
pom
groupid
net.sf.ehcache
Low
Product
pom
parent-artifactid
ehcache-parent
Medium
Product
file
name
ehcache-core
High
Product
pom
description
This is the ehcache core module. Pair it with other modules for added functionality.
File Path: /home/ciagent/.m2/repository/de/odysseus/juel/juel-impl/2.2.7/juel-impl-2.2.7.jar MD5: c5d7a62edafb5706b6beadbbcfd8f57d SHA1: 97958467acef4c2b230b72354a4eefc66628dd99
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/apache/shindig/shindig-common/2.5.2/shindig-common-2.5.2.jar MD5: 9deeebec74d0530849d5dd42e19ee9cd SHA1: 8e3d0ee31607e7a18f20612ef705b32ab8eace2b
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: A collection of image processing filters.
License:
Apache License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0
File Path: /home/ciagent/.m2/repository/com/jhlabs/filters/2.0.235/filters-2.0.235.jar MD5: d91073d6b28e2505e96620709626495f SHA1: af6a2dfefef70f1ab2d7a8d1f8173f67e276b3f4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.
File Path: /home/ciagent/.m2/repository/org/gatein/captcha/simplecaptcha/1.1.1.Final-gatein-4/simplecaptcha-1.1.1.Final-gatein-4.jar MD5: a8b83c67e6fd04cd02d8ebcfd47348c1 SHA1: 964c53fedc87745494c5f8f2cd62b2548dbdeff5
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/gatein/api/gatein-api/1.0.1.Final/gatein-api-1.0.1.Final.jar MD5: 04d51eb4e2734df16f83e514b7110000 SHA1: b67727b03994e6081e2e411804c25bd5d0d919a6
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/aopalliance/aopalliance/1.0/aopalliance-1.0.jar MD5: 04177054e180d09e3998808efa0401c7 SHA1: 0235ba8b489512805ac13a8f9ea77a1ca5ebe3e8
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/google/inject/guice/3.0/guice-3.0.jar MD5: ca1c7ba366884cfcd2cfb48d2395c400 SHA1: 9d84f15fe35e2c716a02979fb62f50a29f38aefa
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
manifest
Bundle-Description
Guice is a lightweight dependency injection framework for Java 5 and above
Medium
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5,JavaSE-1.6
Low
Vendor
Manifest
bundle-symbolicname
com.google.inject
Medium
Vendor
pom
parent-groupid
com.google.inject
Medium
Vendor
pom
groupid
google.inject
Highest
Vendor
file
name
guice
High
Vendor
central
groupid
com.google.inject
Highest
Vendor
Manifest
bundle-copyright
Copyright (C) 2006 Google Inc.
Low
Vendor
pom
name
Google Guice - Core Library
High
Vendor
pom
parent-artifactid
guice-parent
Low
Vendor
pom
groupid
com.google.inject
Highest
Vendor
Manifest
bundle-docurl
http://code.google.com/p/google-guice/
Low
Vendor
pom
artifactid
guice
Low
Product
manifest
Bundle-Description
Guice is a lightweight dependency injection framework for Java 5 and above
File Path: /home/ciagent/.m2/repository/com/google/inject/extensions/guice-multibindings/3.0/guice-multibindings-3.0.jar MD5: 4be1e91408e173eb10ed53a1a565a793 SHA1: 5e670615a927571234df68a8b1fe1a16272be555
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
central
groupid
com.google.inject.extensions
Highest
Vendor
pom
groupid
google.inject.extensions
Highest
Vendor
manifest
Bundle-Description
Guice is a lightweight dependency injection framework for Java 5 and above
Medium
Vendor
pom
groupid
com.google.inject.extensions
Highest
Vendor
Manifest
bundle-requiredexecutionenvironment
J2SE-1.5,JavaSE-1.6
Low
Vendor
pom
parent-artifactid
extensions-parent
Low
Vendor
Manifest
bundle-symbolicname
com.google.inject.multibindings
Medium
Vendor
pom
parent-groupid
com.google.inject.extensions
Medium
Vendor
pom
name
Google Guice - Extensions - MultiBindings
High
Vendor
pom
artifactid
guice-multibindings
Low
Vendor
Manifest
bundle-copyright
Copyright (C) 2006 Google Inc.
Low
Vendor
file
name
guice-multibindings
High
Vendor
Manifest
bundle-docurl
http://code.google.com/p/google-guice/
Low
Product
pom
parent-artifactid
extensions-parent
Medium
Product
manifest
Bundle-Description
Guice is a lightweight dependency injection framework for Java 5 and above
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: /home/ciagent/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar MD5: 353cf6a2bdba09595ccfa073b78c7fcb SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
specification-vendor
The Apache Software Foundation
Low
Vendor
Manifest
bundle-docurl
http://commons.apache.org/proper/commons-codec/
Low
Vendor
pom
parent-artifactid
commons-parent
Low
Vendor
pom
description
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Low
Vendor
manifest
Bundle-Description
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Low
Product
manifest
Bundle-Description
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
File Path: /home/ciagent/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar MD5: f32a8a2524620dbecc9f6bf6a20c293f SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
bundle-docurl
https://github.com/google/guava/
Low
Vendor
pom
name
Guava: Google Core Libraries for Java
High
Vendor
file
name
guava
High
Vendor
manifest
Bundle-Description
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Low
Product
pom
artifactid
guava
Highest
Product
Manifest
bundle-docurl
https://github.com/google/guava/
Low
Product
pom
name
Guava: Google Core Libraries for Java
High
Product
file
name
guava
High
Product
manifest
Bundle-Description
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
File Path: /home/ciagent/.m2/repository/net/oauth/core/oauth-provider/20100527/oauth-provider-20100527.jar MD5: afdc85d3f14481e4842c317c4f414f7e SHA1: 165bfc97e63e5af8e052a47f4dee832ce06bf7d7
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/net/oauth/core/oauth-consumer/20090617/oauth-consumer-20090617.jar MD5: f0e2849d152f4d8bf725aa4e11b8f969 SHA1: fb70a4c98119c27e78320c5e42a99f0b9eb7c356
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/net/oauth/core/oauth-httpclient4/20090913/oauth-httpclient4-20090913.jar MD5: 577e1f28c28bc5006b8adcf838ffd46d SHA1: a42f9135d3d72e77274982c4aa14fa0f4dab882f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
File Path: /home/ciagent/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar MD5: 7f97854dc04c119d461fed14f5d8bb96 SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
specification-vendor
The Apache Software Foundation
Low
Vendor
pom
parent-artifactid
commons-parent
Low
Vendor
Manifest
bundle-symbolicname
org.apache.commons.io
Medium
Vendor
pom
groupid
commons-io
Highest
Vendor
manifest
Bundle-Description
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Low
Vendor
Manifest
bundle-docurl
http://commons.apache.org/io/
Low
Vendor
pom
parent-groupid
org.apache.commons
Medium
Vendor
pom
description
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Low
Vendor
Manifest
Implementation-Vendor
The Apache Software Foundation
High
Vendor
Manifest
implementation-build
tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400
Low
Vendor
Manifest
Implementation-Vendor-Id
org.apache
Medium
Vendor
pom
artifactid
commons-io
Low
Vendor
pom
name
Commons IO
High
Vendor
pom
url
http://commons.apache.org/io/
Highest
Vendor
central
groupid
commons-io
Highest
Vendor
file
name
commons-io
High
Product
pom
parent-artifactid
commons-parent
Medium
Product
Manifest
bundle-symbolicname
org.apache.commons.io
Medium
Product
manifest
Bundle-Description
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Low
Product
pom
url
http://commons.apache.org/io/
Medium
Product
pom
parent-groupid
org.apache.commons
Low
Product
Manifest
bundle-docurl
http://commons.apache.org/io/
Low
Product
pom
description
The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
File Path: /home/ciagent/.m2/repository/org/apache/httpcomponents/httpcore/4.3.3/httpcore-4.3.3.jar MD5: c26171852f9810cd3d2416604a387e71 SHA1: f91b7a4aadc5cf486df6e4634748d7dd7a73f06d
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/org/apache/httpcomponents/httpclient/4.3.6/httpclient-4.3.6.jar MD5: 2d29a27bb6c6b44bc8a608a0e5d09735 SHA1: 4c47155e3e6c9a41a28db36680b828ced53b8af4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
File Path: /home/ciagent/.m2/repository/org/json/json/20070829/json-20070829.jar MD5: 4a913140f9099519dfc0212fa5d9a457 SHA1: 89190ff77b57203c3417555f32226998da97ff38
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
organization url
http://json.org/
Medium
Vendor
pom
groupid
json
Highest
Vendor
pom
artifactid
json
Low
Vendor
pom
url
http://www.json.org/java/index.html
Highest
Vendor
pom
groupid
org.json
Highest
Vendor
pom
name
JSON (JavaScript Object Notation)
High
Vendor
file
name
json-20070829
High
Vendor
jar
package name
json
Low
Vendor
pom
organization name
JSON
High
Vendor
pom
description
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but...
Low
Vendor
central
groupid
org.json
Highest
Product
central
artifactid
json
Highest
Product
pom
organization name
JSON
Low
Product
pom
artifactid
json
Highest
Product
pom
name
JSON (JavaScript Object Notation)
High
Product
pom
url
http://www.json.org/java/index.html
Medium
Product
file
name
json-20070829
High
Product
pom
organization url
http://json.org/
Low
Product
pom
groupid
json
Low
Product
pom
description
JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but...
Description:
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
File Path: /home/ciagent/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar MD5: f807f86d7d9db25edbfc782aca7ca2a9 SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
manifest: org/apache/xerces/impl/Version.class
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
manifest: org/w3c/dom/
Implementation-Vendor
World Wide Web Consortium
Medium
Vendor
manifest: org/w3c/dom/ls/
Implementation-Vendor
World Wide Web Consortium
Medium
Vendor
file
name
xercesImpl
High
Vendor
manifest: javax/xml/xpath/
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
pom
parent-artifactid
apache
Low
Vendor
pom
description
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Low
Vendor
pom
name
Xerces2 Java Parser
High
Vendor
pom
artifactid
xercesImpl
Low
Vendor
pom
groupid
xerces
Highest
Vendor
manifest: javax/xml/transform/
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
manifest: javax/xml/parsers/
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
central
groupid
xerces
Highest
Vendor
pom
url
http://xerces.apache.org/xerces2-j
Highest
Vendor
manifest: org/xml/sax/
Implementation-Vendor
David Megginson
Medium
Vendor
manifest: javax/xml/datatype/
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
manifest: org/apache/xerces/xni/
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
manifest: javax/xml/validation/
Implementation-Vendor
Apache Software Foundation
Medium
Vendor
pom
parent-groupid
org.apache
Medium
Product
pom
artifactid
xercesImpl
Highest
Product
manifest: javax/xml/transform/
Specification-Title
Java API for XML Processing
Medium
Product
pom
groupid
xerces
Low
Product
file
name
xercesImpl
High
Product
manifest: org/apache/xerces/impl/Version.class
Implementation-Title
org.apache.xerces.impl.Version
Medium
Product
pom
description
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Description: Java.net - The Source for Java Technology Collaboration
License:
CDDL + GPLv2 with classpath exception: https://glassfish.dev.java.net/nonav/public/CDDL+GPL.html
File Path: /home/ciagent/.m2/repository/javax/servlet/javax.servlet-api/3.0.1/javax.servlet-api-3.0.1.jar MD5: 3ef236ac4c24850cd54abff60be25f35 SHA1: 6bf0ebb7efd993e222fc1112377b5e92a13b38dd
Referenced In Project/Scope:
eXo PLF:: Social Service Component:provided
Evidence
Type
Source
Name
Value
Confidence
Vendor
Manifest
specification-vendor
Oracle
Low
Vendor
pom
parent-artifactid
jvnet-parent
Low
Vendor
central
groupid
javax.servlet
Highest
Vendor
manifest
Bundle-Description
Java.net - The Source for Java Technology Collaboration
Medium
Vendor
pom
parent-groupid
net.java
Medium
Vendor
Manifest
Implementation-Vendor
GlassFish Community
High
Vendor
Manifest
extension-name
javax.servlet
Medium
Vendor
pom
url
http://servlet-spec.java.net
Highest
Vendor
Manifest
bundle-symbolicname
javax.servlet-api
Medium
Vendor
pom
name
Java Servlet API
High
Vendor
pom
artifactid
javax.servlet-api
Low
Vendor
Manifest
bundle-docurl
https://glassfish.dev.java.net
Low
Vendor
file
name
javax.servlet-api
High
Vendor
Manifest
Implementation-Vendor-Id
org.glassfish
Medium
Vendor
Manifest (hint)
specification-vendor
sun
Low
Vendor
pom
organization url
https://glassfish.dev.java.net
Medium
Vendor
pom
organization name
GlassFish Community
High
Vendor
pom
groupid
javax.servlet
Highest
Product
manifest
Bundle-Description
Java.net - The Source for Java Technology Collaboration
File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.3.0/jackson-annotations-2.3.0.jar MD5: c954fbca7d677f323d810d0fa8baead2 SHA1: f5e853a20b60758922453d56f9ae1e64af5cb3da
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
parent-artifactid
oss-parent
Low
Vendor
file
name
jackson-annotations
High
Vendor
pom
parent-groupid
com.fasterxml
Medium
Vendor
Manifest
implementation-build-date
2013-11-13 20:56:27-0800
Low
Vendor
Manifest
bundle-docurl
http://wiki.fasterxml.com/JacksonHome
Low
Vendor
Manifest
Implementation-Vendor
FasterXML
High
Vendor
pom
name
Jackson-annotations
High
Vendor
pom
description
Core annotations used for value types, used by Jackson data binding package.
Medium
Vendor
Manifest
specification-vendor
FasterXML
Low
Vendor
pom
groupid
fasterxml.jackson.core
Highest
Vendor
Manifest
Implementation-Vendor-Id
com.fasterxml.jackson.core
Medium
Vendor
central
groupid
com.fasterxml.jackson.core
Highest
Vendor
pom
groupid
com.fasterxml.jackson.core
Highest
Vendor
pom
artifactid
jackson-annotations
Low
Vendor
Manifest
bundle-symbolicname
com.fasterxml.jackson.core.jackson-annotations
Medium
Vendor
pom
url
http://wiki.fasterxml.com/JacksonHome
Highest
Vendor
manifest
Bundle-Description
Core annotations used for value types, used by Jackson data binding package.
Medium
Product
pom
artifactid
jackson-annotations
Highest
Product
file
name
jackson-annotations
High
Product
Manifest
implementation-build-date
2013-11-13 20:56:27-0800
Low
Product
Manifest
bundle-docurl
http://wiki.fasterxml.com/JacksonHome
Low
Product
pom
groupid
fasterxml.jackson.core
Low
Product
pom
name
Jackson-annotations
High
Product
pom
description
Core annotations used for value types, used by Jackson data binding package.
Medium
Product
Manifest
Implementation-Title
Jackson-annotations
High
Product
pom
parent-groupid
com.fasterxml
Low
Product
pom
parent-artifactid
oss-parent
Medium
Product
Manifest
Bundle-Name
Jackson-annotations
Medium
Product
central
artifactid
jackson-annotations
Highest
Product
Manifest
bundle-symbolicname
com.fasterxml.jackson.core.jackson-annotations
Medium
Product
pom
url
http://wiki.fasterxml.com/JacksonHome
Medium
Product
manifest
Bundle-Description
Core annotations used for value types, used by Jackson data binding package.
File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.3.1/jackson-core-2.3.1.jar MD5: aa2152b5f610a2dee75bb81bcab66c36 SHA1: f9f7185c92ca5fefe2fb3efdeb477a67c96ea2d0
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
artifactid
jackson-core
Low
Vendor
pom
parent-artifactid
oss-parent
Low
Vendor
pom
description
Core Jackson abstractions, basic JSON streaming API implementation
Medium
Vendor
pom
parent-groupid
com.fasterxml
Medium
Vendor
pom
name
Jackson-core
High
Vendor
Manifest
bundle-docurl
http://wiki.fasterxml.com/JacksonHome
Low
Vendor
Manifest
Implementation-Vendor
FasterXML
High
Vendor
Manifest
specification-vendor
FasterXML
Low
Vendor
Manifest
bundle-symbolicname
com.fasterxml.jackson.core.jackson-core
Medium
Vendor
pom
groupid
fasterxml.jackson.core
Highest
Vendor
Manifest
Implementation-Vendor-Id
com.fasterxml.jackson.core
Medium
Vendor
central
groupid
com.fasterxml.jackson.core
Highest
Vendor
pom
groupid
com.fasterxml.jackson.core
Highest
Vendor
manifest
Bundle-Description
Core Jackson abstractions, basic JSON streaming API implementation
Medium
Vendor
Manifest
implementation-build-date
2013-12-27 17:00:34-0800
Low
Vendor
pom
url
http://wiki.fasterxml.com/JacksonHome
Highest
Vendor
file
name
jackson-core
High
Product
Manifest
Bundle-Name
Jackson-core
Medium
Product
pom
description
Core Jackson abstractions, basic JSON streaming API implementation
Medium
Product
pom
name
Jackson-core
High
Product
Manifest
specification-title
Jackson-core
Medium
Product
Manifest
bundle-docurl
http://wiki.fasterxml.com/JacksonHome
Low
Product
Manifest
Implementation-Title
Jackson-core
High
Product
pom
groupid
fasterxml.jackson.core
Low
Product
Manifest
bundle-symbolicname
com.fasterxml.jackson.core.jackson-core
Medium
Product
manifest
Bundle-Description
Core Jackson abstractions, basic JSON streaming API implementation
File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.1/jackson-databind-2.3.1.jar MD5: 4de637793707fdecb1b7a90f677103ec SHA1: c4096a8323bbbcbeda072e3def123a9b66783361
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
pom
parent-artifactid
oss-parent
Low
Vendor
file
name
jackson-databind
High
Vendor
pom
parent-groupid
com.fasterxml
Medium
Vendor
pom
artifactid
jackson-databind
Low
Vendor
Manifest
bundle-docurl
http://wiki.fasterxml.com/JacksonHome
Low
Vendor
Manifest
Implementation-Vendor
FasterXML
High
Vendor
Manifest
specification-vendor
FasterXML
Low
Vendor
manifest
Bundle-Description
General data-binding functionality for Jackson: works on core streaming API
Medium
Vendor
pom
groupid
fasterxml.jackson.core
Highest
Vendor
Manifest
Implementation-Vendor-Id
com.fasterxml.jackson.core
Medium
Vendor
central
groupid
com.fasterxml.jackson.core
Highest
Vendor
pom
groupid
com.fasterxml.jackson.core
Highest
Vendor
Manifest
bundle-symbolicname
com.fasterxml.jackson.core.jackson-databind
Medium
Vendor
Manifest
implementation-build-date
2013-12-27 18:28:29-0800
Low
Vendor
pom
name
jackson-databind
High
Vendor
pom
url
http://wiki.fasterxml.com/JacksonHome
Highest
Vendor
pom
description
General data-binding functionality for Jackson: works on core streaming API
Medium
Product
file
name
jackson-databind
High
Product
Manifest
specification-title
jackson-databind
Medium
Product
Manifest
bundle-docurl
http://wiki.fasterxml.com/JacksonHome
Low
Product
pom
groupid
fasterxml.jackson.core
Low
Product
central
artifactid
jackson-databind
Highest
Product
pom
artifactid
jackson-databind
Highest
Product
manifest
Bundle-Description
General data-binding functionality for Jackson: works on core streaming API
Medium
Product
pom
parent-groupid
com.fasterxml
Low
Product
Manifest
bundle-symbolicname
com.fasterxml.jackson.core.jackson-databind
Medium
Product
pom
parent-artifactid
oss-parent
Medium
Product
Manifest
implementation-build-date
2013-12-27 18:28:29-0800
Low
Product
pom
name
jackson-databind
High
Product
Manifest
Bundle-Name
jackson-databind
Medium
Product
Manifest
Implementation-Title
jackson-databind
High
Product
pom
url
http://wiki.fasterxml.com/JacksonHome
Medium
Product
pom
description
General data-binding functionality for Jackson: works on core streaming API
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Description: tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/ciagent/.m2/repository/org/codehaus/woodstox/stax2-api/3.1.4/stax2-api-3.1.4.jar MD5: c08e89de601b0a78f941b2c29db565c3 SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
Type
Source
Name
Value
Confidence
Vendor
central
groupid
org.codehaus.woodstox
Highest
Vendor
Manifest
bundle-symbolicname
stax2-api
Medium
Vendor
pom
groupid
codehaus.woodstox
Highest
Vendor
pom
artifactid
stax2-api
Low
Vendor
manifest
Bundle-Description
tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
Low
Vendor
Manifest
bundle-docurl
http://fasterxml.com
Low
Vendor
pom
url
http://wiki.fasterxml.com/WoodstoxStax2
Highest
Vendor
pom
organization url
http://fasterxml.com
Medium
Vendor
pom
organization name
fasterxml.com
High
Vendor
pom
name
Stax2 API
High
Vendor
pom
description
tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
Low
Vendor
file
name
stax2-api
High
Vendor
pom
groupid
org.codehaus.woodstox
Highest
Product
pom
artifactid
stax2-api
Highest
Product
pom
groupid
codehaus.woodstox
Low
Product
pom
url
http://wiki.fasterxml.com/WoodstoxStax2
Medium
Product
central
artifactid
stax2-api
Highest
Product
Manifest
bundle-symbolicname
stax2-api
Medium
Product
pom
organization url
http://fasterxml.com
Low
Product
manifest
Bundle-Description
tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
Low
Product
pom
organization name
fasterxml.com
Low
Product
Manifest
bundle-docurl
http://fasterxml.com
Low
Product
pom
name
Stax2 API
High
Product
pom
description
tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
Description: Data format extension for Jackson (http://jackson.codehaus.org) to offer
alternative support for serializing POJOs as XML and deserializing XML as pojos.
Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types like JsonGenerator, JsonParser and JsonFactory.
Some data-binding types overridden as well (ObjectMapper sub-classed as XmlMapper).
File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/2.4.2/jackson-dataformat-xml-2.4.2.jar MD5: 1fa55358af6a1364e72e24d9ca4d58e7 SHA1: 02f2d96f68b2d3475452d95dde7a3fbee225f6ae
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Data format extension for Jackson (http://jackson.codehaus.org) to offer alternative support for serializing POJOs as XML and deserializing XML as pojos. Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types ...
Low
Vendor
central
groupid
com.fasterxml.jackson.dataformat
Highest
Vendor
file
name
jackson-dataformat-xml
High
Vendor
Manifest
Implementation-Vendor-Id
com.fasterxml.jackson.dataformat
Medium
Vendor
Manifest
implementation-build-date
2014-08-15 18:38:26-0700
Low
Vendor
pom
description
Data format extension for Jackson (http://jackson.codehaus.org) to offer
alternative support for serializing POJOs as XML and deserializing XML as pojos.
Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types ...
Low
Product
file
name
jackson-dataformat-xml
High
Product
pom
groupid
fasterxml.jackson.dataformat
Low
Product
pom
parent-groupid
com.fasterxml.jackson
Low
Product
Manifest
implementation-build-date
2014-08-15 18:38:26-0700
Low
Product
pom
description
Data format extension for Jackson (http://jackson.codehaus.org) to offer
alternative support for serializing POJOs as XML and deserializing XML as pojos.
Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types ...
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
File Path: /home/ciagent/.m2/repository/io/swagger/swagger-annotations/1.5.0/swagger-annotations-1.5.0.jar MD5: c16eb2bdd9f90e97849950178c4c543d SHA1: f7497f7887e65277c0dab1da1148cf211083f3d4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/io/swagger/swagger-models/1.5.0/swagger-models-1.5.0.jar MD5: 5c3d553535fddea14a4e7e87c5fc59fa SHA1: d2566bfc270073a559b342089f54086ee64ca5b1
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar MD5: 4c257f52462860b62ab3cdab45f53082 SHA1: 8613ae82954779d518631e05daa73a6a954817d5
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/io/swagger/swagger-core/1.5.0/swagger-core-1.5.0.jar MD5: abc2015d9e823cb96abfa7e2937b43fb SHA1: 09d5cfb8188ac316bad3a7b38c46bac0568c60e4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Annotation supports the FindBugs tool
License:
GNU Lesser Public License: http://www.gnu.org/licenses/lgpl.html
File Path: /home/ciagent/.m2/repository/com/google/code/findbugs/annotations/2.0.1/annotations-2.0.1.jar MD5: 35ef911c85603829ded63f211feb2d68 SHA1: 9ef6656259841cebfb9fb0697bb122ada4485498
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description: Reflections - a Java runtime metadata analysis
License:
WTFPL: http://www.wtfpl.net/
The New BSD License: http://www.opensource.org/licenses/bsd-license.html
File Path: /home/ciagent/.m2/repository/org/reflections/reflections/0.9.9/reflections-0.9.9.jar MD5: 5f13944b355f927f956b6298136ad959 SHA1: 0296d8adb2f22a38025f44b45cac89835ff0bbaf
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/jaxrs/jackson-jaxrs-base/2.4.2/jackson-jaxrs-base-2.4.2.jar MD5: 2764d307011e399f6cfde3d931325366 SHA1: 304e6e60d495095bdae65f80462afc26d76dded4
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Evidence
| Type | Source | Name | Value | Confidence |
|---|---|---|---|---|
| Vendor | pom | artifactid | jackson-jaxrs-base | Low |
| Vendor | pom | name | Jackson-JAXRS-base | High |
| Vendor | pom | parent-groupid | com.fasterxml.jackson.jaxrs | Medium |
| Vendor | pom | description | Pile of code that is shared by all Jackson-based JAX-RS providers. | Medium |
| Vendor | Manifest | Implementation-Vendor | FasterXML | High |
| Vendor | file | name | jackson-jaxrs-base | High |
| Vendor | Manifest | specification-vendor | FasterXML | Low |
| Vendor | manifest | Bundle-Description | Pile of code that is shared by all Jackson-based JAX-RS providers. | |
File Path: /home/ciagent/.m2/repository/io/swagger/swagger-jaxrs/1.5.0/swagger-jaxrs-1.5.0.jar MD5: a09d96c899411ac57a479c6635829600 SHA1: 04a77f3f95bfec3073d9d20660c16f54886dfc9f
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
File Path: /home/ciagent/.m2/repository/net/sf/ehcache/ehcache-core/2.6.9/ehcache-core-2.6.9.jar/net/sf/ehcache/pool/sizeof/sizeof-agent.jar MD5: 5ad919b3ac0516897bdca079c9a222a8 SHA1: e86399a80ae6a6c7a563717eaa0ce9ba4708571c
Referenced In Project/Scope:
eXo PLF:: Social Service Component:compile
Description:
Closure Compiler is a JavaScript optimizing compiler. It parses your
JavaScript, analyzes it, removes dead code and rewrites and minimizes
what's left. It also checks syntax, variable references, and types, and
warns about common JavaScript pitfalls. It is used in many of Google's
JavaScript apps, including Gmail, Google Web Search, Google Maps, and
Google Docs.
Closure Compiler is a JavaScript optimizing compiler. It parses your JavaScript, analyzes it, removes dead code and rewrites and minimizes what's left. It also checks syntax, variable references, and types, and warns about common JavaScript pitfalls. It is used in many of Google's JavaScript apps, including Gmail, Google Web Search, Google Maps, and Google Docs.
Low
| Vendor | pom | name | Closure Compiler | High |
| Vendor | pom | groupid | google.javascript | Highest |
| Vendor | pom | artifactid | closure-compiler | Low |
| Vendor | pom | parent-artifactid | closure-compiler-main | Low |
| Product | pom | url | https://developers.google.com/closure/compiler/ | Medium |
| Product | pom | groupid | google.javascript | Low |
| Product | pom | artifactid | closure-compiler | Highest |
| Product | pom | parent-groupid | com.google.javascript | Low |
| Product | pom | parent-artifactid | closure-compiler-main | Medium |
| Product | pom | description | Closure Compiler is a JavaScript optimizing compiler. It parses your JavaScript, analyzes it, removes dead code and rewrites and minimizes what's left. It also checks syntax, variable references, and types, and warns about common JavaScript pitfalls. It is used in many of Google's JavaScript apps, including Gmail, Google Web Search, Google Maps, and Google Docs. | |
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.