Dependency-Check Report

Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies; false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties, implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.

Scan Information (show all):

dependency-check version: 3.1.2
Report Generated On: May 26, 2019 at 07:38:03 +00:00
Dependencies Scanned: 14 (7 unique)
Vulnerable Dependencies: 2
Vulnerabilities Found: 2
Vulnerabilities Suppressed: 0
...
NVD CVE 2002: 16/05/2019 09:15:31
NVD CVE 2003: 24/05/2019 08:15:38
NVD CVE 2004: 16/05/2019 09:15:31
NVD CVE 2005: 24/05/2019 08:15:38
NVD CVE 2006: 23/05/2019 08:15:43
NVD CVE 2007: 25/05/2019 08:15:38
NVD CVE 2008: 25/05/2019 08:15:38
NVD CVE 2009: 24/05/2019 08:15:38
NVD CVE 2010: 24/05/2019 08:15:38
NVD CVE 2011: 23/05/2019 08:15:44
NVD CVE 2012: 25/05/2019 08:15:39
NVD CVE 2013: 25/05/2019 08:15:39
NVD CVE 2014: 25/05/2019 08:15:39
NVD CVE 2015: 25/05/2019 07:45:46
NVD CVE 2016: 25/05/2019 07:45:46
NVD CVE 2017: 25/05/2019 07:45:47
NVD CVE 2018: 25/05/2019 07:45:47
NVD CVE 2019: 25/05/2019 07:15:28
NVD CVE Checked: 26/05/2019 07:26:05
NVD CVE Modified: 26/05/2019 05:15:29
VersionCheckOn: 1557645553942

Display: Showing Vulnerable Dependencies (click to show all)

Dependency	CPE	Coordinates	Highest Severity	CVE Count	CPE Confidence	Evidence Count
commons-lang-2.6.jar		org.netbeans.external:org-apache-commons-lang:RELEASE90 ✓		0		39
xwiki-commons-text-5.4.7.jar	cpe:/a:xwiki:xwiki:5.4.7	org.xwiki.commons:xwiki-commons-text:5.4.7	Low	1	Low	26
slf4j-api-1.7.18.jar		org.slf4j:slf4j-api:1.7.18 ✓		0		31
javax.inject-1.jar		javax.inject:javax.inject:1 ✓		0		20
validation-api-1.1.0.Final.jar		javax.validation:validation-api:1.1.0.Final ✓		0		22
commons-beanutils-1.8.3.jar	cpe:/a:apache:commons_beanutils:1.8.3	commons-beanutils:commons-beanutils:1.8.3 ✓	High	1	Low	34
commons-lang3-3.2.jar		org.apache.commons:commons-lang3:3.2 ✓		0		37

Dependencies

commons-lang-2.6.jar

Description: Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar
MD5: 4d5c1693079575b362edf41500630bbd
SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	manifest	Bundle-Description	Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	description	Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Vendor	pom	name	Commons Lang	High
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang	Medium
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	groupid	commons-lang	Highest
Vendor	pom	url	http://commons.apache.org/lang/	Highest
Vendor	central	groupid	commons-lang	High
Vendor	pom	artifactid	commons-lang	Low
Vendor	Manifest	bundle-docurl	http://commons.apache.org/lang/	Low
Vendor	file	name	commons-lang	High
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	central	groupid	org.netbeans.external	High
Product	pom	artifactid	commons-lang	Highest
Product	manifest	Bundle-Description	Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Product	Manifest	Bundle-Name	Commons Lang	Medium
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	description	Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Product	pom	name	Commons Lang	High
Product	Manifest	bundle-symbolicname	org.apache.commons.lang	Medium
Product	central	artifactid	commons-lang	High
Product	pom	groupid	commons-lang	Low
Product	pom	url	http://commons.apache.org/lang/	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/lang/	Low
Product	file	name	commons-lang	High
Product	central	artifactid	org-apache-commons-lang	High
Product	pom	parent-groupid	org.apache.commons	Low
Product	Manifest	Implementation-Title	Commons Lang	High
Product	Manifest	specification-title	Commons Lang	Medium
Version	pom	version	2.6	Highest
Version	central	version	RELEASE110	High
Version	file	version	2.6	Highest
Version	Manifest	Implementation-Version	2.6	High
Version	central	version	RELEASE90	High
Version	central	version	RELEASE100	High
Version	central	version	2.6	High

Identifiers

maven: org.netbeans.external:org-apache-commons-lang:RELEASE90 ✓ Confidence:Highest
maven: org.netbeans.external:org-apache-commons-lang:RELEASE110 ✓ Confidence:Highest
maven: org.netbeans.external:org-apache-commons-lang:RELEASE100 ✓ Confidence:Highest
maven: commons-lang:commons-lang:2.6 ✓ Confidence:Highest

xwiki-commons-text-5.4.7.jar

Description: Offers text-related APIs

License:

http://www.gnu.org/licenses/old-licenses/lgpl-2.1.html

File Path: /home/ciagent/.m2/repository/org/xwiki/commons/xwiki-commons-text/5.4.7/xwiki-commons-text-5.4.7.jar
MD5: 477305b76113ea2a7838264affdd500a
SHA1: 1f79f0bd85b203195251a4f15ff808ab8d3146e8
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	xwiki.commons	Highest
Vendor	pom	name	XWiki Commons - Text	High
Vendor	Manifest	xwiki-extension-id	org.xwiki.commons:xwiki-commons-text	Low
Vendor	Manifest	bundle-docurl	http://xwiki.org/	Low
Vendor	file	name	xwiki-commons-text	High
Vendor	manifest	Bundle-Description	Offers text-related APIs	Medium
Vendor	pom	artifactid	xwiki-commons-text	Low
Vendor	Manifest	bundle-symbolicname	org.xwiki.commons.xwiki-commons-text	Medium
Vendor	pom	parent-groupid	org.xwiki.commons	Medium
Vendor	pom	parent-artifactid	xwiki-commons-core	Low
Vendor	pom	description	Offers text-related APIs	Medium
Vendor	pom	groupid	org.xwiki.commons	Highest
Product	pom	name	XWiki Commons - Text	High
Product	Manifest	Bundle-Name	XWiki Commons - Text	Medium
Product	Manifest	xwiki-extension-id	org.xwiki.commons:xwiki-commons-text	Low
Product	pom	parent-groupid	org.xwiki.commons	Low
Product	Manifest	bundle-docurl	http://xwiki.org/	Low
Product	file	name	xwiki-commons-text	High
Product	manifest	Bundle-Description	Offers text-related APIs	Medium
Product	Manifest	bundle-symbolicname	org.xwiki.commons.xwiki-commons-text	Medium
Product	pom	artifactid	xwiki-commons-text	Highest
Product	pom	description	Offers text-related APIs	Medium
Product	pom	parent-artifactid	xwiki-commons-core	Medium
Product	pom	groupid	xwiki.commons	Low
Version	file	version	5.4.7	Highest
Version	pom	version	5.4.7	Highest

Related Dependencies

xwiki-rendering-transformation-macro-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/rendering/xwiki-rendering-transformation-macro/5.4.7/xwiki-rendering-transformation-macro-5.4.7.jar
- SHA1: f0c600ec2a25a6cddbf1cb98a9a3c95c3c29d805
- MD5: dc57dee48e180f19ab49b0515087732a
xwiki-commons-filter-api-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/commons/xwiki-commons-filter-api/5.4.7/xwiki-commons-filter-api-5.4.7.jar
- SHA1: 6749b6acd3c82581fbf600ad4d5036ca45a2de42
- MD5: 0dd5e9347616281d219d9aff7f7cd01f
xwiki-rendering-api-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/rendering/xwiki-rendering-api/5.4.7/xwiki-rendering-api-5.4.7.jar
- SHA1: ef54407ddbdd657c3da2fd9f4557b0063ee0b883
- MD5: 69137bb0927694682c5a7b642f0b9621
xwiki-commons-properties-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/commons/xwiki-commons-properties/5.4.7/xwiki-commons-properties-5.4.7.jar
- SHA1: c2c61479ba9a627951fc43066384de38a79eb067
- MD5: 543efb4925178456d1589ce6aa25087f
xwiki-commons-component-api-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/commons/xwiki-commons-component-api/5.4.7/xwiki-commons-component-api-5.4.7.jar
- SHA1: e305955b98d05e07d14da20ad47f5b69393cb438
- MD5: d22938d83aae4827298b7f99a7f72170
xwiki-commons-configuration-api-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/commons/xwiki-commons-configuration-api/5.4.7/xwiki-commons-configuration-api-5.4.7.jar
- SHA1: 7444a6824d68424eac7f24d3d95e20b50b35d98d
- MD5: d2f9f3c69916264f899f069a4ce29ca3
xwiki-commons-stability-5.4.7.jar
- File Path: /home/ciagent/.m2/repository/org/xwiki/commons/xwiki-commons-stability/5.4.7/xwiki-commons-stability-5.4.7.jar
- SHA1: 177095921278492e908305ecc71554e4265da5e0
- MD5: 67065d9178fd521f807ec07fd2280266

Identifiers

maven: org.xwiki.commons:xwiki-commons-text:5.4.7 Confidence:High
cpe: cpe:/a:xwiki:xwiki:5.4.7 Confidence:Low

Published Vulnerabilities

CVE-2018-16277

Severity: Low
CVSS Score: 3.5 (AV:N/AC:M/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

The Image Import function in XWiki through 10.7 has XSS.

MISC - https://mksec.tk/index.php/2018/09/27/cve-2018-16277-xss-in-xwiki/

Vulnerable Software & Versions:

cpe:/a:xwiki:xwiki:10.7 and all previous versions

slf4j-api-1.7.18.jar

Description: The slf4j API

File Path: /home/ciagent/.m2/repository/org/slf4j/slf4j-api/1.7.18/slf4j-api-1.7.18.jar
MD5: 1b1d1af21206ac5ae44cd79a6c04dd92
SHA1: b631d286463ced7cc42ee2171fe3beaed2836823
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	name	SLF4J API Module	High
Vendor	pom	parent-groupid	org.slf4j	Medium
Vendor	pom	url	http://www.slf4j.org	Highest
Vendor	file	name	slf4j-api	High
Vendor	pom	groupid	slf4j	Highest
Vendor	manifest	Bundle-Description	The slf4j API	Medium
Vendor	pom	parent-artifactid	slf4j-parent	Low
Vendor	central	groupid	org.slf4j	Highest
Vendor	pom	artifactid	slf4j-api	Low
Vendor	Manifest	bundle-symbolicname	slf4j.api	Medium
Vendor	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Vendor	pom	groupid	org.slf4j	Highest
Vendor	pom	description	The slf4j API	Medium
Product	pom	name	SLF4J API Module	High
Product	pom	groupid	slf4j	Low
Product	pom	url	http://www.slf4j.org	Medium
Product	file	name	slf4j-api	High
Product	central	artifactid	slf4j-api	Highest
Product	pom	artifactid	slf4j-api	Highest
Product	manifest	Bundle-Description	The slf4j API	Medium
Product	pom	parent-artifactid	slf4j-parent	Medium
Product	Manifest	bundle-symbolicname	slf4j.api	Medium
Product	Manifest	Implementation-Title	slf4j-api	High
Product	Manifest	bundle-requiredexecutionenvironment	J2SE-1.5	Low
Product	Manifest	Bundle-Name	slf4j-api	Medium
Product	pom	parent-groupid	org.slf4j	Low
Product	pom	description	The slf4j API	Medium
Version	central	version	1.7.18	Highest
Version	pom	version	1.7.18	Highest
Version	Manifest	Implementation-Version	1.7.18	High
Version	file	version	1.7.18	Highest

Identifiers

maven: org.slf4j:slf4j-api:1.7.18 ✓ Confidence:Highest

javax.inject-1.jar

Description: The javax.inject API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/javax/inject/javax.inject/1/javax.inject-1.jar
MD5: 289075e48b909e9e74e6c915b3631d2e
SHA1: 6975da39a7040257bd51d21a231b76c915872d38
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	javax.inject	Low
Vendor	pom	groupid	javax.inject	Highest
Vendor	pom	name	javax.inject	High
Vendor	central	groupid	javax.inject	Highest
Vendor	jar	package name	javax	Low
Vendor	file	name	javax.inject-1	High
Vendor	pom	url	http://code.google.com/p/atinject/	Highest
Vendor	pom	description	The javax.inject API	Medium
Vendor	jar	package name	inject	Low
Product	central	artifactid	javax.inject	Highest
Product	pom	artifactid	javax.inject	Highest
Product	pom	name	javax.inject	High
Product	pom	groupid	javax.inject	Low
Product	file	name	javax.inject-1	High
Product	pom	description	The javax.inject API	Medium
Product	pom	url	http://code.google.com/p/atinject/	Medium
Product	jar	package name	inject	Low
Version	file	version	1	Medium
Version	pom	version	1	Highest
Version	central	version	1	Highest

Identifiers

maven: javax.inject:javax.inject:1 ✓ Confidence:Highest

validation-api-1.1.0.Final.jar

Description: Bean Validation API

License:

The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/javax/validation/validation-api/1.1.0.Final/validation-api-1.1.0.Final.jar
MD5: 4c257f52462860b62ab3cdab45f53082
SHA1: 8613ae82954779d518631e05daa73a6a954817d5
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	artifactid	validation-api	Low
Vendor	Manifest	bundle-symbolicname	javax.validation.api	Medium
Vendor	pom	name	Bean Validation API	High
Vendor	central	groupid	javax.validation	Highest
Vendor	pom	url	http://beanvalidation.org	Highest
Vendor	pom	description	Bean Validation API	Medium
Vendor	pom	groupid	javax.validation	Highest
Vendor	file	name	validation-api	High
Vendor	manifest	Bundle-Description	Bean Validation API	Medium
Product	Manifest	bundle-symbolicname	javax.validation.api	Medium
Product	central	artifactid	validation-api	Highest
Product	pom	name	Bean Validation API	High
Product	pom	url	http://beanvalidation.org	Medium
Product	pom	artifactid	validation-api	Highest
Product	pom	groupid	javax.validation	Low
Product	Manifest	Bundle-Name	Bean Validation API	Medium
Product	pom	description	Bean Validation API	Medium
Product	file	name	validation-api	High
Product	manifest	Bundle-Description	Bean Validation API	Medium
Version	pom	version	1.1.0.Final	Highest
Version	file	version	1.1.0	Highest
Version	central	version	1.1.0.Final	Highest

Identifiers

maven: javax.validation:validation-api:1.1.0.Final ✓ Confidence:Highest

commons-beanutils-1.8.3.jar

Description: BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
MD5: b45be74134796c89db7126083129532f
SHA1: 686ef3410bcf4ab8ce7fd0b899e832aaba5facf7
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	central	groupid	commons-beanutils	Highest
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	pom	description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	file	name	commons-beanutils	High
Vendor	pom	name	Commons BeanUtils	High
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	url	http://commons.apache.org/beanutils/	Highest
Vendor	Manifest	bundle-docurl	http://commons.apache.org/beanutils/	Low
Vendor	Manifest	bundle-symbolicname	org.apache.commons.beanutils	Medium
Vendor	manifest	Bundle-Description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	pom	artifactid	commons-beanutils	Low
Vendor	pom	groupid	commons-beanutils	Highest
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Product	Manifest	Bundle-Name	Commons BeanUtils	Medium
Product	file	name	commons-beanutils	High
Product	pom	name	Commons BeanUtils	High
Product	pom	artifactid	commons-beanutils	Highest
Product	Manifest	specification-title	Commons BeanUtils	Medium
Product	Manifest	bundle-docurl	http://commons.apache.org/beanutils/	Low
Product	Manifest	Implementation-Title	Commons BeanUtils	High
Product	central	artifactid	commons-beanutils	Highest
Product	Manifest	bundle-symbolicname	org.apache.commons.beanutils	Medium
Product	pom	groupid	commons-beanutils	Low
Product	manifest	Bundle-Description	BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.	Medium
Product	pom	url	http://commons.apache.org/beanutils/	Medium
Product	pom	parent-groupid	org.apache.commons	Low
Version	file	version	1.8.3	Highest
Version	Manifest	Implementation-Version	1.8.3	High
Version	central	version	1.8.3	Highest
Version	pom	version	1.8.3	Highest

Identifiers

maven: commons-beanutils:commons-beanutils:1.8.3 ✓ Confidence:Highest
cpe: cpe:/a:apache:commons_beanutils:1.8.3 Confidence:Low

Published Vulnerabilities

CVE-2014-0114

Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-20 Improper Input Validation

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

BID - 67121
BUGTRAQ - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
CONFIRM - http://advisories.mageia.org/MGASA-2014-0219.html
CONFIRM - http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674128
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21674812
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675266
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675387
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675689
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675898
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21675972
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676091
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676110
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676303
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676375
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21676931
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg21677110
CONFIRM - http://www-01.ibm.com/support/docview.wss?uid=swg27042296
CONFIRM - http://www.ibm.com/support/docview.wss?uid=swg21675496
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html
CONFIRM - http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html
CONFIRM - http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0008.html
CONFIRM - http://www.vmware.com/security/advisories/VMSA-2014-0012.html
CONFIRM - https://access.redhat.com/solutions/869353
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1091938
CONFIRM - https://bugzilla.redhat.com/show_bug.cgi?id=1116665
CONFIRM - https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755
CONFIRM - https://issues.apache.org/jira/browse/BEANUTILS-463
CONFIRM - https://security.netapp.com/advisory/ntap-20140911-0001/
CONFIRM - https://security.netapp.com/advisory/ntap-20180629-0006/
CONFIRM - https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html
DEBIAN - DSA-2940
FEDORA - FEDORA-2014-9380
FULLDISC - 20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities
GENTOO - GLSA-201607-09
HP - HPSBGN03041
HP - HPSBMU03090
HP - HPSBST03160
MANDRIVA - MDVSA-2014:095
MISC - https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3@%3Cissues.commons.apache.org%3E
MISC - https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e@%3Cissues.commons.apache.org%3E
MISC - https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5@%3Cissues.commons.apache.org%3E
MISC - https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263@%3Cissues.commons.apache.org%3E
MISC - https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html
MLIST - [apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114
MLIST - [commons-dev] 20190522 [beanutils2] CVE-2014-0114 Pull Request
MLIST - [commons-issues] 20190521 [jira] [Created] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114
MLIST - [commons-issues] 20190522 [jira] [Commented] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114
MLIST - [commons-issues] 20190522 [jira] [Work logged] (BEANUTILS-520) BeanUtils2 mitigate CVE-2014-0114
MLIST - [infra-devnull] 20190329 [GitHub] [pulsar] massakam opened pull request #3938: Upgrade third party libraries with security vulnerabilities
MLIST - [oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
MLIST - [oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE
MLIST - [pulsar-commits] 20190329 [GitHub] [pulsar] massakam opened a new pull request #3938: Upgrade third party libraries with security vulnerabilities
REDHAT - RHSA-2018:2669
SECUNIA - 57477
SECUNIA - 58710
SECUNIA - 58947
SECUNIA - 59118
SECUNIA - 59228
SECUNIA - 59245
SECUNIA - 59246
SECUNIA - 59430
SECUNIA - 59464
SECUNIA - 59479
SECUNIA - 59480
SECUNIA - 59718

Vulnerable Software & Versions: (show all)

cpe:/a:apache:commons_beanutils:1.9.1 and all previous versions
...
cpe:/a:apache:commons_beanutils:1.9.1 and all previous versions
cpe:/a:apache:struts:1.0
cpe:/a:apache:struts:1.0.2
cpe:/a:apache:struts:1.1
cpe:/a:apache:struts:1.1:b1
cpe:/a:apache:struts:1.1:b2
cpe:/a:apache:struts:1.1:b3
cpe:/a:apache:struts:1.1:rc1
cpe:/a:apache:struts:1.1:rc2
cpe:/a:apache:struts:1.2.2
cpe:/a:apache:struts:1.2.4
cpe:/a:apache:struts:1.2.6
cpe:/a:apache:struts:1.2.7
cpe:/a:apache:struts:1.2.8
cpe:/a:apache:struts:1.2.9
cpe:/a:apache:struts:1.3.5
cpe:/a:apache:struts:1.3.8
cpe:/a:apache:struts:1.3.10

commons-lang3-3.2.jar

Description: Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.

License:

http://www.apache.org/licenses/LICENSE-2.0.txt

File Path: /home/ciagent/.m2/repository/org/apache/commons/commons-lang3/3.2/commons-lang3-3.2.jar
MD5: 9f2013bc16457ff8dfbfbf3357060192
SHA1: 4ff27bd725ae39f616e4ecdd08c27978cef749ec
Referenced In Project/Scope: eXo PLF:: Wiki Macros Iframe:compile

Evidence

Type	Source	Name	Value	Confidence
Vendor	pom	groupid	org.apache.commons	Highest
Vendor	pom	url	http://commons.apache.org/proper/commons-lang/	Highest
Vendor	Manifest	specification-vendor	The Apache Software Foundation	Low
Vendor	Manifest	implementation-build	tags/LANG_3_2_RC2@r1553875; 2013-12-28 18:05:45+0100	Low
Vendor	pom	groupid	apache.commons	Highest
Vendor	pom	parent-artifactid	commons-parent	Low
Vendor	pom	description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Vendor	central	groupid	org.apache.commons	Highest
Vendor	pom	artifactid	commons-lang3	Low
Vendor	manifest	Bundle-Description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Vendor	Manifest	Implementation-Vendor	The Apache Software Foundation	High
Vendor	pom	parent-groupid	org.apache.commons	Medium
Vendor	pom	name	Apache Commons Lang	High
Vendor	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Vendor	Manifest	Implementation-Vendor-Id	org.apache	Medium
Vendor	file	name	commons-lang3	High
Vendor	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/	Low
Product	Manifest	implementation-build	tags/LANG_3_2_RC2@r1553875; 2013-12-28 18:05:45+0100	Low
Product	pom	parent-artifactid	commons-parent	Medium
Product	pom	description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Product	Manifest	specification-title	Apache Commons Lang	Medium
Product	manifest	Bundle-Description	Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.	Low
Product	Manifest	Bundle-Name	Apache Commons Lang	Medium
Product	Manifest	Implementation-Title	Apache Commons Lang	High
Product	pom	name	Apache Commons Lang	High
Product	pom	groupid	apache.commons	Low
Product	pom	url	http://commons.apache.org/proper/commons-lang/	Medium
Product	central	artifactid	commons-lang3	Highest
Product	Manifest	bundle-symbolicname	org.apache.commons.lang3	Medium
Product	pom	parent-groupid	org.apache.commons	Low
Product	file	name	commons-lang3	High
Product	Manifest	bundle-docurl	http://commons.apache.org/proper/commons-lang/	Low
Product	pom	artifactid	commons-lang3	Highest
Version	pom	version	3.2	Highest
Version	central	version	3.2	Highest
Version	Manifest	Implementation-Version	3.2	High
Version	file	version	3.2	Highest

Identifiers

maven: org.apache.commons:commons-lang3:3.2 ✓ Confidence:Highest

How to read the report | Suppressing false positives | Getting Help: google group | github issues

Project: eXo PLF:: Wiki Macros

org.exoplatform.wiki:wiki-macros:5.3.x-SNAPSHOT

Dependencies

commons-lang-2.6.jar

Evidence

Identifiers

xwiki-commons-text-5.4.7.jar

Evidence

Related Dependencies

Identifiers

Published Vulnerabilities

slf4j-api-1.7.18.jar

Evidence

Identifiers

javax.inject-1.jar

Evidence

Identifiers

validation-api-1.1.0.Final.jar

Evidence

Identifiers

commons-beanutils-1.8.3.jar

Evidence

Identifiers

Published Vulnerabilities

commons-lang3-3.2.jar

Evidence

Identifiers