Dependency-Check is an open source tool performing a best effort analysis of 3rd party dependencies;
false positives and false negatives may exist in the analysis performed by the tool. Use of the tool and
the reporting provided constitutes acceptance for use in an AS IS condition, and there are NO warranties,
implied or otherwise, with regard to the analysis or its use. Any use of the tool and the reporting provided
is at the user’s risk. In no event shall the copyright holder or OWASP be held liable for any damages whatsoever
arising out of or in connection with the use of this tool, the analysis performed, or the resulting report.
Description:
Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
File Path: /home/ciagent/.m2/repository/commons-lang/commons-lang/2.6/commons-lang-2.6.jar MD5: 4d5c1693079575b362edf41500630bbd SHA1: 0ce1edb914c94ebc388f086c6827e8bdeec71ac2
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | manifest | Bundle-Description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low
Vendor | pom | name | Commons Lang | High
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.lang | Medium
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | pom | groupid | commons-lang | Highest
Vendor | pom | url | http://commons.apache.org/lang/ | Highest
Vendor | central | groupid | commons-lang | High
Vendor | pom | artifactid | commons-lang | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/lang/ | Low
Vendor | file | name | commons-lang | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | central | groupid | org.netbeans.external | High
Product | pom | artifactid | commons-lang | Highest
Product | manifest | Bundle-Description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low
Product | Manifest | Bundle-Name | Commons Lang | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | description | Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang.
Description: mime-util is a simple to use, small, light weight and fast open source java utility library that can detect
MIME types from files, input streams, URL's and byte arrays.
Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/eu/medsea/mimeutil/mime-util/2.1.3/mime-util-2.1.3.jar MD5: 3d4f3e1a96eb79683197f1c8b182f4a6 SHA1: 0c9cfae15c74f62491d4f28def0dff1dabe52a47
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | url | http://www.medsea.eu/mime-util/ | Highest
Vendor | manifest | Bundle-Description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low
Vendor | Manifest | bundle-docurl | http://www.medsea.eu | Low
Vendor | pom | organization name | Medsea Business Solutions S.L. | High
Vendor | pom | name | Mime Detection Utility | High
Vendor | pom | organization url | http://www.medsea.eu | Medium
Vendor | Manifest | bundle-symbolicname | eu.medsea.mimeutil.mime-util | Medium
Vendor | Manifest | url | http://www.medsea.eu/mime-util/ | Low
Vendor | file | name | mime-util | High
Vendor | central | groupid | eu.medsea.mimeutil | Highest
Vendor | pom | description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low
Vendor | pom | groupid | eu.medsea.mimeutil | Highest
Vendor | pom | artifactid | mime-util | Low
Product | Manifest | Bundle-Name | Mime Detection Utility | Medium
Product | manifest | Bundle-Description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4. | Low
Product | Manifest | bundle-docurl | http://www.medsea.eu | Low
Product | central | artifactid | mime-util | Highest
Product | pom | artifactid | mime-util | Highest
Product | pom | organization name | Medsea Business Solutions S.L. | Low
Product | pom | name | Mime Detection Utility | High
Product | Manifest | bundle-symbolicname | eu.medsea.mimeutil.mime-util | Medium
Product | Manifest | url | http://www.medsea.eu/mime-util/ | Low
Product | pom | url | http://www.medsea.eu/mime-util/ | Medium
Product | file | name | mime-util | High
Product | pom | organization url | http://www.medsea.eu | Low
Product | pom | groupid | eu.medsea.mimeutil | Low
Product | pom | description | mime-util is a simple to use, small, light weight and fast open source java utility library that can detect MIME types from files, input streams, URL's and byte arrays. Due to the use of regular expressions and the java.nio packages it requires at least Java 1.4.
Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
Severity: Medium
CVSS Score: 6.5 (AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely read deserialized data on information from the cache. An authenticated attacker could inject a malicious object into the data cache and attain deserialization on the client, and possibly conduct further attacks.
Severity: Medium
CVSS Score: 6.4 (AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Description:
Google HTTP Client Library for Java. Functionality that works on all supported Java platforms,
including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/ciagent/.m2/repository/com/google/http-client/google-http-client/1.14.1-beta/google-http-client-1.14.1-beta.jar MD5: 8a3711522ebceef2531d455e2f04a639 SHA1: cb503d4021739e6bac39442ac87b4e311ec77b5e
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | Implementation-Vendor-Id | com.google.http-client | Medium
Vendor | pom | artifactid | google-http-client | Low
Vendor | Manifest | Implementation-Vendor | Google | High
Vendor | pom | groupid | google.http-client | Highest
Vendor | central | groupid | com.google.http-client | Highest
Vendor | pom | groupid | com.google.http-client | Highest
Vendor | pom | parent-groupid | com.google.http-client | Medium
Vendor | pom | description | Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine. | Low
Vendor | pom | parent-artifactid | google-http-client-parent | Low
Vendor | file | name | google-http-client | High
Vendor | pom | name | Google HTTP Client Library for Java | High
Product | pom | description | Google HTTP Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
Description:
Google OAuth Client Library for Java. Functionality that works on all supported Java platforms,
including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
File Path: /home/ciagent/.m2/repository/com/google/oauth-client/google-oauth-client/1.14.1-beta/google-oauth-client-1.14.1-beta.jar MD5: 71feea1d54eb7878c12855b7c47ef289 SHA1: 7260cd30808a6d1d4ddef6250e3d92d814aaa4cb
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | com.google.oauth-client | Highest
Vendor | pom | parent-artifactid | google-oauth-client-parent | Low
Vendor | Manifest | Implementation-Vendor | Google | High
Vendor | pom | description | Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine. | Low
Vendor | pom | name | Google OAuth Client Library for Java | High
Vendor | Manifest | Implementation-Vendor-Id | com.google.oauth-client | Medium
Vendor | pom | artifactid | google-oauth-client | Low
Vendor | pom | parent-groupid | com.google.oauth-client | Medium
Vendor | pom | groupid | google.oauth-client | Highest
Vendor | file | name | google-oauth-client | High
Vendor | central | groupid | com.google.oauth-client | Highest
Product | pom | description | Google OAuth Client Library for Java. Functionality that works on all supported Java platforms, including Java 5 (or higher) desktop (SE) and web (EE), Android, and Google App Engine.
Description:
StAX is a standard XML processing API that allows you to stream XML data from and to your application.
License:
GNU General Public Library: http://www.gnu.org/licenses/gpl.txt
COMMON DEVELOPMENT AND DISTRIBUTION LICENSE (CDDL) Version 1.0: http://www.sun.com/cddl/cddl.html
File Path: /home/ciagent/.m2/repository/javax/xml/stream/stax-api/1.0-2/stax-api-1.0-2.jar MD5: 7d18b63063580284c3f5734081fdc99f SHA1: d6337b0de8b25e53e81b922352fbea9f9f57ba0b
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | javax.xml.stream | Highest
Vendor | pom | artifactid | stax-api | Low
Vendor | file | name | stax-api | High
Vendor | pom | description | StAX is a standard XML processing API that allows you to stream XML data from and to your application. | Low
Vendor | jar | package name | javax | Low
Vendor | pom | name | Streaming API for XML | High
Vendor | jar | package name | stream | Low
Vendor | jar | package name | xml | Low
Vendor | central | groupid | javax.xml.stream | Highest
Product | pom | artifactid | stax-api | Highest
Product | central | artifactid | stax-api | Highest
Product | file | name | stax-api | High
Product | pom | groupid | javax.xml.stream | Low
Product | pom | description | StAX is a standard XML processing API that allows you to stream XML data from and to your application.
Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
The Service Provider (SP) in PicketLink before 2.7.0 does not ensure that it is a member of an Audience element when an AudienceRestriction is specified, which allows remote attackers to log in to other users' accounts via a crafted SAML assertion. NOTE: this identifier has been SPLIT per ADT2 due to different vulnerability types. See CVE-2015-6254 for lack of validation for the Destination attribute in a Response element in a SAML assertion.
Severity: Medium
CVSS Score: 4.0 (AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The invokeNextValve function in identity/federation/bindings/tomcat/idp/AbstractIDPValve.java in PicketLink before 2.8.0.Beta1 does not properly check role based authorization, which allows remote authenticated users to gain access to restricted application resources via a (1) direct request or (2) request through an SP initiated flow.
Severity: Medium
CVSS Score: 6.0 (AV:N/AC:M/Au:S/C:P/I:P/A:P)
CWE: CWE-17 Code
The (1) Service Provider (SP) and (2) Identity Provider (IdP) in PicketLink before 2.7.0 does not ensure that the Destination attribute in a Response element in a SAML assertion matches the location from which the message was received, which allows remote attackers to have unspecified impact via unknown vectors. NOTE: this identifier was SPLIT from CVE-2015-0277 per ADT2 due to different vulnerability types.
Description: tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
License:
The BSD License: http://www.opensource.org/licenses/bsd-license.php
File Path: /home/ciagent/.m2/repository/org/codehaus/woodstox/stax2-api/3.1.4/stax2-api-3.1.4.jar MD5: c08e89de601b0a78f941b2c29db565c3 SHA1: ac19014b1e6a7c08aad07fe114af792676b685b7
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.codehaus.woodstox | Highest
Vendor | pom | groupid | codehaus.woodstox | Highest
Vendor | pom | organization url | http://fasterxml.com | Medium
Vendor | Manifest | bundle-symbolicname | stax2-api | Medium
Vendor | pom | url | http://wiki.fasterxml.com/WoodstoxStax2 | Highest
Vendor | manifest | Bundle-Description | tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API. | Low
Vendor | pom | description | tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API. | Low
Vendor | Manifest | bundle-docurl | http://fasterxml.com | Low
Vendor | file | name | stax2-api | High
Vendor | pom | name | Stax2 API | High
Vendor | pom | groupid | org.codehaus.woodstox | Highest
Vendor | pom | artifactid | stax2-api | Low
Vendor | pom | organization name | fasterxml.com | High
Product | pom | artifactid | stax2-api | Highest
Product | pom | groupid | codehaus.woodstox | Low
Product | central | artifactid | stax2-api | Highest
Product | Manifest | bundle-symbolicname | stax2-api | Medium
Product | Manifest | Bundle-Name | Stax2 API | Medium
Product | manifest | Bundle-Description | tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API. | Low
Product | pom | description | tax2 API is an extension to basic Stax 1.0 API that adds significant new functionality, such as full-featured bi-direction validation interface and high-performance Typed Access API.
Description: Data format extension for Jackson (http://jackson.codehaus.org) to offer
alternative support for serializing POJOs as XML and deserializing XML as pojos.
Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types like JsonGenerator, JsonParser and JsonFactory.
Some data-binding types overridden as well (ObjectMapper sub-classed as XmlMapper).
File Path: /home/ciagent/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-xml/2.4.2/jackson-dataformat-xml-2.4.2.jar MD5: 1fa55358af6a1364e72e24d9ca4d58e7 SHA1: 02f2d96f68b2d3475452d95dde7a3fbee225f6ae
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | specification-vendor | FasterXML | Low
Vendor | pom | parent-groupid | com.fasterxml.jackson | Medium
Vendor | Manifest | Implementation-Vendor-Id | com.fasterxml.jackson.dataformat | Medium
Vendor | manifest | Bundle-Description | Data format extension for Jackson (http://jackson.codehaus.org) to offer alternative support for serializing POJOs as XML and deserializing XML as pojos. Support implemented on top of Stax API (javax.xml.stream), by implementing core Jackson Streaming API types ...
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
XML external entity (XXE) vulnerability in XmlMapper in the Data format extension for Jackson (aka jackson-dataformat-xml) allows attackers to have unspecified impact via unknown vectors.
XmlMapper in the Jackson XML dataformat component (aka jackson-dataformat-xml) before 2.7.8 and 2.8.x before 2.8.4 allows remote attackers to conduct server-side request forgery (SSRF) attacks via vectors related to a DTD.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Fasterxml Jackson version Before 2.9.8 contains a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in Causes a denial-of-service (DoS). This attack appear to be exploitable via The victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Description: Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation.
License:
Day License: http://www.day.com/maven/jsr170/licenses/day-spec-license.htm
File Path: /home/ciagent/.m2/repository/javax/jcr/jcr/1.0.1/jcr-1.0.1.jar MD5: 4639c7b994528948dab1a4feb1f68d6f SHA1: 567ee103cf7592e3cf036e1bf4e2e06b9f08e1a1
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | jcr | High
Vendor | Manifest | extension-name | jcr | Medium
Vendor | pom | name | Content Repository for Java Technology API | High
Vendor | pom | url | http://www.jcp.org/en/jsr/detail?id=170 | Highest
Vendor | Manifest | Implementation-Vendor | Day Software Management AG | High
Vendor | pom | artifactid | jcr | Low
Vendor | pom | description | Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation. | Low
Vendor | pom | groupid | javax.jcr | Highest
Vendor | pom | organization name | Day Software Management AG | High
Vendor | Manifest | specification-vendor | Day Software Management AG | Low
Vendor | pom | organization url | http://www.day.com/ | Medium
Product | file | name | jcr | High
Product | pom | groupid | javax.jcr | Low
Product | Manifest | extension-name | jcr | Medium
Product | pom | name | Content Repository for Java Technology API | High
Product | Manifest | Implementation-Title | javax.jcr | High
Product | pom | organization url | http://www.day.com/ | Low
Product | pom | organization name | Day Software Management AG | Low
Product | pom | description | Content Repository for Java technology API. Specifies a standard API to access content repositories in JavaTM 2 independently of implementation.
The content module is a module to parse HTTP Content-* headers. It is used by the hapijs framework to provide this functionality. The module is vulnerable to regular expression denial of service when passed a specifically crafted Content-Type or Content-Disposition header.
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Processing Foundation Processing version 3.4 and earlier contains a XML External Entity (XXE) vulnerability in loadXML() function that can result in An attacker can read arbitrary files and exfiltrate their contents via HTTP requests. This attack appear to be exploitable via The victim must use Processing to parse a crafted XML document.
Description:
JSON (JavaScript Object Notation) is a lightweight data-interchange format.
It is easy for humans to read and write. It is easy for machines to parse and generate.
It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition
- December 1999. JSON is a text format that is completely language independent but uses
conventions that are familiar to programmers of the C-family of languages, including C, C++, C#,
Java, JavaScript, Perl, Python, and many others.
These properties make JSON an ideal data-interchange language.
File Path: /home/ciagent/.m2/repository/org/json/json/20070829/json-20070829.jar MD5: 4a913140f9099519dfc0212fa5d9a457 SHA1: 89190ff77b57203c3417555f32226998da97ff38
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | json | Low
Vendor | pom | organization url | http://json.org/ | Medium
Vendor | pom | url | http://www.json.org/java/index.html | Highest
Vendor | jar | package name | json | Low
Vendor | file | name | json-20070829 | High
Vendor | pom | groupid | org.json | Highest
Vendor | pom | organization name | JSON | High
Vendor | pom | name | JSON (JavaScript Object Notation) | High
Vendor | pom | groupid | json | Highest
Vendor | pom | description | JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but... | Low
Vendor | central | groupid | org.json | Highest
Product | pom | artifactid | json | Highest
Product | pom | url | http://www.json.org/java/index.html | Medium
Product | file | name | json-20070829 | High
Product | pom | groupid | json | Low
Product | pom | name | JSON (JavaScript Object Notation) | High
Product | pom | description | JSON (JavaScript Object Notation) is a lightweight data-interchange format. It is easy for humans to read and write. It is easy for machines to parse and generate. It is based on a subset of the JavaScript Programming Language, Standard ECMA-262 3rd Edition - December 1999. JSON is a text format that is completely language independent but...
Description:
A framework for constructing recognizers, compilers,
and translators from grammatical descriptions containing
Java, C#, C++, or Python actions.
License:
BSD License: http://www.antlr.org/license.html
File Path: /home/ciagent/.m2/repository/antlr/antlr/2.7.7/antlr-2.7.7.jar MD5: f8f1352c52a4c6a500b597596501fc64 SHA1: 83cd2cd674a217ade95a4bb83a8a14f351f48bd0
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | AntLR Parser Generator | High
Vendor | pom | url | http://www.antlr.org/ | Highest
Vendor | pom | groupid | antlr | Highest
Vendor | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | Low
Vendor | pom | artifactid | antlr | Low
Vendor | central | groupid | antlr | Highest
Vendor | file | name | antlr | High
Vendor | jar | package name | antlr | Low
Product | pom | name | AntLR Parser Generator | High
Product | central | artifactid | antlr | Highest
Product | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
Description:
Caja is a HTML/CSS/JavaScript compiler which allows websites to safely embed web applications
from third parties, and enables rich interaction between the embedding page and the embedded
applications using an object-capability security model.
File Path: /home/ciagent/.m2/repository/caja/caja/r5054/caja-r5054.jar MD5: 7379ecf5bc7945ca6ab533b905e449a3 SHA1: 18b47afa0172413346d9c8ae1595b6ffbbddd499
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | google.caja | Highest
Vendor | pom | groupid | caja | Highest
Vendor | pom | artifactid | caja | Low
Vendor | pom | url | http://code.google.com/p/google-caja | Highest
Vendor | jar | package name | google | Low
Vendor | pom | organization name | Google | High
Vendor | jar | package name | caja | Low
Vendor | file | name | caja-r5054 | High
Vendor | pom | name | Caja | High
Vendor | pom | description | Caja is a HTML/CSS/JavaScript compiler which allows websites to safely embed web applications from third parties, and enables rich interaction between the embedding page and the embedded applications using an object-capability security model. | Low
Vendor | pom | organization url | http://www.google.com | Medium
Product | pom | organization name | Google | Low
Product | pom | url | http://code.google.com/p/google-caja | Medium
Product | pom | organization url | http://www.google.com | Low
Product | pom | groupid | google.caja | Low
Product | pom | artifactid | caja | Highest
Product | jar | package name | caja | Low
Product | file | name | caja-r5054 | High
Product | pom | name | Caja | High
Product | pom | description | Caja is a HTML/CSS/JavaScript compiler which allows websites to safely embed web applications from third parties, and enables rich interaction between the embedding page and the embedded applications using an object-capability security model. | Low
Version | pom | version | r5054 | Highest
Version | file | version | 5054 | Medium
Version | file | name | caja-r5054 | Medium
Identifiers
maven: com.google.caja:caja:r5054 (Confidence: High)
htmlparser-r4209.jar
Description:
A patched version of the nu.validator v1.2.1 HTML parser.
License:
No Warranty
File Path: /home/ciagent/.m2/repository/caja/htmlparser/r4209/htmlparser-r4209.jar MD5: 31c18bc52991e53ed4eaa28347c44189 SHA1: 0573217e5c9bf8fad6ce827a94191ca0f5785087
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | caja | Highest
Vendor | file | name | htmlparser-r4209 | High
Vendor | pom | organization url | http://validator.nu | Medium
Vendor | pom | url | http://code.google.com/p/google-caja | Highest
Vendor | pom | artifactid | htmlparser | Low
Vendor | pom | name | HtmlParser | High
Vendor | jar | package name | validator | Low
Vendor | jar | package name | nu | Low
Vendor | pom | description | A patched version of the nu.validator v1.2.1 HTML parser. | Medium
Vendor | pom | organization name | Validator.nu | High
Vendor | jar | package name | htmlparser | Low
Product | pom | url | http://code.google.com/p/google-caja | Medium
Product | pom | artifactid | htmlparser | Highest
Product | file | name | htmlparser-r4209 | High
Product | pom | organization url | http://validator.nu | Low
Product | pom | name | HtmlParser | High
Product | jar | package name | validator | Low
Product | pom | description | A patched version of the nu.validator v1.2.1 HTML parser. | Medium
Product | pom | groupid | caja | Low
Product | pom | organization name | Validator.nu | Low
Product | jar | package name | htmlparser | Low
Version | file | version | 4209 | Medium
Version | file | name | htmlparser-r4209 | Medium
Version | pom | version | r4209 | Highest
Identifiers
maven: caja:htmlparser:r4209 (Confidence: High)
oauth-consumer-20090617.jar
File Path: /home/ciagent/.m2/repository/net/oauth/core/oauth-consumer/20090617/oauth-consumer-20090617.jar MD5: f0e2849d152f4d8bf725aa4e11b8f969 SHA1: fb70a4c98119c27e78320c5e42a99f0b9eb7c356
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Description: All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it
easy to work in Java with most syndication formats. Today it accepts all flavors of RSS
(0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes
a set of parsers and generators for the various flavors of feeds, as well as converters
to convert from one format to another. The parsers can give you back Java objects that
are either specific for the format you want to work with, or a generic normalized
SyndFeed object that lets you work on with the data without bothering about the
underlying format.
File Path: /home/ciagent/.m2/repository/rome/rome/1.0/rome-1.0.jar MD5: 53d38c030287b939f4e6d745ba1269a7 SHA1: 022b33347f315833e9348cec2751af1a5d5656e4
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | embed-directory | META-INF/lib | Low
Vendor | pom | organization url | http://java.sun.com/ | Medium
Vendor | pom | description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. | Low
Vendor | pom | organization name | Sun Microsystems | High
Vendor | central | groupid | rome | Highest
Vendor | Manifest | bundle-docurl | http://java.sun.com/ | Low
Vendor | pom | name | ROME, RSS and atOM utilitiEs for Java | High
Vendor | pom | url | https://rome.dev.java.net/ | Highest
Vendor | Manifest | bundle-symbolicname | rome.rome | Medium
Vendor | pom | artifactid | rome | Low
Vendor | pom | groupid | rome | Highest
Vendor | manifest | Bundle-Description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. | Low
Vendor | file | name | rome | High
Vendor | Manifest | originally-created-by | 1.6.0_10 (Sun Microsystems Inc.) | Low
Product | Manifest | embed-directory | META-INF/lib | Low
Product | pom | groupid | rome | Low
Product | pom | organization url | http://java.sun.com/ | Low
Product | pom | organization name | Sun Microsystems | Low
Product | pom | description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. | Low
Product | central | artifactid | rome | Highest
Product | pom | url | https://rome.dev.java.net/ | Medium
Product | Manifest | bundle-docurl | http://java.sun.com/ | Low
Product | Manifest | Bundle-Name | ROME, RSS and atOM utilitiEs for Java | Medium
Product | pom | name | ROME, RSS and atOM utilitiEs for Java | High
Product | Manifest | bundle-symbolicname | rome.rome | Medium
Product | pom | artifactid | rome | Highest
Product | manifest | Bundle-Description | All Roads Lead to ROME. ROME is a set of Atom/RSS Java utilities that make it easy to work in Java with most syndication formats. Today it accepts all flavors of RSS (0.90, 0.91, 0.92, 0.93, 0.94, 1.0 and 2.0), Atom 0.3 and Atom 1.0 feeds. Rome includes a set of parsers and generators for the various flavors of feeds, as well as converters to convert from one format to another. The parsers can give you back Java objects that are either specific for the format you want to work with, or a generic normalized SyndFeed object that lets you work on with the data without bothering about the underlying format. |
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The uloc_acceptLanguageFromHTTP function in common/uloc.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ does not ensure that there is a '\0' character at the end of a certain temporary array, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a call with a long httpAcceptLanguage argument.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
Stack-based buffer overflow in the Locale class in common/locid.cpp in International Components for Unicode (ICU) through 57.1 for C/C++ allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact via a long locale string.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-415 Double Free
Double free in i18n/zonemeta.cpp in International Components for Unicode (ICU) for C/C++ through 59.1 allows remote attackers to execute arbitrary code via a crafted string, aka a "redundant UVector entry clean up function call" issue.
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
A stack buffer overflow in NumberingSystem in International Components for Unicode (ICU) for C/C++ before 60.2, as used in V8 in Google Chrome prior to 62.0.3202.75 and other products, allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-190 Integer Overflow or Wraparound
Integer overflow in international date handling in International Components for Unicode (ICU) for C/C++ before 60.1, as used in V8 in Google Chrome prior to 63.0.3239.84 and other products, allowed a remote attacker to perform an out of bounds memory read via a crafted HTML page.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-119 Improper Restriction of Operations within the Bounds of a Memory Buffer
The ucnv_UTF8FromUTF8 function in ucnv_u8.cpp in International Components for Unicode (ICU) for C/C++ through 60.1 mishandles ucnv_convertEx calls for UTF-8 to UTF-8 conversion, which allows remote attackers to cause a denial of service (stack-based buffer overflow and application crash) or possibly have unspecified other impact via a crafted string, as demonstrated by ZNC.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-787 Out-of-bounds Write
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_setNativeIndex* function.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-787 Out-of-bounds Write
International Components for Unicode (ICU) for C/C++ before 2017-02-13 has an out-of-bounds write caused by a heap-based buffer overflow related to the utf8TextAccess function in common/utext.cpp and the utext_moveIndex32* function.
Description:
The Digester package lets you configure an XML to Java object mapping module
which triggers certain actions called rules whenever a particular
pattern of nested XML elements is recognized.
File Path: /home/ciagent/.m2/repository/commons-digester/commons-digester/2.1/commons-digester-2.1.jar MD5: 528445033f22da28f5047b6abcd1c7c9 SHA1: 73a8001e7a54a255eef0f03521ec1805dc738ca0
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | artifactid | commons-digester | Low
Vendor | pom | groupid | commons-digester | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | url | http://commons.apache.org/digester/ | Highest
Vendor | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | manifest | Bundle-Description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low
Vendor | central | groupid | commons-digester | Highest
Vendor | file | name | commons-digester | High
Vendor | pom | name | Commons Digester | High
Vendor | Manifest | Implementation-Vendor-Id | org.apache | Medium
Vendor | pom | description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low
Vendor | Manifest | bundle-symbolicname | org.apache.commons.digester | Medium
Product | pom | parent-artifactid | commons-parent | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/digester/ | Low
Product | manifest | Bundle-Description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. | Low
Product | file | name | commons-digester | High
Product | Manifest | Bundle-Name | Commons Digester | Medium
Product | central | artifactid | commons-digester | Highest
Product | pom | artifactid | commons-digester | Highest
Product | pom | name | Commons Digester | High
Product | pom | groupid | commons-digester | Low
Product | pom | parent-groupid | org.apache.commons | Low
Product | pom | description | The Digester package lets you configure an XML to Java object mapping module which triggers certain actions called rules whenever a particular pattern of nested XML elements is recognized. |
Description:
The Apache FontBox library is an open source Java tool to obtain low level information
from font files. FontBox is a subproject of Apache PDFBox.
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Description:
The Apache JempBox library is an open source Java tool that implements Adobe's XMP(TM)
specification. JempBox is a subproject of Apache PDFBox.
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.
In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.
Severity: Medium
CVSS Score: 4.3 (AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
The XLSX2CSV example in Apache POI before 3.14 allows remote attackers to read arbitrary files via a crafted OpenXML document containing an external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.
Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.
Description: This is the core Apache Tika™ toolkit library from which all other modules inherit functionality. It also includes the core facades for the Tika API.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Severity: Medium
CVSS Score: 5.8 (AV:N/AC:M/Au:N/C:N/I:P/A:P)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
In Apache Tika 0.9 to 1.18, in a rare edge case where a user does not specify an extract directory on the commandline (--extract-dir=) and the input file has an embedded file with an absolute path, such as "C:/evil.bat", tika-app would overwrite that file.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
Severity: High
CVSS Score: 7.5 (AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Apache Tika before 1.14 allows Java code execution for serialized objects embedded in MATLAB files. The issue exists because Tika invokes JMatIO to do native deserialization.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 0.1 to 1.18, the XML parsers were not configured to limit entity expansion. They were therefore vulnerable to an entity expansion vulnerability which can lead to a denial of service attack.
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Tika 1.19 (CVE-2018-11761), we added an entity expansion limit for XML parsing. However, Tika reuses SAXParsers and calls reset() after each parse, which, for Xerces2 parsers, as per the documentation, removes the user-specified SecurityManager and thus removes entity expansion limits after the first parse. Apache Tika versions from 0.1 to 1.19 are therefore still vulnerable to entity expansions which can lead to a denial of service attack. Users should upgrade to 1.19.1 or later.
Severity: High
CVSS Score: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
From Apache Tika versions 1.7 to 1.17, clients could send carefully crafted headers to tika-server that could be used to inject commands into the command line of the server running tika-server. This vulnerability only affects those running tika-server on a server that is open to untrusted clients. The mitigation is to upgrade to Tika 1.18.
scripts/xzgrep.in in xzgrep 5.2.x before 5.2.0, before 5.0.0 does not properly process file names containing semicolons, which allows remote attackers to execute arbitrary code by having a user run xzgrep on a crafted file name.
Description:
Apache Commons Compress software defines an API for working with compression and archive formats.
These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump.
File Path: /home/ciagent/.m2/repository/org/apache/commons/commons-compress/1.5/commons-compress-1.5.jar MD5: 5e18cfcf472548c2e0b90a4ea1cedf42 SHA1: d2bd2c0bd328f1dabdf33e10b6d223ebcbe93343
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | groupid | org.apache.commons | Highest
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | pom | groupid | apache.commons | Highest
Vendor | file | name | commons-compress | High
Vendor | pom | name | Commons Compress | High
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | central | groupid | org.apache.commons | Highest
Vendor | Manifest | extension-name | org.apache.commons.compress | Medium
Vendor | Manifest | bundle-docurl | http://commons.apache.org/compress/ | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | Manifest | bundle-symbolicname | org.apache.commons.compress | Medium
Vendor | pom | description | Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump. | Low
Vendor | pom | artifactid | commons-compress | Low
Product | pom | parent-artifactid | commons-parent | Medium
Product | pom | artifactid | commons-compress | Highest
Product | file | name | commons-compress | High
Product | pom | name | Commons Compress | High
Product | Manifest | extension-name | org.apache.commons.compress | Medium
Product | Manifest | bundle-docurl | http://commons.apache.org/compress/ | Low
Product | central | artifactid | commons-compress | Highest
Product | Manifest | specification-title | Commons Compress | Medium
Product | Manifest | Implementation-Title | Commons Compress | High
Product | Manifest | bundle-symbolicname | org.apache.commons.compress | Medium
Product | pom | groupid | apache.commons | Low
Product | Manifest | Bundle-Name | Commons Compress | Medium
Product | pom | description | Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, xz and ar, cpio, jar, tar, zip, dump. |
Description: The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider such as the one provided with the Bouncy Castle Cryptography APIs. If the S/MIME API is used, the JavaMail API and the Java activation framework will also be needed.
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcmail-jdk15/1.45/bcmail-jdk15-1.45.jar MD5: 13321fc7eff7bcada7b4fedfb592025c SHA1: 3aed7e642dd8d39dc14ed1dec3ff79e084637148
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.bouncycastle | Highest
Vendor | file | name | bcmail-jdk15 | High
Vendor | pom | groupid | bouncycastle | Highest
Vendor | pom | name | Bouncy Castle CMS and S/MIME API | High
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | Manifest | extension-name | org.bouncycastle.bcmail | Medium
Vendor | pom | artifactid | bcmail-jdk15 | Low
Vendor | pom | description | The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider ... | Low
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Product | file | name | bcmail-jdk15 | High
Product | pom | url | http://www.bouncycastle.org/java.html | Medium
Product | central | artifactid | bcmail-jdk15 | Highest
Product | pom | name | Bouncy Castle CMS and S/MIME API | High
Product | Manifest | extension-name | org.bouncycastle.bcmail | Medium
Product | pom | artifactid | bcmail-jdk15 | Highest
Product | pom | groupid | bouncycastle | Low
Product | pom | description | The Bouncy Castle Java CMS and S/MIME APIs for handling the CMS and S/MIME protocols. This jar contains CMS and S/MIME APIs for JDK 1.5. The APIs can be used in conjunction with a JCE/JCA provider ... |
Description: The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.
File Path: /home/ciagent/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar MD5: 2062f8e3d15748443ea60a94b266371c SHA1: 7741883cb07b4634e8b5fd3337113b6ea770a9bb
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.bouncycastle | Highest
Vendor | pom | groupid | bouncycastle | Highest
Vendor | pom | name | Bouncy Castle Provider | High
Vendor | pom | groupid | org.bouncycastle | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.bouncycastle | Medium
Vendor | pom | artifactid | bcprov-jdk15 | Low
Vendor | file | name | bcprov-jdk15 | High
Vendor | pom | url | http://www.bouncycastle.org/java.html | Highest
Vendor | Manifest | specification-vendor | BouncyCastle.org | Low
Vendor | Manifest | Implementation-Vendor | BouncyCastle.org | High
Vendor | pom | description | The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5. | Low
Vendor | Manifest | extension-name | org.bouncycastle.bcprovider | Medium
Product | pom | artifactid | bcprov-jdk15 | Highest
Product | pom | url | http://www.bouncycastle.org/java.html | Medium
Product | pom | name | Bouncy Castle Provider | High
Product | pom | description | The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5. |
Severity: Medium
CVSS Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Description: TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML.
File Path: /home/ciagent/.m2/repository/org/ccil/cowan/tagsoup/tagsoup/1.2.1/tagsoup-1.2.1.jar MD5: ae73a52cdcbec10cd61d9ef22fab5936 SHA1: 5584627487e984c03456266d3f8802eb85a9ce97
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.ccil.cowan.tagsoup | Highest
Vendor | pom | description | TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML. | Low
Vendor | pom | groupid | ccil.cowan.tagsoup | Highest
Vendor | file | name | tagsoup | High
Vendor | pom | url | http://home.ccil.org/~cowan/XML/tagsoup/ | Highest
Vendor | pom | artifactid | tagsoup | Low
Vendor | pom | groupid | org.ccil.cowan.tagsoup | Highest
Vendor | pom | name | TagSoup | High
Product | pom | groupid | ccil.cowan.tagsoup | Low
Product | pom | description | TagSoup is a SAX-compliant parser written in Java that, instead of parsing well-formed or valid XML, parses HTML as it is found in the wild: poor, nasty and brutish, though quite often far from short. TagSoup is designed for people who have to process this stuff using some semblance of a rational application design. By providing a SAX interface, it allows standard XML tools to be applied to even the worst HTML. TagSoup also includes a command-line processor that reads HTML files and can generate either clean HTML or well-formed XML that is a close approximation to XHTML. |
Severity: Low
CVSS Score: 2.1 (AV:N/AC:H/Au:S/C:N/I:P/A:N)
CWE: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
Cross-site scripting (XSS) vulnerability in the Boxes module 7.x-1.x before 7.x-1.1 for Drupal allows remote authenticated users with administer or edit boxes permissions to inject arbitrary web script or HTML via the subject parameter.
Description:
JHighlight is an embeddable pure Java syntax highlighting
library that supports Java, HTML, XHTML, XML and LZX
languages and outputs to XHTML.
It also supports RIFE templates tags and highlights them
clearly so that you can easily identify the difference
between your RIFE markup and the actual marked up source.
License:
CDDL, v1.0: http://www.opensource.org/licenses/cddl1.php
LGPL, v2.1 or later: http://www.opensource.org/licenses/lgpl-license.php
File Path: /home/ciagent/.m2/repository/com/uwyn/jhighlight/1.0/jhighlight-1.0.jar MD5: 0ad5cf1bc56657f5e9e327e5e768da0a SHA1: 0b1774029ee29472df8c25e5ba796431f7689fd6
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | JHighlight | High
Vendor | pom | artifactid | jhighlight | Low
Vendor | pom | groupid | com.uwyn | Highest
Vendor | pom | description | JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source. | Low
Vendor | pom | url | https://jhighlight.dev.java.net/ | Highest
Vendor | pom | groupid | uwyn | Highest
Vendor | pom | organization url | http://uwyn.com/ | Medium
Vendor | jar | package name | uwyn | Low
Vendor | file | name | jhighlight | High
Vendor | central | groupid | com.uwyn | Highest
Vendor | pom | organization name | Uwyn | High
Vendor | jar | package name | jhighlight | Low
Product | pom | artifactid | jhighlight | Highest
Product | pom | name | JHighlight | High
Product | pom | groupid | uwyn | Low
Product | pom | organization url | http://uwyn.com/ | Low
Product | central | artifactid | jhighlight | Highest
Product | file | name | jhighlight | High
Product | pom | organization name | Uwyn | Low
Product | pom | description | JHighlight is an embeddable pure Java syntax highlighting library that supports Java, HTML, XHTML, XML and LZX languages and outputs to XHTML. It also supports RIFE templates tags and highlights them clearly so that you can easily identify the difference between your RIFE markup and the actual marked up source. |
Description: This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/ws/commons/ws-commons-util/1.0.1/ws-commons-util-1.0.1.jar MD5: 66919d22287ddab742a135da764c2cd6 SHA1: 126e80ff798fece634bc94e61f8be8a8da00be60
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | extension-name | ws-commons-util | Medium
Vendor | file | name | ws-commons-util | High
Vendor | Manifest | specification-vendor | Apache Software Foundation | Low
Vendor | pom | organization url | http://www.apache.org/ | Medium
Vendor | pom | groupid | org.apache.ws.commons | Highest
Vendor | pom | description | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | Low
Vendor | central | groupid | org.apache.ws.commons | High
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | Manifest | Implementation-Vendor | Apache Software Foundation | High
Vendor | pom | name | Apache WebServices Common Utilities | High
Vendor | pom | groupid | apache.ws.commons | Highest
Vendor | central | groupid | ws-commons-util | High
Vendor | pom | url | http://ws.apache.org/commons/util | Highest
Vendor | pom | artifactid | ws-commons-util | Low
Product | Manifest | extension-name | ws-commons-util | Medium
Product | file | name | ws-commons-util | High
Product | pom | organization name | Apache Software Foundation | Low
Product | central | artifactid | ws-commons-util | High
Product | pom | description | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. | Low
Product | Manifest | specification-title | This is a small collection of utility classes, that allow high performance XML processing based on SAX. Basically, it is assumed, that you are using an JAXP 1.1 compliant XML parser and nothing else. In particular, no dependency on the javax.xml.transform package is introduced. |
ws is a "simple to use, blazing fast and thoroughly tested websocket client, server and console for node.js, up-to-date against RFC-6455". By sending an overly long websocket payload to a `ws` server, it is possible to crash the node process. This affects ws 1.1.0 and earlier.
Description: StringTemplate is a java template engine for generating source code,
web pages, emails, or any other formatted text output.
StringTemplate is particularly good at multi-targeted code generators,
multiple site skins, and internationalization/localization.
It evolved over years of effort developing jGuru.com.
StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org
and powers the ANTLR v3 code generator. Its distinguishing characteristic
is that unlike other engines, it strictly enforces model-view separation.
Strict separation makes websites and code generators more flexible
and maintainable; it also provides an excellent defense against malicious
template authors.
There are currently about 600 StringTemplate source downloads a month.
License:
BSD licence: http://antlr.org/license.html
File Path: /home/ciagent/.m2/repository/org/antlr/stringtemplate/3.2.1/stringtemplate-3.2.1.jar MD5: b58ca53e518a92a1991eb63b61917582 SHA1: 59ec8083721eae215c6f3caee944c410d2be34de
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.antlr | Highest
Vendor | pom | url | http://www.stringtemplate.org | Highest
Vendor | jar | package name | stringtemplate | Low
Vendor | pom | artifactid | stringtemplate | Low
Vendor | pom | groupid | org.antlr | Highest
Vendor | pom | groupid | antlr | Highest
Vendor | file | name | stringtemplate | High
Vendor | pom | description | StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that un... | Low
Vendor | jar | package name | language | Low
Vendor | pom | name | ANTLR StringTemplate | High
Vendor | jar | package name | antlr | Low
Product | pom | url | http://www.stringtemplate.org | Medium
Product | pom | artifactid | stringtemplate | Highest
Product | jar | package name | stringtemplate | Low
Product | file | name | stringtemplate | High
Product | pom | description | StringTemplate is a java template engine for generating source code, web pages, emails, or any other formatted text output. StringTemplate is particularly good at multi-targeted code generators, multiple site skins, and internationalization/localization. It evolved over years of effort developing jGuru.com. StringTemplate also generates the stringtemplate website: http://www.stringtemplate.org and powers the ANTLR v3 code generator. Its distinguishing characteristic is that un... |
Description: A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
File Path: /home/ciagent/.m2/repository/org/antlr/antlr-runtime/3.5/antlr-runtime-3.5.jar MD5: aa6d7c8b425df59f5f5bc98c58cfd9fc SHA1: 0baa82bff19059401e90e1b90020beb9c96305d7
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | central | groupid | org.antlr | Highest
Vendor | pom | groupid | org.antlr | Highest
Vendor | Manifest | Implementation-Vendor-Id | org.antlr | Medium
Vendor | pom | name | ANTLR 3 Runtime | High
Vendor | pom | groupid | antlr | Highest
Vendor | pom | url | http://www.antlr.org | Highest
Vendor | Manifest | Implementation-Vendor | ANTLR | High
Vendor | pom | parent-groupid | org.antlr | Medium
Vendor | pom | artifactid | antlr-runtime | Low
Vendor | pom | parent-artifactid | antlr-master | Low
Vendor | file | name | antlr-runtime | High
Vendor | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions. | Low
Product | pom | artifactid | antlr-runtime | Highest
Product | Manifest | Implementation-Title | ANTLR 3 Runtime | High
Product | pom | parent-artifactid | antlr-master | Medium
Product | pom | url | http://www.antlr.org | Medium
Product | pom | parent-groupid | org.antlr | Low
Product | file | name | antlr-runtime | High
Product | pom | name | ANTLR 3 Runtime | High
Product | pom | description | A framework for constructing recognizers, compilers, and translators from grammatical descriptions containing Java, C#, C++, or Python actions.
Description:
JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be
used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the
document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.
License:
Java HTML Tidy License: http://jtidy.svn.sourceforge.net/viewvc/jtidy/trunk/jtidy/LICENSE.txt?revision=95
File Path: /home/ciagent/.m2/repository/net/sf/jtidy/jtidy/r938/jtidy-r938.jar MD5: 6a9121561b8f98c0a8fb9b6e57f50e6b SHA1: ab08d87a225a715a69107732b67f21e1da930349
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | organization url | http://sourceforge.net | Medium
Vendor | pom | name | JTidy | High
Vendor | jar | package name | tidy | Low
Vendor | pom | artifactid | jtidy | Low
Vendor | file | name | jtidy-r938 | High
Vendor | pom | groupid | net.sf.jtidy | Highest
Vendor | pom | organization name | sourceforge | High
Vendor | jar | package name | w3c | Low
Vendor | pom | description | JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML. | Low
Vendor | central | groupid | net.sf.jtidy | Highest
Vendor | pom | url | http://jtidy.sourceforge.net | Highest
Product | central | artifactid | jtidy | Highest
Product | pom | name | JTidy | High
Product | jar | package name | tidy | Low
Product | pom | organization name | sourceforge | Low
Product | file | name | jtidy-r938 | High
Product | pom | groupid | net.sf.jtidy | Low
Product | pom | description | JTidy is a Java port of HTML Tidy, a HTML syntax checker and pretty printer. Like its non-Java cousin, JTidy can be used as a tool for cleaning up malformed and faulty HTML. In addition, JTidy provides a DOM interface to the document that is being processed, which effectively makes you able to use JTidy as a DOM parser for real-world HTML.
Description:
Guava is a suite of core and expanded libraries that include
utility classes, google's collections, io classes, and much
much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.
File Path: /home/ciagent/.m2/repository/com/google/guava/guava/20.0/guava-20.0.jar MD5: f32a8a2524620dbecc9f6bf6a20c293f SHA1: 89507701249388e1ed5ddcf8c41f4ce1be7831ef
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | Guava: Google Core Libraries for Java | High
Vendor | file | name | guava | High
Vendor | manifest | Bundle-Description | Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec. | Low
Vendor | Manifest | bundle-symbolicname | com.google.guava | Medium
Vendor | pom | artifactid | guava | Low
Vendor | pom | groupid | google.guava | Highest
Vendor | pom | groupid | com.google.guava | Highest
Vendor | pom | description | Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec. | Low
Product | pom | parent-artifactid | guava-parent | Medium
Product | Manifest | bundle-symbolicname | com.google.guava | Medium
Product | pom | description | Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more. Guava has only one code dependency - javax.annotation, per the JSR-305 spec.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:N/I:N/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Description:
The Apache Commons Codec package contains simple encoder and decoders for
various formats such as Base64 and Hexadecimal. In addition to these
widely used encoders and decoders, the codec package also maintains a
collection of phonetic encoding utilities.
File Path: /home/ciagent/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar MD5: 353cf6a2bdba09595ccfa073b78c7fcb SHA1: 4b95f4897fa13f2cd904aee711aeafc0c5295cd8
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | Manifest | bundle-symbolicname | org.apache.commons.codec | Medium
Vendor | manifest | Bundle-Description | The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities. | Low
Vendor | Manifest | specification-vendor | The Apache Software Foundation | Low
Vendor | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Vendor | pom | parent-artifactid | commons-parent | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation | High
Vendor | pom | parent-groupid | org.apache.commons | Medium
Vendor | central | groupid | commons-codec | Highest
Vendor | file | name | commons-codec | High
Vendor | pom | groupid | commons-codec | Highest
Vendor | pom | description | The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities. | Low
Product | pom | parent-artifactid | commons-parent | Medium
Product | central | artifactid | commons-codec | Highest
Product | Manifest | bundle-docurl | http://commons.apache.org/proper/commons-codec/ | Low
Product | Manifest | Bundle-Name | Apache Commons Codec | Medium
Product | Manifest | Implementation-Title | Apache Commons Codec | High
Product | Manifest | specification-title | Apache Commons Codec | Medium
Product | file | name | commons-codec | High
Product | pom | description | The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Description:
The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart
file upload functionality to servlets and web applications.
License:
https://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/commons-fileupload/commons-fileupload/1.3.3/commons-fileupload-1.3.3.jar MD5: dd77e787b7b5dc56f6a1cb658716d55d SHA1: 04ff14d809195b711fd6bcc87e6777f886730ca1
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | manifest | Bundle-Description | The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-16 Configuration
Apache Tomcat through 7.0.x allows remote attackers to cause a denial of service (daemon outage) via partial HTTP requests, as demonstrated by Slowloris.
** DISPUTED ** The readObject method in the DiskFileItem class in Apache Tomcat and JBoss Web, as used in Red Hat JBoss Enterprise Application Platform 6.1.0 and Red Hat JBoss Portal 6.0.0, allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance, a similar issue to CVE-2013-2186. NOTE: this issue is reportedly disputed by the Apache Tomcat team, although Red Hat considers it a vulnerability. The dispute appears to regard whether it is the responsibility of applications to avoid providing untrusted data to be deserialized, or whether this class should inherently protect against this issue.
Severity:
Medium
CVSS Score: 6.8
(AV:N/AC:M/Au:N/C:P/I:P/A:P)
CWE: CWE-94 Improper Control of Generation of Code ('Code Injection')
Unrestricted file upload vulnerability in Apache Tomcat 7.x before 7.0.40, in certain situations involving outdated java.io.File code and a custom JMX configuration, allows remote attackers to execute arbitrary code by uploading and accessing a JSP file.
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-19 Data Handling
java/org/apache/coyote/http11/filters/ChunkedInputFilter.java in Apache Tomcat 6.x before 6.0.42, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle attempts to continue reading data after an error has occurred, which allows remote attackers to conduct HTTP request smuggling attacks or cause a denial of service (resource consumption) by streaming data with malformed chunked transfer coding.
Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.55, and 8.x before 8.0.9 does not properly handle cases where an HTTP response occurs before finishing the reading of an entire request body, which allows remote attackers to cause a denial of service (thread consumption) via a series of aborted upload attempts.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-284 Improper Access Control
The Expression Language (EL) implementation in Apache Tomcat 6.x before 6.0.44, 7.x before 7.0.58, and 8.x before 8.0.16 does not properly consider the possibility of an accessible interface implemented by an inaccessible class, which allows attackers to bypass a SecurityManager protection mechanism via a web application that leverages use of incorrect privileges during EL evaluation.
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Directory traversal vulnerability in RequestUtil.java in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.65, and 8.x before 8.0.27 allows remote authenticated users to bypass intended SecurityManager restrictions and list a parent directory via a /.. (slash dot dot) in a pathname used by a web application in a getResource, getResourceAsStream, or getResourcePaths call, as demonstrated by the $CATALINA_BASE/webapps directory.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-22 Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
The Mapper component in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.30, and 9.x before 9.0.0.M2 processes redirects before considering security constraints and Filters, which allows remote attackers to determine the existence of a directory via a URL that lacks a trailing / (slash) character.
Severity:
Medium
CVSS Score: 4.0
(AV:N/AC:L/Au:S/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 does not place org.apache.catalina.manager.StatusManagerServlet on the org/apache/catalina/core/RestrictedServlets.properties list, which allows remote authenticated users to bypass intended SecurityManager restrictions and read arbitrary HTTP requests, and consequently discover session ID values, via a crafted web application.
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The session-persistence implementation in Apache Tomcat 6.x before 6.0.45, 7.x before 7.0.68, 8.x before 8.0.31, and 9.x before 9.0.0.M2 mishandles session attributes, which allows remote authenticated users to bypass intended SecurityManager restrictions and execute arbitrary code in a privileged context via a web application that places a crafted object in a session.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Realm implementations in Apache Tomcat versions 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not process the supplied password if the supplied user name did not exist. This made a timing attack possible to determine valid user names. Note that the default configuration includes the LockOutRealm which makes exploitation of this vulnerability harder.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 a malicious web application was able to bypass a configured SecurityManager via a Tomcat utility method that was accessible to web applications.
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Apache Tomcat 7.x through 7.0.70 and 8.x through 8.5.4, when the CGI Servlet is enabled, follows RFC 3875 section 4.1.18 and therefore does not protect applications from the presence of untrusted client data in the HTTP_PROXY environment variable, which might allow remote attackers to redirect an application's outbound HTTP traffic to an arbitrary proxy server via a crafted Proxy header in an HTTP request, aka an "httpoxy" issue. NOTE: the vendor states "A mitigation is planned for future releases of Tomcat, tracked as CVE-2016-5388"; in other words, this is not a CVE ID for a vulnerability.
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 7, Fedora, CentOS, Oracle Linux, and possibly other Linux distributions uses weak permissions for /usr/lib/tmpfiles.d/tomcat.conf, which allows local users to gain root privileges by leveraging membership in the tomcat group.
Severity:
High
CVSS Score: 7.2
(AV:L/AC:L/Au:N/C:C/I:C/A:C)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The Tomcat package on Red Hat Enterprise Linux (RHEL) 5 through 7, JBoss Web Server 3.0, and JBoss EWS 2 uses weak permissions for (1) /etc/sysconfig/tomcat and (2) /etc/tomcat/tomcat.conf, which allows local users to gain privileges by leveraging membership in the tomcat group.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
When a SecurityManager is configured, a web application's ability to read system properties should be controlled by the SecurityManager. In Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70, 6.0.0 to 6.0.45 the system property replacement feature for configuration files could be used by a malicious web application to bypass the SecurityManager and read system properties that should not be visible.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:P/A:N)
CWE: CWE-254 Security Features
A malicious web application running on Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 was able to bypass a configured SecurityManager via manipulation of the configuration parameters for the JSP Servlet.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-284 Improper Access Control
The ResourceLinkFactory implementation in Apache Tomcat 9.0.0.M1 to 9.0.0.M9, 8.5.0 to 8.5.4, 8.0.0.RC1 to 8.0.36, 7.0.0 to 7.0.70 and 6.0.0 to 6.0.45 did not limit web application access to global JNDI resources to those resources explicitly linked to the web application. Therefore, it was possible for a web application to access any global JNDI resource whether an explicit ResourceLink had been configured or not.
The code in Apache Tomcat 9.0.0.M1 to 9.0.0.M11, 8.5.0 to 8.5.6, 8.0.0.RC1 to 8.0.38, 7.0.0 to 7.0.72, and 6.0.0 to 6.0.47 that parsed the HTTP request line permitted invalid characters. This could be exploited, in conjunction with a proxy that also permitted the invalid characters but with a different interpretation, to inject data into the HTTP response. By manipulating the HTTP response the attacker could poison a web-cache, perform an XSS attack and/or obtain sensitive information from requests other than their own.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-284 Improper Access Control
Remote code execution is possible with Apache Tomcat before 6.0.48, 7.x before 7.0.73, 8.x before 8.0.39, 8.5.x before 8.5.7, and 9.x before 9.0.0.M12 if JmxRemoteLifecycleListener is used and an attacker can reach JMX ports. The issue exists because this listener wasn't updated for consistency with the CVE-2016-3427 Oracle patch that affected credential types.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A bug in the handling of the pipelined requests in Apache Tomcat 9.0.0.M1 to 9.0.0.M18, 8.5.0 to 8.5.12, 8.0.0.RC1 to 8.0.42, 7.0.0 to 7.0.76, and 6.0.0 to 6.0.52, when send file was used, results in the pipelined request being lost when send file processing of the previous request completed. This could result in responses appearing to be sent for the wrong request. For example, a user agent that sent requests A, B and C could see the correct response for request A, the response for request C for request B and no response for request C.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:N/I:N/A:P)
CWE: CWE-19 Data Handling
It was discovered that a programming error in the processing of HTTPS requests in the Apache Tomcat servlet and JSP engine may result in denial of service via an infinite loop. The denial of service is easily achievable as a consequence of backporting a CVE-2016-6816 fix but not backporting the fix for Tomcat bug 57544. Distributions affected by this backporting issue include Debian (before 7.0.56-3+deb8u8 and 8.0.14-1+deb8u7 in jessie) and Ubuntu.
A design flaw in image processing software that modifies JPEG images might not modify the original EXIF thumbnail, which could lead to an information leak of potentially sensitive visual information that had been removed from the main JPEG image.
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
Processing Foundation Processing version 3.4 and earlier contains an XML External Entity (XXE) vulnerability in the loadXML() function that can result in an attacker reading arbitrary files and exfiltrating their contents via HTTP requests. This attack appears to be exploitable when the victim uses Processing to parse a crafted XML document.
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Description:
Apache Commons Lang, a package of Java utility classes for the
classes that are in java.lang's hierarchy, or are considered to be so
standard as to justify existence in java.lang.
Evidence
Type | Source | Name | Value | Confidence
 |  |  | Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low
Vendor | central | groupid | org.apache.commons | Highest
Vendor | pom | artifactid | commons-lang3 | Low
Vendor | manifest | Bundle-Description | Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | Low
Product | Manifest | specification-title | Apache Commons Lang | Medium
Product | manifest | Bundle-Description | Apache Commons Lang, a package of Java utility classes for the classes that are in java.lang's hierarchy, or are considered to be so standard as to justify existence in java.lang. | 
Description:
HtmlCleaner is an HTML parser written in Java. It transforms dirty HTML to well-formed XML following
the same rules that most web-browsers use.
Description:
Xerces2 is the next generation of high performance, fully compliant XML parsers in the
Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),
a complete framework for building parser components and configurations that is extremely
modular and easy to program.
File Path: /home/ciagent/.m2/repository/xerces/xercesImpl/2.9.1/xercesImpl-2.9.1.jar MD5: f807f86d7d9db25edbfc782aca7ca2a9 SHA1: 7bc7e49ddfe4fb5f193ed37ecc96c12292c8ceb6
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | manifest: org/w3c/dom/ls/ | Implementation-Vendor | World Wide Web Consortium | Medium
Vendor | manifest: javax/xml/datatype/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xerces/impl/Version.class | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | parent-artifactid | apache | Low
Vendor | pom | description | Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. | Low
Vendor | pom | name | Xerces2 Java Parser | High
Vendor | pom | groupid | xerces | Highest
Vendor | manifest: javax/xml/transform/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | central | groupid | xerces | Highest
Vendor | manifest: org/xml/sax/ | Implementation-Vendor | David Megginson | Medium
Vendor | manifest: org/w3c/dom/ | Implementation-Vendor | World Wide Web Consortium | Medium
Vendor | file | name | xercesImpl | High
Vendor | pom | url | http://xerces.apache.org/xerces2-j | Highest
Vendor | pom | artifactid | xercesImpl | Low
Vendor | manifest: javax/xml/parsers/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/xerces/xni/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: javax/xml/validation/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | parent-groupid | org.apache | Medium
Product | pom | artifactid | xercesImpl | Highest
Product | manifest: javax/xml/datatype/ | Implementation-Title | javax.xml.datatype | Medium
Product | manifest: org/w3c/dom/ | Implementation-Title | org.w3c.dom | Medium
Product | manifest: javax/xml/validation/ | Specification-Title | Java API for XML Processing | Medium
Product | manifest: org/w3c/dom/ | Specification-Title | Document Object Model, Level 3 Core | Medium
Product | central | artifactid | xercesImpl | Highest
Product | pom | name | Xerces2 Java Parser | High
Product | manifest: org/apache/xerces/xni/ | Specification-Title | Xerces Native Interface | Medium
Product | manifest: org/apache/xerces/xni/ | Implementation-Title | org.apache.xerces.xni | Medium
Product | manifest: javax/xml/parsers/ | Implementation-Title | javax.xml.parsers | Medium
Product | pom | parent-groupid | org.apache | Low
Product | manifest: org/w3c/dom/ls/ | Implementation-Title | org.w3c.dom.ls | Medium
Product | pom | parent-artifactid | apache | Medium
Product | manifest: org/w3c/dom/ls/ | Specification-Title | Document Object Model, Level 3 Load and Save | Medium
Product | manifest: javax/xml/xpath/ | Implementation-Title | javax.xml.xpath | Medium
Product | pom | groupid | xerces | Low
Product | pom | description | Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program. | 
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Description: xml-commons provides an Apache-hosted set of DOM, SAX, and
JAXP interfaces for use in other xml-based projects. Our hope is that we
can standardize on both a common version and packaging scheme for these
critical XML standards interfaces to make the lives of both our developers
and users easier. The External Components portion of xml-commons contains
interfaces that are defined by external standards organizations. For DOM,
that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for
JAXP it's Sun.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/xml-apis/xml-apis/1.0.b2/xml-apis-1.0.b2.jar MD5: 458715c0f7646a56b1c6ad3138098beb SHA1: 3136ca936f64c9d68529f048c2618bd356bf85c9
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | file | name | xml-apis | High
Vendor | pom | groupid | xml-apis | Highest
Vendor | manifest: javax/xml/parsers/ | Implementation-Vendor | Sun Microsystems Inc. | Medium
Vendor | manifest: org/apache/xmlcommons/Version | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | description | xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun. | Low
Vendor | manifest: javax/xml/transform/ | Implementation-Vendor | Sun Microsystems Inc. | Medium
Vendor | pom | name | XML Commons External Components XML APIs | High
Vendor | pom | artifactid | xml-apis | Low
Vendor | pom | organization url | http://www.apache.org/ | Medium
Vendor | central | groupid | xml-apis | High
Vendor | pom | url | http://xml.apache.org/commons/#external | Highest
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | manifest: org/xml/sax/ | Implementation-Vendor | David Megginson | Medium
Vendor | manifest: org/w3c/dom/ | Implementation-Vendor | World Wide Web Consortium | Medium
Product | file | name | xml-apis | High
Product | manifest: org/w3c/dom/ | Implementation-Title | org.w3c.dom | Medium
Product | pom | url | http://xml.apache.org/commons/#external | Medium
Product | pom | description | xml-commons provides an Apache-hosted set of DOM, SAX, and JAXP interfaces for use in other xml-based projects. Our hope is that we can standardize on both a common version and packaging scheme for these critical XML standards interfaces to make the lives of both our developers and users easier. The External Components portion of xml-commons contains interfaces that are defined by external standards organizations. For DOM, that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for JAXP it's Sun. | 
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:N/I:P/A:P)
CWE: CWE-91 XML Injection (aka Blind XPath Injection)
dom4j versions prior to 2.1.1 contain a CWE-91: XML Injection vulnerability in the addElement and addAttribute methods of the Element class that can result in an attacker tampering with XML documents through XML injection. This attack appears to be exploitable by an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Description:
The Commons IO library contains utility classes, stream implementations, file filters,
file comparators, endian transformation classes, and much more.
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
The hotrod java client in infinispan before 9.1.0.Final automatically deserializes bytearray message contents in certain events. A malicious user could exploit this flaw by injecting a specially-crafted serialized object to attain remote code execution or conduct other attacks.
Severity:
Medium
CVSS Score: 6.5
(AV:N/AC:L/Au:S/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
It was found that the Hotrod client in Infinispan before 9.2.0.CR1 would unsafely deserialize data read from the cache. An authenticated attacker could inject a malicious object into the data cache and trigger deserialization on the client, and possibly conduct further attacks.
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:P/A:N)
CWE: CWE-287 Improper Authentication
It was found that the REST API in Infinispan before version 9.0.0 did not properly enforce auth constraints. An attacker could use this vulnerability to read or modify data in the default cache or a known cache name.
Description:
JCommon is a free general purpose Java class library that is used in
several projects at www.jfree.org, including JFreeChart and
JFreeReport.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/ciagent/.m2/repository/org/jfree/jcommon/1.0.17/jcommon-1.0.17.jar MD5: d123cd511e2ebc4542e8b424cd20bbde SHA1: 7bcb68fde08258e59fe7bcc758c08af830fb2c1d
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | JCommon | High
Vendor | pom | artifactid | jcommon | Low
Vendor | jar | package name | jfree | Low
Vendor | pom | organization url | http://www.jfree.org/ | Medium
Vendor | central | groupid | org.jfree | Highest
Vendor | file | name | jcommon | High
Vendor | pom | organization name | JFree.org | High
Vendor | pom | url | http://www.jfree.org/jcommon/ | Highest
Vendor | pom | groupid | jfree | Highest
Vendor | pom | description | JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport. | Low
Vendor | pom | groupid | org.jfree | Highest
Product | pom | name | JCommon | High
Product | pom | artifactid | jcommon | Highest
Product | central | artifactid | jcommon | Highest
Product | pom | organization name | JFree.org | Low
Product | pom | url | http://www.jfree.org/jcommon/ | Medium
Product | file | name | jcommon | High
Product | pom | groupid | jfree | Low
Product | pom | description | JCommon is a free general purpose Java class library that is used in several projects at www.jfree.org, including JFreeChart and JFreeReport. | 
Description:
JFreeChart is a class library, written in Java, for generating charts.
Utilising the Java2D APIs, it currently supports bar charts, pie charts,
line charts, XY-plots and time series plots.
License:
GNU Lesser General Public Licence: http://www.gnu.org/licenses/lgpl.txt
File Path: /home/ciagent/.m2/repository/org/jfree/jfreechart/1.0.14/jfreechart-1.0.14.jar MD5: e0ac6e8ecb858f946200b326209fe639 SHA1: fa67c798b0ae80b84f3854d69e341abacd3867c5
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | JFreeChart | High
Vendor | pom | description | JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots. | Low
Vendor | jar | package name | chart | Low
Vendor | pom | artifactid | jfreechart | Low
Vendor | jar | package name | jfree | Low
Vendor | file | name | jfreechart | High
Vendor | central | groupid | org.jfree | Highest
Vendor | pom | groupid | jfree | Highest
Vendor | pom | url | http://www.jfree.org/jfreechart/ | Highest
Vendor | pom | organization url | http://www.jfree.org/ | Medium
Vendor | pom | organization name | JFree.org | High
Vendor | pom | groupid | org.jfree | Highest
Product | pom | name | JFreeChart | High
Product | pom | description | JFreeChart is a class library, written in Java, for generating charts. Utilising the Java2D APIs, it currently supports bar charts, pie charts, line charts, XY-plots and time series plots. | 
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
FasterXML Jackson versions before 2.9.8 contain a CWE-20: Improper Input Validation vulnerability in Jackson-Modules-Java8 that can result in a denial of service (DoS). This attack appears to be exploitable when the victim deserializes malicious input, specifically very large values in the nanoseconds field of a time value. This vulnerability appears to have been fixed in 2.9.8.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Severity:
Medium
CVSS Score: 5.1
(AV:N/AC:H/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-184 Incomplete Blacklist
FasterXML jackson-databind before 2.7.9.3, 2.8.x before 2.8.11.1 and 2.9.x before 2.9.5 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the c3p0 libraries are available in the classpath.
Severity:
Medium
CVSS Score: 5.0
(AV:N/AC:L/Au:N/C:P/I:N/A:N)
CWE: CWE-200 Information Exposure
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Description: The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Severity:
Medium
CVSS Score: 6.4
(AV:N/AC:L/Au:N/C:P/I:N/A:P)
XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.
Severity:
High
CVSS Score: 7.9
(AV:N/AC:M/Au:S/C:C/I:N/A:C)
CWE: CWE-611 Improper Restriction of XML External Entity Reference ('XXE')
In Apache Batik before 1.9, files lying on the filesystem of the server which uses Batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root, a full compromise of the server, including confidential or sensitive files, would be possible. XXE can also be used to attack the availability of the server via denial of service, as the references within an XML document can trivially trigger an amplification attack.
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-502 Deserialization of Untrusted Data
In Apache Batik 1.x before 1.10, when deserializing a subclass of `AbstractDocument`, the class takes a string from the input stream as a class name and uses it to call that class's no-arg constructor. The fix was to check the class type before calling newInstance during deserialization.
Description:
Apache XML Graphics Commons is a library that consists of several reusable
components used by Apache Batik and Apache FOP. Many of these components
can easily be used separately outside the domains of SVG and XSL-FO.
License:
The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt
File Path: /home/ciagent/.m2/repository/org/apache/xmlgraphics/xmlgraphics-commons/1.3.1/xmlgraphics-commons-1.3.1.jar MD5: e63589601d939739349a50a029dab120 SHA1: f7d0fa54e2750acd82b1a241c043be6fce1bf0dc
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Evidence
Type | Source | Name | Value | Confidence
Vendor | pom | name | Apache XML Graphics Commons | High
Vendor | pom | description | Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO. | Low
Vendor | file | name | xmlgraphics-commons | High
Vendor | pom | organization name | Apache Software Foundation | High
Vendor | pom | groupid | apache.xmlgraphics | Highest
Vendor | pom | url | http://xmlgraphics.apache.org/commons/ | Highest
Vendor | pom | groupid | org.apache.xmlgraphics | Highest
Vendor | pom | organization url | http://www.apache.org/ | Medium
Vendor | central | groupid | org.apache.xmlgraphics | Highest
Vendor | pom | artifactid | xmlgraphics-commons | Low
Vendor | Manifest | Implementation-Vendor | The Apache Software Foundation (http://xmlgraphics.apache.org/) | High
Product | pom | name | Apache XML Graphics Commons | High
Product | pom | description | Apache XML Graphics Commons is a library that consists of several reusable components used by Apache Batik and Apache FOP. Many of these components can easily be used separately outside the domains of SVG and XSL-FO. | 
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Description:
Xalan-Java is an XSLT processor for transforming XML documents into HTML,
text, or other XML document types. It implements XSL Transformations (XSLT)
Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from
the command line, in an applet or a servlet, or as a module in other programs.
File Path: /home/ciagent/.m2/repository/xalan/xalan/2.7.1/xalan-2.7.1.jar MD5: d43aad24f2c143b675292ccfef487f9c SHA1: 75f1d83ce27bab5f29fff034fc74aa9f7266f22a
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:runtime
Evidence
Type | Source | Name | Value | Confidence
Vendor | manifest: org/apache/xalan/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | manifest: org/apache/regexp/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | description | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. | Low
Vendor | pom | parent-artifactid | apache | Low
Vendor | central | groupid | xalan | Highest
Vendor | manifest: java_cup/runtime/ | Implementation-Vendor | Princeton University | Medium
Vendor | manifest: org/apache/bcel/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | artifactid | xalan | Low
Vendor | pom | name | Xalan Java | High
Vendor | manifest: org/apache/xml/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | file | name | xalan | High
Vendor | manifest: org/apache/xalan/xsltc/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | url | http://xml.apache.org/xalan-j/ | Highest
Vendor | pom | groupid | xalan | Highest
Vendor | manifest: org/apache/xpath/ | Implementation-Vendor | Apache Software Foundation | Medium
Vendor | pom | parent-groupid | org.apache | Medium
Product | manifest: org/apache/xalan/xsltc/ | Implementation-Title | org.apache.xalan.xsltc | Medium
Product | pom | description | Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program. | 
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-264 Permissions, Privileges, and Access Controls
The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
Apache Software License, version 1.1: http://www.apache.org/licenses/LICENSE-1.1
File Path: /home/ciagent/.m2/repository/xpp3/xpp3/1.1.4c/xpp3-1.1.4c.jar MD5: 6e3c39f391e4994888b7d0030f775804 SHA1: 9b988ea84b9e4e9f1874e390ce099b8ac12cfff5
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Description: MXP1 is a stable XmlPull parsing engine that is based on ideas from XPP and in particular XPP2 but completely revised and rewritten to take the best advantage of latest JIT JVMs such as Hotspot in JDK 1.4+.
License:
Indiana University Extreme! Lab Software License, version 1.1.1: http://www.extreme.indiana.edu/viewcvs/~checkout~/XPP3/java/LICENSE.txt
Public Domain: http://creativecommons.org/licenses/publicdomain
File Path: /home/ciagent/.m2/repository/xpp3/xpp3_min/1.1.4c/xpp3_min-1.1.4c.jar MD5: dcd95bcb84b09897b2b66d4684c040da SHA1: 19d4e90b43059058f6e056f794f0ea4030d60b86
Referenced In Project/Scope:
eXo PLF:: Wiki Renderer:compile
Severity:
High
CVSS Score: 7.5
(AV:N/AC:L/Au:N/C:P/I:P/A:P)
CWE: CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection')
XStream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format, e.g. JSON.
Description:
Closure Compiler is a JavaScript optimizing compiler. It parses your
JavaScript, analyzes it, removes dead code and rewrites and minimizes
what's left. It also checks syntax, variable references, and types, and
warns about common JavaScript pitfalls. It is used in many of Google's
JavaScript apps, including Gmail, Google Web Search, Google Maps, and
Google Docs.
Evidence
Type | Source | Name | Value | Confidence
 |  |  | Closure Compiler is a JavaScript optimizing compiler. It parses your JavaScript, analyzes it, removes dead code and rewrites and minimizes what's left. It also checks syntax, variable references, and types, and warns about common JavaScript pitfalls. It is used in many of Google's JavaScript apps, including Gmail, Google Web Search, Google Maps, and Google Docs. | Low
Vendor | pom | url | https://developers.google.com/closure/compiler/ | Highest
Vendor | pom | groupid | google.javascript | Highest
Vendor | pom | artifactid | closure-compiler | Low
Vendor | pom | parent-artifactid | closure-compiler-main | Low
Product | pom | parent-groupid | com.google.javascript | Low
Product | pom | groupid | google.javascript | Low
Product | pom | artifactid | closure-compiler | Highest
Product | pom | name | Closure Compiler | High
Product | pom | description | Closure Compiler is a JavaScript optimizing compiler. It parses your JavaScript, analyzes it, removes dead code and rewrites and minimizes what's left. It also checks syntax, variable references, and types, and warns about common JavaScript pitfalls. It is used in many of Google's JavaScript apps, including Gmail, Google Web Search, Google Maps, and Google Docs. | 
Severity:
Medium
CVSS Score: 4.3
(AV:N/AC:M/Au:N/C:P/I:N/A:N)
CWE: CWE-310 Cryptographic Issues
The S/MIME specification allows a Cipher Block Chaining (CBC) malleability-gadget attack that can indirectly lead to plaintext exfiltration, aka EFAIL.