Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 3.1.2
Report Generated On: May 26, 2019 at 07:26:57 +00:00
Dependencies Scanned: 400 (293 unique)
Vulnerable Dependencies: 42
Vulnerabilities Found: 147
Vulnerabilities Suppressed: 0
...
NVD CVE 2002: 16/05/2019 09:15:31
NVD CVE 2003: 24/05/2019 08:15:38
NVD CVE 2004: 16/05/2019 09:15:31
NVD CVE 2005: 24/05/2019 08:15:38
NVD CVE 2006: 23/05/2019 08:15:43
NVD CVE 2007: 25/05/2019 08:15:38
NVD CVE 2008: 25/05/2019 08:15:38
NVD CVE 2009: 24/05/2019 08:15:38
NVD CVE 2010: 24/05/2019 08:15:38
NVD CVE 2011: 23/05/2019 08:15:44
NVD CVE 2012: 25/05/2019 08:15:39
NVD CVE 2013: 25/05/2019 08:15:39
NVD CVE 2014: 25/05/2019 08:15:39
NVD CVE 2015: 25/05/2019 07:45:46
NVD CVE 2016: 25/05/2019 07:45:46
NVD CVE 2017: 25/05/2019 07:45:47
NVD CVE 2018: 25/05/2019 07:45:47
NVD CVE 2019: 25/05/2019 07:15:28
NVD CVE Checked: 26/05/2019 07:26:05
NVD CVE Modified: 26/05/2019 05:15:29
VersionCheckOn: 1557645553942

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	CPE	Coordinates	Highest Severity	CVE Count	CPE Confidence	Evidence Count
platform-ui-skin-5.3.x-SNAPSHOT.war		org.exoplatform.platform-ui:platform-ui-skin:5.3.x-SNAPSHOT		0		24
gwt-servlet-2.6.1.jar	cpe:/a:google:protobuf:2.5.0 cpe:/a:google:protobuf:2.6.1	com.google.gwt:gwt-servlet:2.6.1 ✓	Medium	1	Highest	27
smartgwt-lgpl-6.0-p20170514.jar	cpe:/a:widgets_project:widgets:6.0.p20170514	com.isomorphic.smartgwt.lgpl:smartgwt-lgpl:6.0-p20170514	Medium	1	Low	14
xwiki-platform-gwt-dom-6.0.jar	cpe:/a:xwiki:xwiki:6.0	org.xwiki.platform:xwiki-platform-gwt-dom:6.0	Low	1	Low	26
slf4j-api-1.7.18.jar		org.slf4j:slf4j-api:1.7.18 ✓		0		31
javax.inject-1.jar		javax.inject:javax.inject:1 ✓		0		20
commons-io-2.4.jar		commons-io:commons-io:2.4 ✓		0		36
jcommon-1.0.17.jar		org.jfree:jcommon:1.0.17 ✓		0		23
jfreechart-1.0.14.jar		org.jfree:jfreechart:1.0.14 ✓		0		25
velocity-1.7.jar		org.apache.velocity:velocity:1.7 ✓		0		33
velocity-tools-1.4.jar	cpe:/a:apache:struts:1.4	velocity-tools:velocity-tools:1.4 ✓		0	Low	19
commons-codec-1.10.jar		commons-codec:commons-codec:1.10 ✓		0		38
jackson-core-2.3.1.jar	cpe:/a:fasterxml:jackson:2.3.1	com.fasterxml.jackson.core:jackson-core:2.3.1 ✓		0	Low	37
jackson-annotations-2.3.0.jar	cpe:/a:fasterxml:jackson:2.3.0	com.fasterxml.jackson.core:jackson-annotations:2.3.0 ✓		0	Low	37
jackson-databind-2.3.1.jar	cpe:/a:fasterxml:jackson:2.3.1 cpe:/a:fasterxml:jackson-databind:2.3.1	com.fasterxml.jackson.core:jackson-databind:2.3.1 ✓	High	13	Highest	37
ezmorph-1.0.6.jar		net.sf.ezmorph:ezmorph:1.0.6 ✓		0		22
json-lib-2.4-jdk15.jar		com.hynnet:json-lib:2.4 ✓		0		15
commons-configuration-1.10.jar		commons-configuration:commons-configuration:1.10 ✓		0		36
commons-collections-3.2.2.jar	cpe:/a:apache:commons_collections:3.2.2	commons-collections:commons-collections:3.2.2 ✓		0	Low	40
commons-lang3-3.2.jar		org.apache.commons:commons-lang3:3.2 ✓		0		37
rome-1.0.jar		rome:rome:1.0 ✓		0		32
jdom-1.1.3.jar		org.jdom:jdom:1.1.3 ✓		0		44
commons-httpclient-3.1.jar	cpe:/a:apache:httpclient:3.1 cpe:/a:apache:commons-httpclient:3.1	commons-httpclient:commons-httpclient:3.1 ✓		0	Low	24
snuggletex-core-1.1.0.jar		uk.ac.ed.ph.snuggletex:snuggletex-core:1.1.0		0		18
batik-css-1.7.jar	cpe:/a:apache:batik:1.7	org.apache.xmlgraphics:batik-css:1.7 ✓	High	3	Highest	22
xmlgraphics-commons-1.3.1.jar		org.apache.xmlgraphics:xmlgraphics-commons:1.3.1 ✓		0		25
jeuclid-core-3.1.5.jar		net.sourceforge.jeuclid:jeuclid-core:3.1.5 ✓		0		22
snuggletex-jeuclid-1.1.0.jar		uk.ac.ed.ph.snuggletex:snuggletex-jeuclid:1.1.0		0		18
serializer-2.7.1.jar	cpe:/a:apache:xalan-java:2.7.1	xalan:serializer:2.7.1 ✓	High	1	Highest	26
xalan-2.7.1.jar	cpe:/a:apache:xalan-java:2.7.1	xalan:xalan:2.7.1 ✓	High	1	Highest	40
commons-lang-2.6.jar		org.netbeans.external:org-apache-commons-lang:RELEASE90 ✓		0		39
portlet-api-2.0.jar		javax.portlet:portlet-api:2.0 ✓		0		22
jcr-1.0.1.jar	cpe:/a:content_project:content:1.0.1	javax.jcr:jcr:1.0.1	Medium	1	Low	25
fontbox-1.8.14.jar	cpe:/a:apache:pdfbox:1.8.14	org.apache.pdfbox:fontbox:1.8.14 ✓	Medium	2	Highest	37
jempbox-1.8.14.jar	cpe:/a:apache:pdfbox:1.8.14	org.apache.pdfbox:jempbox:1.8.14 ✓	Medium	2	Highest	35
pdfbox-1.8.14.jar	cpe:/a:apache:pdfbox:1.8.14	org.apache.pdfbox:pdfbox:1.8.14 ✓	Medium	2	Highest	35
htmllexer-2.1.jar		org.htmlparser:htmllexer:2.1 ✓		0		23
htmlparser-2.1.jar		org.htmlparser:htmlparser:2.1 ✓		0		23
poi-3.13.jar	cpe:/a:apache:poi:3.13	org.apache.poi:poi:3.13 ✓	High	2	Highest	28
tika-core-1.5.jar	cpe:/a:apache:tika:1.5	org.apache.tika:tika-core:1.5 ✓	High	8	Highest	33
vorbis-java-core-0.1-tests.jar		org.gagravarr:vorbis-java-core:0.1 ✓		0		23
vorbis-java-tika-0.1.jar	cpe:/a:apache:tika:0.1	org.gagravarr:vorbis-java-tika:0.1 ✓	High	6	Highest	23
netcdf-4.2-min.jar		edu.ucar:netcdf:4.2-min ✓		0		21
apache-mime4j-core-0.7.2.jar	cpe:/a:apache:james:0.7.2	org.apache.james:apache-mime4j-core:0.7.2 ✓		0	Low	33
xz-1.2.jar	cpe:/a:tukaani:xz:1.2	org.tukaani:xz:1.2 ✓	Medium	1	Low	27
commons-compress-1.5.jar	cpe:/a:apache:commons-compress:1.5	org.apache.commons:commons-compress:1.5 ✓		0	Low	39
tagsoup-1.2.1.jar		org.ccil.cowan.tagsoup:tagsoup:1.2.1 ✓		0		18
asm-debug-all-4.1.jar		org.ow2.asm:asm-debug-all:4.1 ✓		0		28
isoparser-1.0-RC-1.jar	cpe:/a:boxes_project:boxes:7.x-1.0	com.googlecode.mp4parser:isoparser:1.0-RC-1 ✓	Low	1	Highest	24
xmpcore-5.1.2.jar		com.adobe.xmp:xmpcore:5.1.2 ✓		0		30
metadata-extractor-2.6.2.jar		com.drewnoakes:metadata-extractor:2.6.2 ✓		0		21
vorbis-java-core-0.1.jar		org.gagravarr:vorbis-java-core:0.1 ✓		0		21
juniversalchardet-1.0.3.jar		org.zenframework.z8.dependencies.commons:juniversalchardet-1.0.3:2.0 ✓		0		27
jhighlight-1.0.jar		com.uwyn:jhighlight:1.0 ✓		0		25
xmlbeans-2.6.0.jar		org.apache.xmlbeans:xmlbeans:2.6.0 ✓		0		24
exo.core.component.document-5.3.x-SNAPSHOT.jar		org.exoplatform.core:exo.core.component.document:5.3.x-SNAPSHOT		0		22
lucene-analyzers-3.6.2.jar		org.apache.lucene:lucene-analyzers:3.6.2 ✓		0		26
lucene-spellchecker-3.6.2.jar		org.apache.lucene:lucene-spellchecker:3.6.2 ✓		0		26
jta-1.1.jar		javax.transaction:transaction-api:1.1 ✓		0		22
concurrent-1.3.4.jar		concurrent:concurrent:1.3.4 ✓		0		23
jgroups-3.6.13.Final.jar		org.jgroups:jgroups:3.6.13.Final ✓		0		32
jbossjta-4.16.6.Final.jar		org.jboss.jbossts:jbossjta:4.16.6.Final ✓		0		22
ws-commons-util-1.0.1.jar	cpe:/a:ws_project:ws:1.0.1	ws-commons-util:ws-commons-util:1.0.1 ✓	Medium	1	Low	30
jboss-common-core-2.2.22.GA.jar		org.jboss:jboss-common-core:2.2.22.GA ✓		0		30
stringtemplate-3.2.1.jar		org.antlr:stringtemplate:3.2.1 ✓		0		23
antlr-runtime-3.5.jar		org.antlr:antlr-runtime:3.5 ✓		0		26
jboss-marshalling-osgi-2.0.0.Beta3.jar		org.jboss.marshalling:jboss-marshalling-osgi:2.0.0.Beta3 ✓		0		29
infinispan-core-8.2.6.Final.jar	cpe:/a:infinispan:infinispan:8.2.6	org.infinispan:infinispan-core:8.2.6.Final ✓	Medium	3	Highest	35
exo.jcr.component.core-5.3.x-SNAPSHOT.jar		org.exoplatform.jcr:exo.jcr.component.core:5.3.x-SNAPSHOT		0		22
jtidy-r938.jar	cpe:/a:html-tidy:tidy:-	net.sf.jtidy:jtidy:r938 ✓		0	Low	25
exo.core.component.xml-processing-5.3.x-SNAPSHOT.jar	cpe:/a:processing:processing:5.3	org.exoplatform.core:exo.core.component.xml-processing:5.3.x-SNAPSHOT		0	Low	22
exo.core.component.script.groovy-5.3.x-SNAPSHOT.jar		org.exoplatform.core:exo.core.component.script.groovy:5.3.x-SNAPSHOT		0		22
exo.jcr.component.ext-5.3.x-SNAPSHOT.jar		org.exoplatform.jcr:exo.jcr.component.ext:5.3.x-SNAPSHOT		0		22
xmlpull-1.1.3.1.jar		xmlpull:xmlpull:1.1.3.1 ✓		0		18
xpp3_min-1.1.4c.jar		xpp3:xpp3_min:1.1.4c ✓		0		24
xstream-1.4.10.jar	cpe:/a:xstream_project:xstream:1.4.10	com.thoughtworks.xstream:xstream:1.4.10 ✓	High	1	Highest	53
commons-webui-component-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-webui-component:5.3.x-SNAPSHOT		0		24
commons-webui-ext-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-webui-ext:5.3.x-SNAPSHOT		0		24
exo.kernel.component.cache-5.3.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.component.cache:5.3.x-SNAPSHOT		0		22
antlr-2.7.7.jar		antlr:antlr:2.7.7 ✓		0		18
hibernate-core-4.2.21.Final.jar		org.hibernate:hibernate-core:4.2.21.Final ✓		0		32
jakarta-regexp-1.4.jar		jakarta-regexp:jakarta-regexp:1.4 ✓		0		14
xpp3-1.1.6.jar		org.ogce:xpp3:1.1.6 ✓		0		24
exo.core.component.organization.api-5.3.x-SNAPSHOT.jar	cpe:/a:api-platform:core:5.3	org.exoplatform.core:exo.core.component.organization.api:5.3.x-SNAPSHOT		0	Low	22
commons-dbcp-1.4.jar		commons-dbcp:commons-dbcp:1.4 ✓		0		34
commons-pool-1.6.jar		commons-pool:commons-pool:1.6 ✓		0		36
exo.kernel.component.common-5.3.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.component.common:5.3.x-SNAPSHOT		0		22
exo.core.component.security.core-5.3.x-SNAPSHOT.jar		org.exoplatform.core:exo.core.component.security.core:5.3.x-SNAPSHOT		0		22
mime-util-2.1.3.jar		eu.medsea.mimeutil:mime-util:2.1.3 ✓		0		30
jcl-over-slf4j-1.7.18.jar		org.slf4j:jcl-over-slf4j:1.7.18 ✓		0		31
exo.kernel.commons-5.3.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.commons:5.3.x-SNAPSHOT		0		22
javax.servlet-api-3.0.1.jar		javax.servlet:javax.servlet-api:3.0.1 ✓		0		38
commons-beanutils-1.8.3.jar	cpe:/a:apache:commons_beanutils:1.8.3	commons-beanutils:commons-beanutils:1.8.3 ✓	High	1	Low	34
jibx-run-1.2.6.jar		org.jibx:jibx-run:1.2.6 ✓		0		29
cdi-api-1.0-SP4.jar		javax.enterprise:cdi-api:1.0-SP4 ✓		0		31
exo.kernel.container-5.3.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.container:5.3.x-SNAPSHOT		0		22
exo.portal.webui.core-5.3.x-SNAPSHOT.jar	cpe:/a:in-portal:in-portal:5.3	org.exoplatform.gatein.portal:exo.portal.webui.core:5.3.x-SNAPSHOT		0	Low	27
htmlcleaner-2.7.jar	cpe:/a:htmlcleaner_project:htmlcleaner:2.7	net.sourceforge.htmlcleaner:htmlcleaner:2.7 ✓		0	Low	20
xercesImpl-2.9.1.jar	cpe:/a:apache:xerces2_java:2.9.1	xerces:xercesImpl:2.9.1 ✓	High	1	Low	50
stax-utils-20070216.jar		net.java.dev.stax-utils:stax-utils:20070216 ✓		0		20
xwiki-commons-xml-5.4.7.jar	cpe:/a:xwiki:xwiki:5.4.7	org.xwiki.commons:xwiki-commons-xml:5.4.7	Low	1	Low	26
picocontainer-1.1.jar		picocontainer:picocontainer:1.1 ✓		0		28
wiki-renderer-5.3.x-SNAPSHOT.jar		org.exoplatform.wiki:wiki-renderer:5.3.x-SNAPSHOT		0		24
commons-chain-1.2.jar		commons-chain:commons-chain:1.2 ✓		0		34
commons-fileupload-1.3.3.jar	cpe:/a:apache:commons_fileupload:1.3.3	commons-fileupload:commons-fileupload:1.3.3 ✓		0	Low	40
activation-1.1.1.jar		javax.activation:activation:1.1.1 ✓		0		24
mail-1.4.7.jar	cpe:/a:sun:javamail:1.4.7	javax.mail:mail:1.4.7 ✓		0	Low	38
jsr311-api-1.1.1.jar		javax.ws.rs:jsr311-api:1.1.1 ✓		0		28
lucene-core-3.6.2.jar		org.apache.lucene:lucene-core:3.6.2 ✓		0		26
chromattic.api-1.3.0.jar		org.chromattic:chromattic.api:1.3.0 ✓		0		23
reflext.api-1.1.0.jar		org.reflext:reflext.api:1.1.0 ✓		0		23
reflext.core-1.1.0.jar		org.reflext:reflext.core:1.1.0 ✓		0		23
reflext.spi-1.1.0.jar		org.reflext:reflext.spi:1.1.0 ✓		0		25
reflext.apt-1.1.0.jar	cpe:/a:processing:processing:1.1.0	org.reflext:reflext.apt:1.1.0 ✓	Medium	1	Low	23
chromattic.apt-1.3.0.jar		org.chromattic:chromattic.apt:1.3.0 ✓		0		23
chromattic.common-1.3.0.jar		org.chromattic:chromattic.common:1.3.0 ✓		0		25
reflext.jlr-1.1.0.jar		org.reflext:reflext.jlr:1.1.0 ✓		0		23
chromattic.core-1.3.0.jar		org.chromattic:chromattic.core:1.3.0 ✓		0		23
chromattic.ext-1.3.0.jar		org.chromattic:chromattic.ext:1.3.0 ✓		0		25
chromattic.metamodel-1.3.0.jar		org.chromattic:chromattic.metamodel:1.3.0 ✓		0		23
chromattic.spi-1.3.0.jar		org.chromattic:chromattic.spi:1.3.0 ✓		0		25
exo.jcr.component.webdav-5.3.x-SNAPSHOT.jar		org.exoplatform.jcr:exo.jcr.component.webdav:5.3.x-SNAPSHOT		0		22
commons-digester-2.1.jar		commons-digester:commons-digester:2.1 ✓		0		34
exo.kernel.component.command-5.3.x-SNAPSHOT.jar		org.exoplatform.kernel:exo.kernel.component.command:5.3.x-SNAPSHOT		0		22
exo.ws.rest.core-5.3.x-SNAPSHOT.jar	cpe:/a:ws_project:ws:5.3	org.exoplatform.ws:exo.ws.rest.core:5.3.x-SNAPSHOT		0	Low	22
jboss-logging-annotations-1.2.0.Beta1.jar		org.jboss.logging:jboss-logging-annotations:1.2.0.Beta1 ✓		0		30
hibernate-commons-annotations-4.0.5.Final.jar		org.hibernate.common:hibernate-commons-annotations:4.0.5.Final ✓		0		30
log4j-1.2.17.jar	cpe:/a:apache:log4j:2.0:alpha1	log4j:log4j:1.2.17 ✓	High	1	High	36
stax-api-1.0-2.jar		javax.xml.stream:stax-api:1.0-2 ✓		0		20
jaxb-api-2.1.jar		javax.xml.bind:jaxb-api:2.1 ✓		0		15
jaxb-impl-2.1.8.jar		com.sun.xml.bind:jaxb-impl:2.1.8 ✓		0		20
picketlink-idm-core-1.4.6.Final.jar	cpe:/a:picketlink:picketlink:1.4.6	org.picketlink.idm:picketlink-idm-core:1.4.6.Final ✓	Medium	3	Low	37
nekohtml-1.9.22.jar		net.sourceforge.nekohtml:nekohtml:1.9.22 ✓		0		20
social-component-service-5.3.x-SNAPSHOT.jar		org.exoplatform.social:social-component-service:5.3.x-SNAPSHOT		0		26
itext-2.1.7.jar		com.lowagie:itext:2.1.7 ✓		0		23
validation-api-1.1.0.Final.jar		javax.validation:validation-api:1.1.0.Final ✓		0		22
sac-1.3.jar		org.w3c.css:sac:1.3 ✓		0		27
cssparser-0.9.18.jar		net.sourceforge.cssparser:cssparser:0.9.18 ✓		0		27
mchange-commons-java-0.2.3.4.jar		com.mchange:mchange-commons-java:0.2.3.4 ✓		0		19
c3p0-0.9.2.1.jar	cpe:/a:mchange:c3p0:0.9.2.1	com.mchange:c3p0:0.9.2.1 ✓	Medium	1	Highest	24
hibernate-c3p0-4.2.21.Final.jar		org.hibernate:hibernate-c3p0:4.2.21.Final ✓		0		32
exo.core.component.organization.jdbc-5.3.x-SNAPSHOT.jar		org.exoplatform.core:exo.core.component.organization.jdbc:5.3.x-SNAPSHOT		0		22
jrcs.rcs-0.4.2.jar		org.jvnet.hudson:org.suigeneris.jrcs.rcs:0.4.2 ✓		0		17
flying-saucer-core-9.0.8.jar		org.xhtmlrenderer:flying-saucer-core:9.0.8 ✓		0		21
xpp3-1.1.4c.jar		xpp3:xpp3:1.1.4c ✓		0		26
wiki-service-5.3.x-SNAPSHOT.jar		org.exoplatform.wiki:wiki-service:5.3.x-SNAPSHOT		0		24
common-common-2.2.2.Final.jar		org.gatein.common:common-common:2.2.2.Final ✓		0		31
exo.kernel.component.ext.cache.impl.infinispan.v8-5.3.x-SNAPSHOT.jar	cpe:/a:infinispan:infinispan:5.3.0	org.exoplatform.kernel:exo.kernel.component.ext.cache.impl.infinispan.v8:5.3.x-SNAPSHOT	Medium	3	Highest	22
exo.core.component.database-5.3.x-SNAPSHOT.jar		org.exoplatform.core:exo.core.component.database:5.3.x-SNAPSHOT		0		22
staxnav.core-0.9.8.jar		org.staxnav:staxnav.core:0.9.8 ✓		0		19
pc-portlet-5.3.x-SNAPSHOT.jar		org.exoplatform.gatein.pc:pc-portlet:5.3.x-SNAPSHOT		0		27
pc-federation-5.3.x-SNAPSHOT.jar		org.exoplatform.gatein.pc:pc-federation:5.3.x-SNAPSHOT		0		27
pc-bridge-5.3.x-SNAPSHOT.jar		org.exoplatform.gatein.pc:pc-bridge:5.3.x-SNAPSHOT		0		27
common-logging-2.2.2.Final.jar		org.gatein.common:common-logging:2.2.2.Final ✓		0		31
mop-api-1.3.2.Final.jar		org.gatein.mop:mop-api:1.3.2.Final		0		30
mop-spi-1.3.2.Final.jar		org.gatein.mop:mop-spi:1.3.2.Final		0		30
mop-core-1.3.2.Final.jar		org.gatein.mop:mop-core:1.3.2.Final		0		30
gatein-management-api-2.1.0.Final.jar		org.gatein.management:gatein-management-api:2.1.0.Final		0		28
gatein-management-spi-2.1.0.Final.jar		org.gatein.management:gatein-management-spi:2.1.0.Final		0		28
json-20070829.jar		org.json:json:20070829 ✓		0		23
closure-compiler-externs-v20170910.jar		com.google.javascript:closure-compiler-externs:v20170910 ✓		0		19
args4j-2.33.jar		args4j:args4j:2.33 ✓		0		24
error_prone_annotations-2.0.18.jar		com.google.errorprone:error_prone_annotations:2.0.18 ✓		0		23
guava-20.0.jar	cpe:/a:google:guava:20.0	com.google.guava:guava:20.0 ✓	Medium	1	Highest	29
gson-2.7.jar		com.google.code.gson:gson:2.7 ✓		0		33
jsinterop-annotations-1.0.0.jar		com.google.jsinterop:jsinterop-annotations:1.0.0 ✓		0		19
closure-compiler-v20170910.jar		com.google.javascript:closure-compiler:v20170910 ✓		0		13
twitter4j-core-3.0.5.jar	cpe:/a:twitter_project:twitter:3.0.5 cpe:/a:twitter:twitter:3.0.5	org.twitter4j:twitter4j-core:3.0.5 ✓		0	Low	22
scribe-1.3.5.jar	cpe:/a:scribe:scribe:1.3.5	org.scribe:scribe:1.3.5 ✓		0	Low	23
google-http-client-1.14.1-beta.jar		com.google.http-client:google-http-client:1.14.1-beta ✓		0		24
jsr305-1.3.9.jar		com.google.code.findbugs:jsr305:1.3.9 ✓		0		21
google-oauth-client-1.14.1-beta.jar		com.google.oauth-client:google-oauth-client:1.14.1-beta ✓		0		24
google-api-client-1.14.1-beta.jar		com.google.api-client:google-api-client:1.14.1-beta ✓		0		22
jackson-core-asl-1.9.11.jar	cpe:/a:fasterxml:jackson:1.9.11	org.codehaus.jackson:jackson-core-asl:1.9.11 ✓		0	Low	32
google-http-client-jackson-1.14.1-beta.jar		com.google.http-client:google-http-client-jackson:1.14.1-beta ✓		0		22
google-api-services-plus-v1-rev69-1.14.2-beta.jar		com.google.apis:google-api-services-plus:v1-rev69-1.14.2-beta ✓		0		26
google-api-services-oauth2-v2-rev36-1.14.2-beta.jar		com.google.apis:google-api-services-oauth2:v2-rev36-1.14.2-beta ✓		0		26
groovy-all-2.4.12.jar	cpe:/a:apache:groovy:2.4.12	org.codehaus.groovy:groovy-all:2.4.12 ✓		0	Low	36
aopalliance-1.0.jar		aopalliance:aopalliance:1.0 ✓		0		20
guice-3.0.jar		com.google.inject:guice:3.0 ✓		0		29
joda-time-2.4.jar		joda-time:joda-time:2.4 ✓		0		34
oauth-20100527.jar		net.oauth.core:oauth:20100527 ✓		0		18
ehcache-core-2.6.9.jar		net.sf.ehcache:ehcache-core:2.6.9 ✓		0		19
juel-impl-2.2.7.jar		de.odysseus.juel:juel-impl:2.2.7 ✓		0		26
el-api-6.0.41.jar	cpe:/a:apache_tomcat:apache_tomcat:6.0.41 cpe:/a:apache:tomcat:6.0.41 cpe:/a:apache_software_foundation:tomcat:6.0.41	org.apache.tomcat:el-api:6.0.41 ✓	High	22	Highest	19
jasper-el-6.0.41.jar	cpe:/a:apache_tomcat:apache_tomcat:6.0.41 cpe:/a:apache:tomcat:6.0.41 cpe:/a:apache_software_foundation:tomcat:6.0.41 cpe:/a:jasper_project:jasper:6.0.41	org.apache.tomcat:jasper-el:6.0.41 ✓	High	22	Highest	21
shindig-common-2.5.2.jar	cpe:/a:apache:shindig:2.5.2	org.apache.shindig:shindig-common:2.5.2 ✓		0	Low	26
filters-2.0.235.jar	cpe:/a:image_processing_software:image_processing_software:2.0.235 cpe:/a:processing:processing:2.0.235	com.jhlabs:filters:2.0.235 ✓	Medium	2	Low	22
simplecaptcha-1.1.1.Final-gatein-4.jar		org.gatein.captcha:simplecaptcha:1.1.1.Final-gatein-4		0		27
gatein-api-1.0.1.Final.jar		org.gatein.api:gatein-api:1.0.1.Final ✓		0		29
icu4j-56.1.jar	cpe:/a:icu-project:international_components_for_unicode:56.1::~~~c%2fc%2b%2b~~	com.ibm.icu:icu4j:56.1 ✓	High	8	Highest	33
commons-component-product-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-component-product:5.3.x-SNAPSHOT		0		28
commons-component-upgrade-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-component-upgrade:5.3.x-SNAPSHOT		0		24
social-component-common-5.3.x-SNAPSHOT.jar		org.exoplatform.social:social-component-common:5.3.x-SNAPSHOT		0		26
pc-api-5.3.x-SNAPSHOT.jar		org.exoplatform.gatein.pc:pc-api:5.3.x-SNAPSHOT		0		27
caja-r5054.jar		com.google.caja:caja:r5054		0		23
htmlparser-r4209.jar		caja:htmlparser:r4209		0		24
oauth-consumer-20090617.jar		net.oauth.core:oauth-consumer:20090617		0		17
oauth-httpclient4-20090913.jar		net.oauth.core:oauth-httpclient4:20090913		0		20
oauth-provider-20100527.jar		net.oauth.core:oauth-provider:20100527 ✓		0		18
guice-multibindings-3.0.jar		com.google.inject.extensions:guice-multibindings:3.0 ✓		0		29
sanselan-0.97-incubator.jar		org.apache.sanselan:sanselan:0.97-incubator ✓		0		35
social-component-core-5.3.x-SNAPSHOT.jar		org.exoplatform.social:social-component-core:5.3.x-SNAPSHOT		0		26
social-component-webui-5.3.x-SNAPSHOT.jar		org.exoplatform.social:social-component-webui:5.3.x-SNAPSHOT		0		26
flying-saucer-pdf-9.0.8.jar		org.xhtmlrenderer:flying-saucer-pdf:9.0.8 ✓		0		23
bcmail-jdk15-1.45.jar	cpe:/a:no-cms_project:no-cms:1.45	org.bouncycastle:bcmail-jdk15:1.45 ✓		0	Low	24
bcprov-jdk15-1.45.jar	cpe:/a:bouncycastle:bouncy-castle-crypto-package:1.45 cpe:/a:bouncycastle:bouncy_castle_crypto_package:1.45	org.bouncycastle:bcprov-jdk15:1.45 ✓	Medium	1	Low	24
bctsp-jdk15-1.45.jar		org.bouncycastle:bctsp-jdk15:1.45 ✓		0		24
jsr250-api-1.0.jar		javax.annotation:jsr250-api:1.0 ✓		0		20
bayeux-api-3.0.8.jar		org.cometd.java:bayeux-api:3.0.8 ✓		0		29
cometd-java-common-3.0.8.jar		org.cometd.java:cometd-java-common:3.0.8 ✓		0		29
cometd-java-websocket-javax-server-3.0.8.jar		org.cometd.java:cometd-java-websocket-javax-server:3.0.8 ✓		0		29
cometd-java-websocket-common-server-3.0.8.jar		org.cometd.java:cometd-java-websocket-common-server:3.0.8 ✓		0		29
cometd-java-annotations-3.0.8.jar		org.cometd.java:cometd-java-annotations:3.0.8 ✓		0		29
jetty-io-9.2.14.v20151106.jar		org.eclipse.jetty:jetty-io:9.2.14.v20151106 ✓		0		35
cometd-java-client-3.0.8.jar		org.cometd.java:cometd-java-client:3.0.8 ✓		0		29
cometd-java-websocket-common-client-3.0.8.jar		org.cometd.java:cometd-java-websocket-common-client:3.0.8 ✓		0		29
cometd-java-websocket-javax-client-3.0.8.jar		org.cometd.java:cometd-java-websocket-javax-client:3.0.8 ✓		0		29
cometd-java-oort-3.0.8.jar		org.cometd.java:cometd-java-oort:3.0.8 ✓		0		29
jetty-jmx-9.2.14.v20151106.jar	cpe:/a:jetty:jetty:9.2.14.v20151106 cpe:/a:eclipse:jetty:9.2.14.v20151106	org.eclipse.jetty:jetty-jmx:9.2.14.v20151106 ✓	High	4	Low	37
cometd-java-server-3.0.8.jar		org.cometd.java:cometd-java-server:3.0.8 ✓		0		29
commons-comet-service-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-comet-service:5.3.x-SNAPSHOT		0		24
aspectjrt-1.8.8.jar		org.aspectj:aspectjrt:1.8.8 ✓		0		21
c3p0-0.9.1.1.jar	cpe:/a:mchange:c3p0:0.9.1.1	c3p0:c3p0:0.9.1.1 ✓	Medium	1	Highest	23
quartz-2.2.2.jar		org.quartz-scheduler:quartz:2.2.2 ✓		0		43
owasp-java-html-sanitizer-20160413.1.jar	cpe:/a:owasp-java-html-sanitizer_project:owasp-java-html-sanitizer:20160413.1	com.googlecode.owasp-java-html-sanitizer:owasp-java-html-sanitizer:20160413.1 ✓		0	Low	21
jrcs.diff-0.4.2.jar		org.jvnet.hudson:org.suigeneris.jrcs.diff:0.4.2 ✓		0		17
ecs-1.4.2.jar		ecs:ecs:1.4.2 ✓		0		14
liquibase-core-3.4.2.jar		org.liquibase:liquibase-core:3.4.2 ✓		0		19
stax2-api-3.1.4.jar		org.codehaus.woodstox:stax2-api:3.1.4 ✓		0		29
jackson-dataformat-xml-2.4.2.jar	cpe:/a:fasterxml:jackson-databind:2.4.2 cpe:/a:fasterxml:jackson:2.4.2	com.fasterxml.jackson.dataformat:jackson-dataformat-xml:2.4.2 ✓	High	13	Highest	37
swagger-annotations-1.5.0.jar		io.swagger:swagger-annotations:1.5.0 ✓		0		24
swagger-models-1.5.0.jar		io.swagger:swagger-models:1.5.0 ✓		0		24
swagger-core-1.5.0.jar		io.swagger:swagger-core:1.5.0 ✓		0		17
annotations-2.0.1.jar		com.google.code.findbugs:annotations:2.0.1 ✓		0		23
reflections-0.9.9.jar		org.reflections:reflections:0.9.9 ✓		0		19
swagger-jaxrs-1.5.0.jar		io.swagger:swagger-jaxrs:1.5.0 ✓		0		17
commons-component-common-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-component-common:5.3.x-SNAPSHOT		0		24
wiki-macros-iframe-5.3.x-SNAPSHOT.jar		org.exoplatform.wiki:wiki-macros-iframe:5.3.x-SNAPSHOT		0		24
wci-wci-5.3.x-SNAPSHOT.jar		org.exoplatform.gatein.wci:wci-wci:5.3.x-SNAPSHOT		0		27
jython-standalone-2.5.4-rc1.jar	cpe:/a:jython_project:jython:2.5.4.rc1	org.python:jython-standalone:2.5.4-rc1 ✓		0	Low	10
pygments-1.6.jar	cpe:/a:pygments:pygments:1.6	org.pygments:pygments:1.6 ✓	High	1	Highest	18
jdom2-2.0.5.jar		org.jdom:jdom2:2.0.5 ✓		0		43
wiki-webui-5.3.x-SNAPSHOT.jar		org.exoplatform.wiki:wiki-webui:5.3.x-SNAPSHOT		0		24
json-simple-1.1.1.jar		com.googlecode.json-simple:json-simple:1.1.1 ✓		0		23
httpcore-4.3.3.jar		org.apache.httpcomponents:httpcore:4.3.3 ✓		0		32
commons-logging-1.1.3.jar		commons-logging:commons-logging:1.1.3 ✓		0		36
httpclient-4.3.6.jar	cpe:/a:apache:httpclient:4.3.6	org.apache.httpcomponents:httpclient:4.3.6 ✓		0	Low	32
commons-search-5.3.x-SNAPSHOT.jar	cpe:/a:pro_search:pro_search:5.3	org.exoplatform.commons:commons-search:5.3.x-SNAPSHOT		0	Low	24
commons-api-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-api:5.3.x-SNAPSHOT		0		24
commons-file-storage-5.3.x-SNAPSHOT.jar		org.exoplatform.commons:commons-file-storage:5.3.x-SNAPSHOT		0		26
jboss-logging-3.3.0.Final.jar		org.jboss.logging:jboss-logging:3.3.0.Final ✓		0		44
dom4j-1.6.1.jar	cpe:/a:dom4j_project:dom4j:1.6.1	dom4j:dom4j:1.6.1 ✓	Medium	1	Highest	31
javassist-3.20.0-GA.jar		org.javassist:javassist:3.20.0-GA ✓		0		27
jboss-transaction-api_1.1_spec-1.0.1.Final.jar		org.jboss.spec.javax.transaction:jboss-transaction-api_1.1_spec:1.0.1.Final ✓		0		38
hibernate-jpa-2.0-api-1.0.1.Final.jar		org.hibernate.javax.persistence:hibernate-jpa-2.0-api:1.0.1.Final ✓		0		26
hibernate-entitymanager-4.2.21.Final.jar		org.hibernate:hibernate-entitymanager:4.2.21.Final ✓		0		32
wiki-jpa-5.3.x-SNAPSHOT.jar		org.exoplatform.wiki:wiki-jpa:5.3.x-SNAPSHOT		0		24
wiki-jpa-migration-5.3.x-SNAPSHOT.jar		org.exoplatform.wiki:wiki-jpa-migration:5.3.x-SNAPSHOT		0		24
commons-lang3-3.3.2.jar		org.apache.commons:commons-lang3:3.3.2 ✓		0		37
gwt-user-2.6.1.jar	cpe:/a:user_project:user:2.6.1	com.google.gwt:gwt-user:2.6.1 ✓		0	Low	20
jdom-1.0.jar		jdom:jdom:1.0 ✓		0		33
modules-0.3.2.jar		rome:modules:0.3.2 ✓		0		24
protobuf-java-3.0.2.jar	cpe:/a:google:protobuf:3.0.2	com.google.protobuf:protobuf-java:3.0.2 ✓	Medium	1	Highest	29
geronimo-stax-api_1.0_spec-1.0.1.jar		org.apache.geronimo.specs:geronimo-stax-api_1.0_spec:1.0.1 ✓		0		26
xml-apis-1.0.b2.jar		xml-apis:xml-apis:1.0.b2 ✓		0		37
xml-apis-1.4.01.jar		xml-apis:xml-apis:1.4.01 ✓		0		49
jmock-1.0.1.jar		jmock:jmock:1.0.1 ✓		0		14
jsr305-3.0.1.jar		com.google.code.findbugs:jsr305:3.0.1 ✓		0		23
jackson-core-2.4.2.jar	cpe:/a:fasterxml:jackson:2.4.2	com.fasterxml.jackson.core:jackson-core:2.4.2 ✓		0	Low	37
jackson-annotations-2.4.0.jar	cpe:/a:fasterxml:jackson:2.4.0	com.fasterxml.jackson.core:jackson-annotations:2.4.0 ✓		0	Low	37
commons-logging-1.0.4.jar		commons-logging:commons-logging:1.0.4 ✓		0		26
smartgwt-lgpl-6.0-p20170514.jar: isomorphic_applets.jar				0		9
ehcache-core-2.6.9.jar: sizeof-agent.jar		net.sf.ehcache:sizeof-agent:1.0.1		0		26
jython-standalone-2.5.4-rc1.jar: jline64.dll				0		4
jython-standalone-2.5.4-rc1.jar: jline32.dll				0		4
jython-standalone-2.5.4-rc1.jar: wininst-7.1.exe				0		4
jython-standalone-2.5.4-rc1.jar: wininst-6.exe				0		4
jython-standalone-2.5.4-rc1.jar: jffi-1.0.dll				0		4
jython-standalone-2.5.4-rc1.jar: jffi-1.0.dll				0		4
jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling/pom.xml		org.jboss.marshalling:jboss-marshalling:2.0.0.Beta3		0		13
jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-river/pom.xml		org.jboss.marshalling:jboss-marshalling-river:2.0.0.Beta3		0		13
jboss-marshalling-osgi-2.0.0.Beta3.jar/META-INF/maven/org.jboss.marshalling/jboss-marshalling-serial/pom.xml		org.jboss.marshalling:jboss-marshalling-serial:2.0.0.Beta3		0		13
closure-compiler-v20170910.jar/META-INF/maven/com.google.javascript/closure-compiler/pom.xml	cpe:/a:google:gmail:-	com.google.javascript:closure-compiler:v20170910	Medium	1	Low	15
jackson-dataformat-yaml-2.4.2.jar/META-INF/maven/com.fasterxml.jackson.dataformat/jackson-dataformat-yaml/pom.xml	cpe:/a:fasterxml:jackson:2.4.2	com.fasterxml.jackson.dataformat:jackson-dataformat-yaml:2.4.2		0	Low	16
jackson-dataformat-yaml-2.4.2.jar/META-INF/maven/org.yaml/snakeyaml/pom.xml		org.yaml:snakeyaml:1.12		0		11
jython-standalone-2.5.4-rc1.jar/META-INF/maven/jline/jline/pom.xml		jline:jline:0.9.95-SNAPSHOT		0		11
jython-standalone-2.5.4-rc1.jar/META-INF/maven/org.antlr/antlr-runtime/pom.xml		org.antlr:antlr-runtime:3.1.3		0		15
jython-standalone-2.5.4-rc1.jar/META-INF/maven/org.jruby.ext.posix/jnr-posix/pom.xml	cpe:/a:jruby:jruby:1.1.4	org.jruby.ext.posix:jnr-posix:1.1.4	High	3	Highest	9
jython-standalone-2.5.4-rc1.jar/META-INF/maven/org.jruby.extras/constantine/pom.xml	cpe:/a:values_project:values:0.7	org.jruby.extras:constantine:0.7		0	Low	11
jython-standalone-2.5.4-rc1.jar/META-INF/maven/org.jruby.extras/jaffl/pom.xml		org.jruby.extras:jaffl:0.5.1		0		11
jython-standalone-2.5.4-rc1.jar/META-INF/maven/org.jruby.extras/jffi/pom.xml	cpe:/a:jruby:jruby:1.0.1	org.jruby.extras:jffi:1.0.1	High	3	Highest	11
jython-standalone-2.5.4-rc1.jar/META-INF/maven/org.jruby.extras/jnr-netdb/pom.xml		org.jruby.extras:jnr-netdb:0.4		0		11

Dependencies

platform-ui-skin-5.3.x-SNAPSHOT.war

File Path: /home/ciagent/.m2/repository/org/exoplatform/platform-ui/platform-ui-skin/5.3.x-SNAPSHOT/platform-ui-skin-5.3.x-SNAPSHOT.war
MD5: 27ec72c7e2b3d00395a6ffd4cee60748
SHA1: 995106fdac815a895ae87f40050a61e4cbb8d3fa
Referenced In Project/Scope: eXo PLF:: Wiki Webapp:provided

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.exoplatform.platform-ui	Highest
Vendor	file	name	platform-ui-skin	High
Vendor	pom	artifactid	platform-ui-skin	Low
Vendor	Manifest	date	2019-05-24T09:49:10Z	Low
Vendor	Manifest	specification-vendor	eXo Platform SAS	Low
Vendor	Manifest	implementation-url	https://projects.exoplatform.org/platform-ui/platform-ui-skin	Low
Vendor	pom	parent-artifactid	platform-ui	Low
Vendor	Manifest	Implementation-Vendor	eXo Platform SAS	High
Vendor	pom	parent-groupid	org.exoplatform.platform-ui	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.exoplatform.platform-ui	Medium
Vendor	pom	groupid	exoplatform.platform-ui	Highest
Vendor	pom	name	eXo PLF:: Platform UI - Skin	High
Product	Manifest	Implementation-Title	eXo PLF:: Platform UI - Skin	High
Product	file	name	platform-ui-skin	High
Product	Manifest	date	2019-05-24T09:49:10Z	Low
Product	Manifest	specification-title	eXo PLF:: Platform UI - Skin	Medium
Product	pom	parent-artifactid	platform-ui	Medium
Product	pom	artifactid	platform-ui-skin	Highest
Product	pom	groupid	exoplatform.platform-ui	Low
Product	pom	parent-groupid	org.exoplatform.platform-ui	Low
Product	Manifest	implementation-url	https://projects.exoplatform.org/platform-ui/platform-ui-skin	Low
Product	pom	name	eXo PLF:: Platform UI - Skin	High
Version	file	version	5.3	Highest
Version	Manifest	Implementation-Version	5.3.x-SNAPSHOT	High

Identifiers

maven: org.exoplatform.platform-ui:platform-ui-skin:5.3.x-SNAPSHOT Confidence:High

gwt-servlet-2.6.1.jar

Description: Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.

License:

New BSD license: http://www.opensource.org/licenses/bsd-license.php

File Path: /home/ciagent/.m2/repository/com/google/gwt/gwt-servlet/2.6.1/gwt-servlet-2.6.1.jar
MD5: 46fa19a4859520cdf86c083e4c4519a4
SHA1: 983e26ec957ee3463f8554f4f03a58e16129e8f2
Referenced In Projects/Scopes:

eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	Protocol Buffer Java API	High
Vendor	pom	parent-artifactid	google	Low
Vendor	jar	package name	google	Low
Vendor	jar	package name	gwt	Low
Vendor	pom	groupid	com.google.gwt	Highest
Vendor	central	groupid	com.google.gwt	Highest
Vendor	pom	artifactid	protobuf-java	Low
Vendor	pom	url	http://code.google.com/p/protobuf	Highest
Vendor	pom	description	Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.	Low
Vendor	pom	parent-groupid	com.google	Medium
Vendor	file	name	gwt-servlet	High
Vendor	pom	groupid	google.protobuf	Highest
Product	pom	name	Protocol Buffer Java API	High
Product	pom	parent-artifactid	google	Medium
Product	pom	url	http://code.google.com/p/protobuf	Medium
Product	pom	artifactid	gwt-servlet	Highest
Product	pom	description	Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.	Low
Product	central	artifactid	gwt-servlet	Highest
Product	file	name	gwt-servlet	High
Product	pom	groupid	google.protobuf	Low
Product	pom	parent-groupid	com.google	Low
Product	jar	package name	gwt	Low
Product	pom	artifactid	protobuf-java	Highest
Version	pom	version	2.5.0	Highest
Version	central	version	2.6.1	Highest
Version	file	version	2.6.1	Highest
Version	pom	version	2.6.1	Highest

Identifiers

cpe: cpe:/a:google:protobuf:2.5.0 Confidence:Highest
maven: com.google.protobuf:protobuf-java:2.5.0 Confidence:High
cpe: cpe:/a:google:protobuf:2.6.1 Confidence:Highest
maven: com.google.gwt:gwt-servlet:2.6.1 ✓ Confidence:Highest

Published Vulnerabilities

CVE-2015-5237

Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer

protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.

Vulnerable Software & Versions: (show all)

smartgwt-lgpl-6.0-p20170514.jar

File Path: /home/ciagent/.m2/repository/com/isomorphic/smartgwt/lgpl/smartgwt-lgpl/6.0-p20170514/smartgwt-lgpl-6.0-p20170514.jar
MD5: feef4d7601d4e2ca9cfdaa5315eb17c6
SHA1: b27485a980eca557785290c25f15349075e077b7
Referenced In Project/Scope: eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	smartgwt-lgpl	Low
Vendor	jar	package name	widgets	Low
Vendor	pom	groupid	isomorphic.smartgwt.lgpl	Highest
Vendor	jar	package name	client	Low
Vendor	pom	groupid	com.isomorphic.smartgwt.lgpl	Highest
Vendor	jar	package name	smartgwt	Low
Vendor	file	name	smartgwt-lgpl	High
Product	pom	groupid	isomorphic.smartgwt.lgpl	Low
Product	jar	package name	widgets	Low
Product	pom	artifactid	smartgwt-lgpl	Highest
Product	jar	package name	client	Low
Product	file	name	smartgwt-lgpl	High
Version	pom	version	6.0-p20170514	Highest
Version	file	version	6.0.p20170514	Highest

Identifiers

maven: com.isomorphic.smartgwt.lgpl:smartgwt-lgpl:6.0-p20170514 Confidence:High
cpe: cpe:/a:widgets_project:widgets:6.0.p20170514 Confidence:Low

Published Vulnerabilities

CVE-2015-6737

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

Cross-site scripting (XSS) vulnerability in the Widgets extension for MediaWiki allows remote attackers to inject arbitrary web script or HTML via vectors involving base64 encoded content.

BID - 76858
FEDORA - FEDORA-2015-13920
GENTOO - GLSA-201510-05
MLIST - [MediaWiki-announce] 20150810 MediaWiki Security and Maintenance Releases: 1.25.2, 1.24.3, 1.23.10
MLIST - [oss-security] 20150812 CVE Request: MediaWiki 1.25.2, 1.24.3, 1.23.10
MLIST - [oss-security] 20150827 Re: CVE Request: MediaWiki 1.25.2, 1.24.3, 1.23.10

Vulnerable Software & Versions:

cpe:/a:widgets_project:widgets:-::~~~mediawiki~~

xwiki-platform-gwt-dom-6.0.jar

Description: An extension of the GWT DOM API, providing W3C Range and Selection support, depth-first pre-order iterator and lots of DOM utility methods

License:

http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

File Path: /home/ciagent/.m2/repository/org/xwiki/platform/xwiki-platform-gwt-dom/6.0/xwiki-platform-gwt-dom-6.0.jar
MD5: a032bb06ae3b65d4eb77611b87c9870c
SHA1: 06b7a3ce91be3c3ae2878c1ee4811f74a7d50df0
Referenced In Project/Scope: eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	XWiki Platform - GWT - DOM API	High
Vendor	pom	description	An extension of the GWT DOM API, providing W3C Range and Selection support, depth-first pre-order iterator and lots of DOM utility methods	Low
Vendor	Manifest	bundle-docurl	http://xwiki.org/	Low
Vendor	pom	groupid	org.xwiki.platform	Highest
Vendor	pom	parent-artifactid	xwiki-platform-gwt	Low
Vendor	manifest	Bundle-Description	An extension of the GWT DOM API, providing W3C Range and Selection support, depth-first pre-order iterator and lots of DOM utility methods	Low
Vendor	pom	groupid	xwiki.platform	Highest
Vendor	file	name	xwiki-platform-gwt-dom	High
Vendor	pom	parent-groupid	org.xwiki.platform	Medium
Vendor	pom	artifactid	xwiki-platform-gwt-dom	Low
Vendor	Manifest	xwiki-extension-id	org.xwiki.platform:xwiki-platform-gwt-dom	Low
Vendor	Manifest	bundle-symbolicname	org.xwiki.platform.xwiki-platform-gwt-dom	Medium
Product	pom	name	XWiki Platform - GWT - DOM API	High
Product	pom	description	An extension of the GWT DOM API, providing W3C Range and Selection support, depth-first pre-order iterator and lots of DOM utility methods	Low
Product	Manifest	bundle-docurl	http://xwiki.org/	Low
Product	Manifest	Bundle-Name	XWiki Platform - GWT - DOM API	Medium
Product	manifest	Bundle-Description	An extension of the GWT DOM API, providing W3C Range and Selection support, depth-first pre-order iterator and lots of DOM utility methods	Low
Product	pom	artifactid	xwiki-platform-gwt-dom	Highest
Product	pom	parent-groupid	org.xwiki.platform	Low
Product	pom	parent-artifactid	xwiki-platform-gwt	Medium
Product	pom	groupid	xwiki.platform	Low
Product	file	name	xwiki-platform-gwt-dom	High
Product	Manifest	xwiki-extension-id	org.xwiki.platform:xwiki-platform-gwt-dom	Low
Product	Manifest	bundle-symbolicname	org.xwiki.platform.xwiki-platform-gwt-dom	Medium
Version	file	version	6.0	Highest
Version	pom	version	6.0	Highest

Related Dependencies

xwiki-platform-wysiwyg-client-6.0.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/platform/xwiki-platform-wysiwyg-client/6.0/xwiki-platform-wysiwyg-client-6.0.jar
- SHA1: f02c454a697e75f0b6de88115550d2cca40c0e1c
- MD5: eb12e1be531e918d93c41b582fbf00d2
xwiki-platform-gwt-user-6.0.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/platform/xwiki-platform-gwt-user/6.0/xwiki-platform-gwt-user-6.0.jar
- SHA1: f3b7238adabafddea4d56dc7dd747458a87402e8
- MD5: 5c1cefee278ba00dcc6d3459917b6c34
xwiki-platform-wysiwyg-plugin-api-6.0.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/platform/xwiki-platform-wysiwyg-plugin-api/6.0/xwiki-platform-wysiwyg-plugin-api-6.0.jar
- SHA1: fd3188b8ec923b14b83fdd4215d3a15234e2174a
- MD5: cba6f3dd0dd57547cfe4eae23a9496da

Identifiers

cpe: cpe:/a:xwiki:xwiki:6.0 Confidence:Low
maven: org.xwiki.platform:xwiki-platform-gwt-dom:6.0 Confidence:High

Published Vulnerabilities

CVE-2018-16277

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Image Import function in XWiki through 10.7 has XSS.

MISC - https://mksec.tk/index.php/2018/09/27/cve-2018-16277-xss-in-xwiki/

Vulnerable Software & Versions:

cpe:/a:xwiki:xwiki:10.7 and all previous versions

slf4j-api-1.7.18.jar

Description: The slf4j API

File Path: /home/ciagent/.m2/repository/org/slf4j/slf4j-api/1.7.18/slf4j-api-1.7.18.jar
MD5: 1b1d1af21206ac5ae44cd79a6c04dd92
SHA1: b631d286463ced7cc42ee2171fe3beaed2836823
Referenced In Projects/Scopes:

eXo PLF:: Wiki Macros Iframe:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	SLF4J API Module	High
Vendor	pom	parent-groupid	org.slf4j	Medium
Vendor	pom	url	http://www.slf4j.org	Highest
Vendor	file	name	slf4j-api	High
Vendor	pom	groupid	slf4j	Highest
Vendor	manifest	Bundle-Description	The slf4j API	Medium
Vendor	pom	parent-artifactid	slf4j-parent	Low
Vendor	central	groupid	org.slf4j	Highest
Vendor	pom	artifactid	slf4j-api	Low
Vendor	Manifest	bundle-symbolicname	slf4j.api	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	pom	groupid	org.slf4j	Highest
Vendor	pom	description	The slf4j API	Medium
Product	pom	name	SLF4J API Module	High
Product	pom	groupid	slf4j	Low
Product	pom	url	http://www.slf4j.org	Medium
Product	file	name	slf4j-api	High
Product	central	artifactid	slf4j-api	Highest
Product	pom	artifactid	slf4j-api	Highest
Product	manifest	Bundle-Description	The slf4j API	Medium
Product	pom	parent-artifactid	slf4j-parent	Medium
Product	Manifest	bundle-symbolicname	slf4j.api	Medium
Product	Manifest	Implementation-Title	slf4j-api	High
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	Bundle-Name	slf4j-api	Medium
Product	pom	parent-groupid	org.slf4j	Low
Product	pom	description	The slf4j API	Medium
Version	central	version	1.7.18	Highest
Version	pom	version	1.7.18	Highest
Version	Manifest	Implementation-Version	1.7.18	High
Version	file	version	1.7.18	Highest

Identifiers

maven: org.slf4j:slf4j-api:1.7.18 ✓ Confidence:Highest

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Projects/Scopes:

eXo PLF:: Wiki Macros Iframe:compile
eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	javax.inject	Low
Vendor	pom	groupid	javax.inject	Highest
Vendor	pom	name	javax.inject	High
Vendor	central	groupid	javax.inject	Highest
Vendor	jar	package name	javax	Low
Vendor	file	name	javax.inject-1	High
Vendor	pom	url	http://code.google.com/p/atinject/	Highest
Vendor	pom	description	The javax.inject API	Medium
Vendor	jar	package name	inject	Low
Product	central	artifactid	javax.inject	Highest
Product	pom	artifactid	javax.inject	Highest
Product	pom	name	javax.inject	High
Product	pom	groupid	javax.inject	Low
Product	file	name	javax.inject-1	High
Product	pom	description	The javax.inject API	Medium
Product	pom	url	http://code.google.com/p/atinject/	Medium
Product	jar	package name	inject	Low
Version	file	version	1	Medium
Version	pom	version	1	Highest
Version	central	version	1	Highest

Identifiers

maven: javax.inject:javax.inject:1 ✓ Confidence:Highest

commons-io-2.4.jar

Description: The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/commons-io/commons-io/2.4/commons-io-2.4.jar
MD5: 7f97854dc04c119d461fed14f5d8bb96
SHA1: b1b6ea3b7e4aa4f492509a4952029cd8e48019ad
Referenced In Projects/Scopes:

eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	artifactid	commons-io	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	Manifest	implementation-build	tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400	Low
Vendor	central	groupid	commons-io	Highest
Vendor	pom	name	Commons IO	High
Vendor	pom	groupid	commons-io	Highest
Vendor	pom	url	http://commons.apache.org/io/	Highest
Vendor	Manifest	bundle-symbolicname	org.apache.commons.io	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	manifest	Bundle-Description	The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.	Low
Vendor	file	name	commons-io	High
Vendor	pom	description	The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.	Low
Vendor	Manifest	bundle-docurl	http://commons.apache.org/io/	Low
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	url	http://commons.apache.org/io/	Medium
Product	pom	groupid	commons-io	Low
Product	Manifest	implementation-build	tags/2.4-RC2@r1349569; 2012-06-12 18:18:20-0400	Low
Product	Manifest	Bundle-Name	Commons IO	Medium
Product	pom	name	Commons IO	High
Product	Manifest	bundle-symbolicname	org.apache.commons.io	Medium
Product	central	artifactid	commons-io	Highest
Product	manifest	Bundle-Description	The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.	Low
Product	file	name	commons-io	High
Product	pom	parent-groupid	org.apache.commons	Low
Product	pom	description	The Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.	Low
Product	pom	artifactid	commons-io	Highest
Product	Manifest	specification-title	Commons IO	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/io/	Low
Product	Manifest	Implementation-Title	Commons IO	High
Version	file	version	2.4	Highest
Version	central	version	2.4	Highest
Version	pom	version	2.4	Highest
Version	Manifest	Implementation-Version	2.4	High

Identifiers

maven: commons-io:commons-io:2.4 ✓ Confidence:Highest

jcommon-1.0.17.jar

Description: JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt

File Path: /home/ciagent/.m2/repository/org/jfree/jcommon/1.0.17/jcommon-1.0.17.jar
MD5: d123cd511e2ebc4542e8b424cd20bbde
SHA1: 7bcb68fde08258e59fe7bcc758c08af830fb2c1d
Referenced In Projects/Scopes:

eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	JCommon	High
Vendor	pom	artifactid	jcommon	Low
Vendor	jar	package name	jfree	Low
Vendor	pom	organization url	http://www.jfree.org/	Medium
Vendor	central	groupid	org.jfree	Highest
Vendor	file	name	jcommon	High
Vendor	pom	organization name	JFree.org	High
Vendor	pom	url	http://www.jfree.org/jcommon/	Highest
Vendor	pom	groupid	jfree	Highest
Vendor	pom	description	JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.	Low
Vendor	pom	groupid	org.jfree	Highest
Product	pom	name	JCommon	High
Product	pom	artifactid	jcommon	Highest
Product	central	artifactid	jcommon	Highest
Product	pom	organization name	JFree.org	Low
Product	pom	url	http://www.jfree.org/jcommon/	Medium
Product	file	name	jcommon	High
Product	pom	groupid	jfree	Low
Product	pom	description	JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport.	Low
Product	pom	organization url	http://www.jfree.org/	Low
Version	pom	version	1.0.17	Highest
Version	file	version	1.0.17	Highest
Version	central	version	1.0.17	Highest

Identifiers

maven: org.jfree:jcommon:1.0.17 ✓ Confidence:Highest

jfreechart-1.0.14.jar

Description: JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.

License:

GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt

File Path: /home/ciagent/.m2/repository/org/jfree/jfreechart/1.0.14/jfreechart-1.0.14.jar
MD5: e0ac6e8ecb858f946200b326209fe639
SHA1: fa67c798b0ae80b84f3854d69e341abacd3867c5
Referenced In Projects/Scopes:

eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	JFreeChart	High
Vendor	pom	description	JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.	Low
Vendor	jar	package name	chart	Low
Vendor	pom	artifactid	jfreechart	Low
Vendor	jar	package name	jfree	Low
Vendor	file	name	jfreechart	High
Vendor	central	groupid	org.jfree	Highest
Vendor	pom	groupid	jfree	Highest
Vendor	pom	url	http://www.jfree.org/jfreechart/	Highest
Vendor	pom	organization url	http://www.jfree.org/	Medium
Vendor	pom	organization name	JFree.org	High
Vendor	pom	groupid	org.jfree	Highest
Product	pom	name	JFreeChart	High
Product	pom	description	JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots.	Low
Product	jar	package name	chart	Low
Product	pom	artifactid	jfreechart	Highest
Product	pom	organization name	JFree.org	Low
Product	file	name	jfreechart	High
Product	pom	groupid	jfree	Low
Product	pom	url	http://www.jfree.org/jfreechart/	Medium
Product	central	artifactid	jfreechart	Highest
Product	pom	organization url	http://www.jfree.org/	Low
Version	central	version	1.0.14	Highest
Version	file	version	1.0.14	Highest
Version	pom	version	1.0.14	Highest

Identifiers

maven: org.jfree:jfreechart:1.0.14 ✓ Confidence:Highest

velocity-1.7.jar

Description: Apache Velocity is a general purpose template engine.

File Path: /home/ciagent/.m2/repository/org/apache/velocity/velocity/1.7/velocity-1.7.jar
MD5: 3692dd72f8367cb35fb6280dc2916725
SHA1: 2ceb567b8f3f21118ecdec129fe1271dbc09aa7a
Referenced In Projects/Scopes:

eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	central	groupid	org.apache.velocity	Highest
Vendor	pom	parent-artifactid	apache	Low
Vendor	pom	url	http://velocity.apache.org/engine/devel/	Highest
Vendor	pom	groupid	org.apache.velocity	Highest
Vendor	pom	artifactid	velocity	Low
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	pom	groupid	apache.velocity	Highest
Vendor	file	name	velocity	High
Vendor	Manifest	extension-name	velocity	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	bundle-symbolicname	org.apache.velocity	Medium
Vendor	pom	name	Apache Velocity	High
Vendor	pom	description	Apache Velocity is a general purpose template engine.	Medium
Vendor	pom	parent-groupid	org.apache	Medium
Product	central	artifactid	velocity	Highest
Product	pom	artifactid	velocity	Highest
Product	pom	groupid	apache.velocity	Low
Product	pom	parent-groupid	org.apache	Low
Product	pom	url	http://velocity.apache.org/engine/devel/	Medium
Product	Manifest	Implementation-Title	org.apache.velocity	High
Product	Manifest	Bundle-Name	Apache Velocity	Medium
Product	file	name	velocity	High
Product	Manifest	extension-name	velocity	Medium
Product	pom	parent-artifactid	apache	Medium
Product	Manifest	bundle-symbolicname	org.apache.velocity	Medium
Product	pom	name	Apache Velocity	High
Product	pom	description	Apache Velocity is a general purpose template engine.	Medium
Product	Manifest	specification-title	Velocity is a Java-based template engine	Medium
Version	pom	version	1.7	Highest
Version	central	version	1.7	Highest
Version	file	version	1.7	Highest
Version	Manifest	Implementation-Version	1.7	High

Identifiers

maven: org.apache.velocity:velocity:1.7 ✓ Confidence:Highest

velocity-tools-1.4.jar

File Path: /home/ciagent/.m2/repository/velocity-tools/velocity-tools/1.4/velocity-tools-1.4.jar
MD5: 2ef7ed8b728186558b5d587c38900b84
SHA1: 4e1f4d507030a00959f4c0c7fcc60b3565617d08
Referenced In Projects/Scopes:

eXo Wiki JPA DAO:compile
eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	central	groupid	velocity-tools	Highest
Vendor	Manifest	specification-vendor	Apache Software Foundation	Low
Vendor	pom	groupid	velocity-tools	Highest
Vendor	Manifest	Implementation-Vendor	Apache Software Foundation	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	pom	artifactid	velocity-tools	Low
Vendor	file	name	velocity-tools	High
Vendor	Manifest	extension-name	velocity-tools	Medium
Product	pom	groupid	velocity-tools	Low
Product	Manifest	Implementation-Title	org.apache.velocity	High
Product	Manifest	specification-title	VelocityTools is a set of utilities for use with the Velocity template engine and Struts web framework	Medium
Product	central	artifactid	velocity-tools	Highest
Product	file	name	velocity-tools	High
Product	Manifest	extension-name	velocity-tools	Medium
Product	pom	artifactid	velocity-tools	Highest
Version	Manifest	Implementation-Version	1.4	High
Version	pom	version	1.4	Highest
Version	file	version	1.4	Highest
Version	central	version	1.4	Highest

Identifiers

maven: velocity-tools:velocity-tools:1.4 ✓ Confidence:Highest
cpe: cpe:/a:apache:struts:1.4 Confidence:Low

commons-codec-1.10.jar

Description: The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
MD5: 353cf6a2bdba09595ccfa073b78c7fcb
SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Projects/Scopes:

eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	bundle-symbolicname	org.apache.commons.codec	Medium
Vendor	manifest	Bundle-Description	The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-codec/	Low
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	central	groupid	commons-codec	Highest
Vendor	file	name	commons-codec	High
Vendor	pom	groupid	commons-codec	Highest
Vendor	pom	description	The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.	Low
Vendor	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Vendor	pom	artifactid	commons-codec	Low
Vendor	pom	name	Apache Commons Codec	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	Manifest	implementation-build	trunk@r1637108; 2014-11-06 14:14:12+0000	Low
Vendor	pom	url	http://commons.apache.org/proper/commons-codec/	Highest
Product	pom	groupid	commons-codec	Low
Product	Manifest	bundle-symbolicname	org.apache.commons.codec	Medium
Product	manifest	Bundle-Description	The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.	Low
Product	pom	parent-artifactid	commons-parent	Medium
Product	central	artifactid	commons-codec	Highest
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-codec/	Low
Product	Manifest	Bundle-Name	Apache Commons Codec	Medium
Product	Manifest	Implementation-Title	Apache Commons Codec	High
Product	Manifest	specification-title	Apache Commons Codec	Medium
Product	file	name	commons-codec	High
Product	pom	description	The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.	Low
Product	Manifest	require-capability	osgi.ee;filter:="(&(osgi.ee=JavaSE)(version=1.6))"	Low
Product	pom	name	Apache Commons Codec	High
Product	pom	artifactid	commons-codec	Highest
Product	pom	parent-groupid	org.apache.commons	Low
Product	Manifest	implementation-build	trunk@r1637108; 2014-11-06 14:14:12+0000	Low
Product	pom	url	http://commons.apache.org/proper/commons-codec/	Medium
Version	pom	version	1.10	Highest
Version	central	version	1.10	Highest
Version	Manifest	Implementation-Version	1.10	High
Version	file	version	1.10	Highest

Identifiers

maven: commons-codec:commons-codec:1.10 ✓ Confidence:Highest

jackson-core-2.3.1.jar

Description: Core Jackson abstractions, basic JSON streaming API implementation

License:

http://www.apache.org/licenses/LICENSE-2.0.txt, http://www.gnu.org/licenses/lgpl-2.1.html

File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.3.1/jackson-core-2.3.1.jar
MD5: aa2152b5f610a2dee75bb81bcab66c36
SHA1: f9f7185c92ca5fefe2fb3efdeb477a67c96ea2d0
Referenced In Projects/Scopes:

eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	artifactid	jackson-core	Low
Vendor	pom	description	Core Jackson abstractions, basic JSON streaming API implementation	Medium
Vendor	pom	name	Jackson-core	High
Vendor	Manifest	implementation-build-date	2013-12-27 17:00:34-0800	Low
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	manifest	Bundle-Description	Core Jackson abstractions, basic JSON streaming API implementation	Medium
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	pom	groupid	fasterxml.jackson.core	Highest
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	central	groupid	com.fasterxml.jackson.core	Highest
Vendor	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonHome	Low
Vendor	pom	parent-groupid	com.fasterxml	Medium
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	pom	url	http://wiki.fasterxml.com/JacksonHome	Highest
Vendor	file	name	jackson-core	High
Product	pom	url	http://wiki.fasterxml.com/JacksonHome	Medium
Product	Manifest	Bundle-Name	Jackson-core	Medium
Product	pom	description	Core Jackson abstractions, basic JSON streaming API implementation	Medium
Product	pom	name	Jackson-core	High
Product	Manifest	implementation-build-date	2013-12-27 17:00:34-0800	Low
Product	pom	parent-artifactid	oss-parent	Medium
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-core	Medium
Product	Manifest	specification-title	Jackson-core	Medium
Product	Manifest	Implementation-Title	Jackson-core	High
Product	manifest	Bundle-Description	Core Jackson abstractions, basic JSON streaming API implementation	Medium
Product	central	artifactid	jackson-core	Highest
Product	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonHome	Low
Product	pom	parent-groupid	com.fasterxml	Low
Product	pom	artifactid	jackson-core	Highest
Product	pom	groupid	fasterxml.jackson.core	Low
Product	file	name	jackson-core	High
Version	central	version	2.3.1	Highest
Version	pom	version	2.3.1	Highest
Version	file	version	2.3.1	Highest
Version	Manifest	Implementation-Version	2.3.1	High

Identifiers

cpe: cpe:/a:fasterxml:jackson:2.3.1 Confidence:Low
maven: com.fasterxml.jackson.core:jackson-core:2.3.1 ✓ Confidence:Highest

jackson-annotations-2.3.0.jar

Description: Core annotations used for value types, used by Jackson data binding package.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt, http://www.gnu.org/licenses/lgpl-2.1.html

File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/core/jackson-annotations/2.3.0/jackson-annotations-2.3.0.jar
MD5: c954fbca7d677f323d810d0fa8baead2
SHA1: f5e853a20b60758922453d56f9ae1e64af5cb3da
Referenced In Projects/Scopes:

eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	pom	description	Core annotations used for value types, used by Jackson data binding package.	Medium
Vendor	Manifest	implementation-build-date	2013-11-13 20:56:27-0800	Low
Vendor	pom	artifactid	jackson-annotations	Low
Vendor	file	name	jackson-annotations	High
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	pom	groupid	fasterxml.jackson.core	Highest
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	central	groupid	com.fasterxml.jackson.core	Highest
Vendor	pom	name	Jackson-annotations	High
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Vendor	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonHome	Low
Vendor	pom	parent-groupid	com.fasterxml	Medium
Vendor	manifest	Bundle-Description	Core annotations used for value types, used by Jackson data binding package.	Medium
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	pom	url	http://wiki.fasterxml.com/JacksonHome	Highest
Product	pom	url	http://wiki.fasterxml.com/JacksonHome	Medium
Product	pom	artifactid	jackson-annotations	Highest
Product	pom	description	Core annotations used for value types, used by Jackson data binding package.	Medium
Product	Manifest	Bundle-Name	Jackson-annotations	Medium
Product	pom	parent-artifactid	oss-parent	Medium
Product	Manifest	implementation-build-date	2013-11-13 20:56:27-0800	Low
Product	file	name	jackson-annotations	High
Product	pom	name	Jackson-annotations	High
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-annotations	Medium
Product	central	artifactid	jackson-annotations	Highest
Product	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonHome	Low
Product	pom	parent-groupid	com.fasterxml	Low
Product	Manifest	Implementation-Title	Jackson-annotations	High
Product	pom	groupid	fasterxml.jackson.core	Low
Product	manifest	Bundle-Description	Core annotations used for value types, used by Jackson data binding package.	Medium
Product	Manifest	specification-title	Jackson-annotations	Medium
Version	file	version	2.3.0	Highest
Version	Manifest	Implementation-Version	2.3.0	High
Version	central	version	2.3.0	Highest
Version	pom	version	2.3.0	Highest

Identifiers

cpe: cpe:/a:fasterxml:jackson:2.3.0 Confidence:Low
maven: com.fasterxml.jackson.core:jackson-annotations:2.3.0 ✓ Confidence:Highest

jackson-databind-2.3.1.jar

Description: General data-binding functionality for Jackson: works on core streaming API

License:

http://www.apache.org/licenses/LICENSE-2.0.txt, http://www.gnu.org/licenses/lgpl-2.1.html

File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.1/jackson-databind-2.3.1.jar
MD5: 4de637793707fdecb1b7a90f677103ec
SHA1: c4096a8323bbbcbeda072e3def123a9b66783361
Referenced In Projects/Scopes:

eXo PLF:: Wiki Renderer:compile
eXo PLF:: Wiki Service:compile
eXo Wiki JPA Migration Service:compile
eXo PLF:: Wiki Webui:compile
eXo PLF:: Wiki Upgrade Plugins:compile
eXo PLF:: Wiki Webapp:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	Manifest	specification-vendor	FasterXML	Low
Vendor	file	name	jackson-databind	High
Vendor	pom	artifactid	jackson-databind	Low
Vendor	Manifest	implementation-build-date	2013-12-27 18:28:29-0800	Low
Vendor	manifest	Bundle-Description	General data-binding functionality for Jackson: works on core streaming API	Medium
Vendor	Manifest	Implementation-Vendor	FasterXML	High
Vendor	Manifest	Implementation-Vendor-Id	com.fasterxml.jackson.core	Medium
Vendor	pom	groupid	fasterxml.jackson.core	Highest
Vendor	pom	groupid	com.fasterxml.jackson.core	Highest
Vendor	central	groupid	com.fasterxml.jackson.core	Highest
Vendor	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Vendor	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonHome	Low
Vendor	pom	name	jackson-databind	High
Vendor	pom	parent-groupid	com.fasterxml	Medium
Vendor	pom	parent-artifactid	oss-parent	Low
Vendor	pom	url	http://wiki.fasterxml.com/JacksonHome	Highest
Vendor	pom	description	General data-binding functionality for Jackson: works on core streaming API	Medium
Product	pom	url	http://wiki.fasterxml.com/JacksonHome	Medium
Product	file	name	jackson-databind	High
Product	pom	parent-artifactid	oss-parent	Medium
Product	pom	artifactid	jackson-databind	Highest
Product	Manifest	implementation-build-date	2013-12-27 18:28:29-0800	Low
Product	manifest	Bundle-Description	General data-binding functionality for Jackson: works on core streaming API	Medium
Product	Manifest	Implementation-Title	jackson-databind	High
Product	central	artifactid	jackson-databind	Highest
Product	Manifest	bundle-symbolicname	com.fasterxml.jackson.core.jackson-databind	Medium
Product	Manifest	specification-title	jackson-databind	Medium
Product	Manifest	bundle-docurl	http://wiki.fasterxml.com/JacksonHome	Low
Product	pom	parent-groupid	com.fasterxml	Low
Product	pom	name	jackson-databind	High
Product	pom	groupid	fasterxml.jackson.core	Low
Product	Manifest	Bundle-Name	jackson-databind	Medium
Product	pom	description	General data-binding functionality for Jackson: works on core streaming API	Medium
Version	central	version	2.3.1	Highest
Version	pom	version	2.3.1	Highest
Version	file	version	2.3.1	Highest
Version	Manifest	Implementation-Version	2.3.1	High

Identifiers

cpe: cpe:/a:fasterxml:jackson:2.3.1 Confidence:Low
cpe: cpe:/a:fasterxml:jackson-databind:2.3.1 Confidence:Highest
maven: com.fasterxml.jackson.core:jackson-databind:2.3.1 ✓ Confidence:Highest

Published Vulnerabilities

CVE-2017-15095

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

BID - 103880
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CONFIRM - https://github.com/FasterXML/jackson-databind/issues/1680
CONFIRM - https://github.com/FasterXML/jackson-databind/issues/1737
CONFIRM - https://security.netapp.com/advisory/ntap-20171214-0003/
CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
DEBIAN - DSA-4037
REDHAT - RHSA-2017:3189
REDHAT - RHSA-2017:3190
REDHAT - RHSA-2018:0342
REDHAT - RHSA-2018:0478
REDHAT - RHSA-2018:0479
REDHAT - RHSA-2018:0480
REDHAT - RHSA-2018:0481
REDHAT - RHSA-2018:0576
REDHAT - RHSA-2018:0577
REDHAT - RHSA-2018:1447
REDHAT - RHSA-2018:1448
REDHAT - RHSA-2018:1449
REDHAT - RHSA-2018:1450
REDHAT - RHSA-2018:1451
REDHAT - RHSA-2018:2927
SECTRACK - 1039769

Vulnerable Software & Versions: (show all)

CVE-2017-17485

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.

BUGTRAQ - 20180109 CVE-2017-17485: one more way of rce in jackson-databind when defaultTyping+objects are used
CONFIRM - https://github.com/FasterXML/jackson-databind/issues/1855
CONFIRM - https://security.netapp.com/advisory/ntap-20180201-0003/
CONFIRM - https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
DEBIAN - DSA-4114
MISC - https://github.com/irsl/jackson-rce-via-spel/
REDHAT - RHSA-2018:0116
REDHAT - RHSA-2018:0342
REDHAT - RHSA-2018:0478
REDHAT - RHSA-2018:0479
REDHAT - RHSA-2018:0480
REDHAT - RHSA-2018:0481
REDHAT - RHSA-2018:1447
REDHAT - RHSA-2018:1448
REDHAT - RHSA-2018:1449
REDHAT - RHSA-2018:1450
REDHAT - RHSA-2018:1451
REDHAT - RHSA-2018:2930

Vulnerable Software & Versions: (show all)

CVE-2017-7525

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.

BID - 99623
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1462702
CONFIRM - https://cwiki.apache.org/confluence/display/WW/S2-055
CONFIRM - https://github.com/FasterXML/jackson-databind/issues/1599
CONFIRM - https://github.com/FasterXML/jackson-databind/issues/1723
CONFIRM - https://security.netapp.com/advisory/ntap-20171214-0002/
CONFIRM - https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbhf03902en_us
CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
DEBIAN - DSA-4004
MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MLIST - [lucene-dev] 20190325 [jira] [Assigned] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ...
MLIST - [lucene-dev] 20190325 [jira] [Closed] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ...
MLIST - [lucene-dev] 20190325 [jira] [Resolved] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ...
MLIST - [lucene-dev] 20190325 [jira] [Updated] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ...
MLIST - [lucene-dev] 20190325 [jira] [Updated] (SOLR-13110) CVE-2017-7525 Threat Level 9 Against Solr v7.6. org.codehaus.jackson : jackson-mapper-asl : 1.9.13. .A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, ...
REDHAT - RHSA-2017:1834
REDHAT - RHSA-2017:1835
REDHAT - RHSA-2017:1836
REDHAT - RHSA-2017:1837
REDHAT - RHSA-2017:1839
REDHAT - RHSA-2017:1840
REDHAT - RHSA-2017:2477
REDHAT - RHSA-2017:2546
REDHAT - RHSA-2017:2547
REDHAT - RHSA-2017:2633
REDHAT - RHSA-2017:2635
REDHAT - RHSA-2017:2636
REDHAT - RHSA-2017:2637
REDHAT - RHSA-2017:2638
REDHAT - RHSA-2017:3141
REDHAT - RHSA-2017:3454
REDHAT - RHSA-2017:3455
REDHAT - RHSA-2017:3456
REDHAT - RHSA-2017:3458
REDHAT - RHSA-2018:0294
REDHAT - RHSA-2018:0342
REDHAT - RHSA-2018:1449
REDHAT - RHSA-2018:1450
REDHAT - RHSA-2019:0910
SECTRACK - 1039744
SECTRACK - 1039947
SECTRACK - 1040360

Vulnerable Software & Versions: (show all)

CVE-2018-1000873

Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-20 Improper Input Validation

Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.

Vulnerable Software & Versions: (show all)

CVE-2018-14719

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.

Vulnerable Software & Versions: (show all)

CVE-2018-14720

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Vulnerable Software & Versions: (show all)

CVE-2018-14721

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-918 Server-Side Request Forgery (SSRF)

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

CONFIRM - https://github.com/FasterXML/jackson-databind/commit/87d29af25e82a249ea15858e2d4ecbf64091db44
CONFIRM - https://github.com/FasterXML/jackson-databind/issues/2097
CONFIRM - https://github.com/FasterXML/jackson/wiki/Jackson-Release-2.9.7
CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MLIST - [debian-lts-announce] 20190304 [SECURITY] [DLA 1703-1] jackson-databind security update
MLIST - [pulsar-commits] 20190416 [GitHub] [pulsar] one70six opened a new issue #4057: Security Vulnerabilities - Black Duck Scan - Pulsar v.2.3.1
REDHAT - RHBA-2019:0959
REDHAT - RHSA-2019:0782
REDHAT - RHSA-2019:1106
REDHAT - RHSA-2019:1107
REDHAT - RHSA-2019:1108
REDHAT - RHSA-2019:1140

Vulnerable Software & Versions: (show all)

CVE-2018-19360

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Vulnerable Software & Versions: (show all)

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: eXo PLF:: Wiki

org.exoplatform.wiki:wiki:5.3.x-SNAPSHOT

Dependencies

platform-ui-skin-5.3.x-SNAPSHOT.war

Evidence

Identifiers

gwt-servlet-2.6.1.jar

Evidence

Identifiers

Published Vulnerabilities

smartgwt-lgpl-6.0-p20170514.jar

Evidence

Identifiers

Published Vulnerabilities

xwiki-platform-gwt-dom-6.0.jar

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

slf4j-api-1.7.18.jar

Evidence

Identifiers

javax.inject-1.jar

Evidence

Identifiers

commons-io-2.4.jar

Evidence

Identifiers

jcommon-1.0.17.jar

Evidence

Identifiers

jfreechart-1.0.14.jar

Evidence

Identifiers

velocity-1.7.jar

Evidence

Identifiers

velocity-tools-1.4.jar

Evidence

Identifiers

commons-codec-1.10.jar

Evidence

Identifiers

jackson-core-2.3.1.jar

Evidence

Identifiers

jackson-annotations-2.3.0.jar

Evidence

Identifiers

jackson-databind-2.3.1.jar

Evidence

Identifiers

Published Vulnerabilities