contrast-agent's Issues
commons-net-1.4.1.jar: 1 vulnerability (highest severity is: 6.5)
Vulnerable Library - commons-net-1.4.1.jar
Path to vulnerable library: /commons-net-1.4.1.jar
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (commons-net version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-37533 | Medium | 6.5 | commons-net-1.4.1.jar | Direct | 3.9.0 | ❌ |
** In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2021-37533
Vulnerable Library - commons-net-1.4.1.jar
Path to vulnerable library: /commons-net-1.4.1.jar
Dependency Hierarchy:
- ❌ commons-net-1.4.1.jar (Vulnerable Library)
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Found in base branch: main
Vulnerability Details
Prior to Apache Commons Net 3.9.0, Net's FTP client trusts the host from PASV response by default. A malicious server can redirect the Commons Net code to use a different host, but the user has to connect to the malicious server in the first place. This may lead to leakage of information about services running on the private network of the client. The default in version 3.9.0 is now false to ignore such hosts, as cURL does. See https://issues.apache.org/jira/browse/NET-711.
Publish Date: 2022-12-03
URL: CVE-2021-37533
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: None
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2021-37533
Release Date: 2022-12-03
Fix Resolution: 3.9.0
Step up your Open Source Security Game with Mend here
itext-1.3.jar: 1 vulnerability (highest severity is: 8.8)
Vulnerable Library - itext-1.3.jar
Path to vulnerable library: /itext-1.3.jar
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (itext version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2017-9096 | High | 8.8 | itext-1.3.jar | Direct | com.itextpdf:itextpdf:5.5.12 | ❌ |
** In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2017-9096
Vulnerable Library - itext-1.3.jar
Path to vulnerable library: /itext-1.3.jar
Dependency Hierarchy:
- ❌ itext-1.3.jar (Vulnerable Library)
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Found in base branch: main
Vulnerability Details
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Publish Date: 2017-11-08
URL: CVE-2017-9096
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: High
  - Integrity Impact: High
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9096
Release Date: 2017-11-08
Fix Resolution: com.itextpdf:itextpdf:5.5.12
jsoup-1.9.2.jar: 2 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - jsoup-1.9.2.jar
jsoup HTML parser
Path to vulnerable library: /jsoup-1.9.2.jar
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (jsoup version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2021-37714 | High | 7.5 | jsoup-1.9.2.jar | Direct | 1.14.2 | ❌ |
| CVE-2022-36033 | Medium | 6.1 | jsoup-1.9.2.jar | Direct | 1.15.3 | ❌ |
** In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2021-37714
Vulnerable Library - jsoup-1.9.2.jar
jsoup HTML parser
Path to vulnerable library: /jsoup-1.9.2.jar
Dependency Hierarchy:
- ❌ jsoup-1.9.2.jar (Vulnerable Library)
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Found in base branch: main
Vulnerability Details
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DoS attacks. If the parser is run on user-supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial-of-service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate-limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and time out parse runtimes.
Publish Date: 2021-08-18
URL: CVE-2021-37714
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: None
  - Integrity Impact: None
  - Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://jsoup.org/news/release-1.14.2
Release Date: 2021-08-18
Fix Resolution: 1.14.2
CVE-2022-36033
Vulnerable Library - jsoup-1.9.2.jar
jsoup HTML parser
Path to vulnerable library: /jsoup-1.9.2.jar
Dependency Hierarchy:
- ❌ jsoup-1.9.2.jar (Vulnerable Library)
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Found in base branch: main
Vulnerability Details
jsoup is a Java HTML parser, built for HTML editing, cleaning, scraping, and cross-site scripting (XSS) safety. jsoup may incorrectly sanitize HTML including javascript: URL expressions, which could allow XSS attacks when a reader subsequently clicks that link. If the non-default SafeList.preserveRelativeLinks option is enabled, HTML including javascript: URLs that have been crafted with control characters will not be sanitized. If the site that this HTML is published on does not set a Content Security Policy, an XSS attack is then possible. This issue is patched in jsoup 1.15.3. Users should upgrade to this version. Additionally, as the unsanitized input may have been persisted, old content should be cleaned again using the updated version. To remediate this issue without immediately upgrading:
- disable SafeList.preserveRelativeLinks, which will rewrite input URLs as absolute URLs
- ensure an appropriate Content Security Policy is defined. (This should be used regardless of upgrading, as a defence-in-depth best practice.)
Publish Date: 2022-08-29
URL: CVE-2022-36033
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: Low
  - Privileges Required: None
  - User Interaction: Required
  - Scope: Changed
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-gp7f-rwcx-9369
Release Date: 2022-08-29
Fix Resolution: 1.15.3
commons-httpclient-3.1.jar: 1 vulnerability (highest severity is: 4.8)
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to vulnerable library: /commons-httpclient-3.1.jar
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Vulnerabilities
| CVE | Severity | CVSS | Dependency | Type | Fixed in (commons-httpclient version) | Remediation Possible** |
|---|---|---|---|---|---|---|
| CVE-2012-5783 | Medium | 4.8 | commons-httpclient-3.1.jar | Direct | 20020423 | ❌ |
** In some cases, a remediation PR cannot be created automatically for a vulnerability even though a remediation is available.
Details
CVE-2012-5783
Vulnerable Library - commons-httpclient-3.1.jar
The HttpClient component supports the client side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Path to vulnerable library: /commons-httpclient-3.1.jar
Dependency Hierarchy:
- ❌ commons-httpclient-3.1.jar (Vulnerable Library)
Found in HEAD commit: f4af44974d9ee719d6895a867a2b0abfd3b8432d
Found in base branch: main
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 3 Score Details (4.8)
Base Score Metrics:
- Exploitability Metrics:
  - Attack Vector: Network
  - Attack Complexity: High
  - Privileges Required: None
  - User Interaction: None
  - Scope: Unchanged
- Impact Metrics:
  - Confidentiality Impact: Low
  - Integrity Impact: Low
  - Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-5783
Release Date: 2012-11-04
Fix Resolution: 20020423