one-rename's Issues
CVE-2020-15250 (Medium) detected in junit-4.11.jar - autoclosed
CVE-2020-15250 - Medium Severity Vulnerability
Vulnerable Library - junit-4.11.jar
JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to vulnerable library: /junit-4.11.jar
Dependency Hierarchy:
- ❌ junit-4.11.jar (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: 4.13.1
CVE-2020-25638 (High) detected in hibernate-core-5.0.6.Final.jar - autoclosed
CVE-2020-25638 - High Severity Vulnerability
Vulnerable Library - hibernate-core-5.0.6.Final.jar
The core O/RM functionality as provided by Hibernate
Library home page: http://hibernate.org
Path to vulnerable library: /hibernate-core-5.0.6.Final.jar
Dependency Hierarchy:
- ❌ hibernate-core-5.0.6.Final.jar (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2020-12-02
URL: CVE-2020-25638
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://in.relation.to/2020/11/19/hibernate-orm-5424-final-release/
Release Date: 2020-12-02
Fix Resolution: 5.3.20.Final
CVE-2022-29217 (High) detected in PyJWT-1.7.1-py2.py3-none-any.whl
CVE-2022-29217 - High Severity Vulnerability
Vulnerable Library - PyJWT-1.7.1-py2.py3-none-any.whl
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /folder3/requirements.txt
Path to vulnerable library: /folder3/requirements.txt
Dependency Hierarchy:
- ❌ PyJWT-1.7.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: master
Vulnerability Details
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the signing algorithm that is used. The PyJWT library requires that the application chooses which algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is limited in scope, since algorithms=jwt.algorithms.get_default_algorithms() has to be used for it to apply. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution: PyJWT - 2.4.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-26137 (Medium) detected in urllib3-1.21.1-py2.py3-none-any.whl - autoclosed
CVE-2020-26137 - Medium Severity Vulnerability
Vulnerable Library - urllib3-1.21.1-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/24/53/f397db567de0aa0e81b211d81c13c41a779f14893e42189cf5bdb97611b2/urllib3-1.21.1-py2.py3-none-any.whl
Path to dependency file: /folder1/requirements.txt
Path to vulnerable library: /folder1/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.21.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
urllib3 before 1.25.9 allows CRLF injection if the attacker controls the HTTP request method, as demonstrated by inserting CR and LF control characters in the first argument of putrequest(). NOTE: this is similar to CVE-2020-26116.
Publish Date: 2020-09-30
URL: CVE-2020-26137
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26137
Release Date: 2020-09-30
Fix Resolution: 1.25.9
⛑️ Automatic Remediation is available for this issue
WS-2018-0125 (Medium) detected in jackson-core-2.6.7.jar - autoclosed
WS-2018-0125 - Medium Severity Vulnerability
Vulnerable Library - jackson-core-2.6.7.jar
Core Jackson abstractions, basic JSON streaming API implementation
Library home page: https://github.com/FasterXML/jackson-core
Path to dependency file: one/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.7/jackson-core-2.6.7.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-core-1.11.856.jar
    - jackson-databind-2.6.7.3.jar
      - ❌ jackson-core-2.6.7.jar (Vulnerable Library)
Found in HEAD commit: 5038c01bcf1697f16f6b761e157a03cf65101b69
Found in base branch: master
Vulnerability Details
OutOfMemoryError when writing BigDecimal in Jackson Core before version 2.7.7. When the WRITE_BIGDECIMAL_AS_PLAIN setting is enabled, Jackson will attempt to write out the whole number, no matter how large the exponent.
Publish Date: 2016-08-25
URL: WS-2018-0125
Suggested Fix
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-core/releases/tag/jackson-core-2.7.7
Release Date: 2016-08-25
Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.7.7
CVE-2019-10751 (High) detected in httpie-0.2.0.tar.gz
CVE-2019-10751 - High Severity Vulnerability
Vulnerable Library - httpie-0.2.0.tar.gz
HTTPie - a CLI, cURL-like tool for humans.
Library home page: https://files.pythonhosted.org/packages/37/ad/b2ce98d7db29eb071deea837f5fe8e382e81f27fb81fc77862a1d5f3fbac/httpie-0.2.0.tar.gz
Path to dependency file: /folder2/requirements.txt
Path to vulnerable library: /folder2/requirements.txt
Dependency Hierarchy:
- ❌ httpie-0.2.0.tar.gz (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: master
Vulnerability Details
All versions of the HTTPie package prior to version 1.0.3 are vulnerable to Open Redirect, which allows an attacker to write an arbitrary file with a supplied filename and content to the current directory by redirecting a request from HTTP to a crafted URL pointing to a server under the attacker's control.
Publish Date: 2019-08-23
URL: CVE-2019-10751
CVSS 3 Score Details (8.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://gitlab.alpinelinux.org/alpine/aports/issues/10840
Release Date: 2019-09-02
Fix Resolution: 1.0.3
⛑️ Automatic Remediation is available for this issue
CVE-2022-29217 (High) detected in PyJWT-1.7.1-py2.py3-none-any.whl - autoclosed
CVE-2022-29217 - High Severity Vulnerability
Vulnerable Library - PyJWT-1.7.1-py2.py3-none-any.whl
JSON Web Token implementation in Python
Library home page: https://files.pythonhosted.org/packages/87/8b/6a9f14b5f781697e51259d81657e6048fd31a113229cf346880bb7545565/PyJWT-1.7.1-py2.py3-none-any.whl
Path to dependency file: /folder3/requirements.txt
Path to vulnerable library: /folder3/requirements.txt
Dependency Hierarchy:
- ❌ PyJWT-1.7.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branches: branch1, master
Vulnerability Details
PyJWT is a Python implementation of RFC 7519. PyJWT supports multiple different JWT signing algorithms. With JWT, an attacker submitting the JWT token can choose the signing algorithm that is used. The PyJWT library requires that the application chooses which algorithms are supported. The application can specify jwt.algorithms.get_default_algorithms() to get support for all algorithms, or specify a single algorithm. The issue is limited in scope, since algorithms=jwt.algorithms.get_default_algorithms() has to be used for it to apply. Users should upgrade to v2.4.0 to receive a patch for this issue. As a workaround, always be explicit with the algorithms that are accepted and expected when decoding.
Publish Date: 2022-05-24
URL: CVE-2022-29217
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29217
Release Date: 2022-05-24
Fix Resolution: PyJWT - 2.4.0
⛑️ Automatic Remediation is available for this issue
CVE-2020-28491 (High) detected in jackson-dataformat-cbor-2.6.7.jar - autoclosed
CVE-2020-28491 - High Severity Vulnerability
Vulnerable Library - jackson-dataformat-cbor-2.6.7.jar
Support for reading and writing Concise Binary Object Representation ([CBOR](https://www.rfc-editor.org/info/rfc7049)) encoded data using Jackson abstractions (streaming API, data binding, tree model)
Path to dependency file: one/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/dataformat/jackson-dataformat-cbor/2.6.7/jackson-dataformat-cbor-2.6.7.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-core-1.11.856.jar
    - ❌ jackson-dataformat-cbor-2.6.7.jar (Vulnerable Library)
Found in base branch: master
Vulnerability Details
This affects the package com.fasterxml.jackson.dataformat:jackson-dataformat-cbor from 0 and before 2.11.4, from 2.12.0-rc1 and before 2.12.1. Unchecked allocation of byte buffer can cause a java.lang.OutOfMemoryError exception.
Publish Date: 2021-02-18
URL: CVE-2020-28491
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28491
Release Date: 2021-02-18
Fix Resolution: com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.11.4, com.fasterxml.jackson.dataformat:jackson-dataformat-cbor:2.12.1
CVE-2020-13956 (Medium) detected in httpclient-4.5.9.jar - autoclosed
CVE-2020-13956 - Medium Severity Vulnerability
Vulnerable Library - httpclient-4.5.9.jar
Apache HttpComponents Client
Library home page: http://hc.apache.org/
Path to dependency file: one/pom.xml
Path to vulnerable library: onents/httpclient/4.5.9/httpclient-4.5.9.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-core-1.11.856.jar
    - ❌ httpclient-4.5.9.jar (Vulnerable Library)
Found in HEAD commit: 5038c01bcf1697f16f6b761e157a03cf65101b69
Found in base branch: master
Vulnerability Details
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-07-21
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
CVE-2019-14900 (Medium) detected in hibernate-core-5.0.6.Final.jar - autoclosed
CVE-2019-14900 - Medium Severity Vulnerability
Vulnerable Library - hibernate-core-5.0.6.Final.jar
The core O/RM functionality as provided by Hibernate
Library home page: http://hibernate.org
Path to vulnerable library: /hibernate-core-5.0.6.Final.jar
Dependency Hierarchy:
- ❌ hibernate-core-5.0.6.Final.jar (Vulnerable Library)
Found in base branch: branch1
Vulnerability Details
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
Publish Date: 2020-07-06
URL: CVE-2019-14900
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900
Release Date: 2020-07-06
Fix Resolution: 5.1.10.Final
WS-2019-0379 (Medium) detected in commons-codec-1.11.jar - autoclosed
WS-2019-0379 - Medium Severity Vulnerability
Vulnerable Library - commons-codec-1.11.jar
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: one/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-core-1.11.856.jar
    - httpclient-4.5.9.jar
      - ❌ commons-codec-1.11.jar (Vulnerable Library)
Found in HEAD commit: 5038c01bcf1697f16f6b761e157a03cf65101b69
Found in base branch: master
Vulnerability Details
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
CVE-2021-27293 (High) detected in restsharp.106.11.7.nupkg - autoclosed
CVE-2021-27293 - High Severity Vulnerability
Vulnerable Library - restsharp.106.11.7.nupkg
Simple REST and HTTP API Client
Library home page: https://api.nuget.org/packages/restsharp.106.11.7.nupkg
Path to dependency file: one/constant.csproj
Path to vulnerable library: canner/.nuget/packages/restsharp/106.11.7/restsharp.106.11.7.nupkg
Dependency Hierarchy:
- ❌ restsharp.106.11.7.nupkg (Vulnerable Library)
Found in base branch: master
Vulnerability Details
RestSharp < 106.11.8-alpha.0.13 uses a regular expression which is vulnerable to Regular Expression Denial of Service (ReDoS) when converting strings into DateTimes. If a server responds with a malicious string, the client using RestSharp will be stuck processing it for an exceedingly long time. Thus the remote server can trigger Denial of Service.
Publish Date: 2021-07-12
URL: CVE-2021-27293
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-9pq7-rcxv-47vq
Release Date: 2021-07-12
Fix Resolution: RestSharp - 106.11.8-alpha.0.13
⛑️ Automatic Remediation is available for this issue
CVE-2019-11324 (High) detected in urllib3-1.21.1-py2.py3-none-any.whl - autoclosed
CVE-2019-11324 - High Severity Vulnerability
Vulnerable Library - urllib3-1.21.1-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/24/53/f397db567de0aa0e81b211d81c13c41a779f14893e42189cf5bdb97611b2/urllib3-1.21.1-py2.py3-none-any.whl
Path to dependency file: /folder1/requirements.txt
Path to vulnerable library: /folder1/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.21.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
The urllib3 library before 1.24.2 for Python mishandles certain cases where the desired set of CA certificates is different from the OS store of CA certificates, which results in SSL connections succeeding in situations where a verification failure is the correct outcome. This is related to use of the ssl_context, ca_certs, or ca_certs_dir argument.
Publish Date: 2019-04-18
URL: CVE-2019-11324
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11324
Release Date: 2019-04-18
Fix Resolution: 1.24.2
⛑️ Automatic Remediation is available for this issue
WS-2018-0124 (Medium) detected in jackson-core-2.6.7.jar - autoclosed
WS-2018-0124 - Medium Severity Vulnerability
Vulnerable Library - jackson-core-2.6.7.jar
Core Jackson abstractions, basic JSON streaming API implementation
Library home page: https://github.com/FasterXML/jackson-core
Path to dependency file: one/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-core/2.6.7/jackson-core-2.6.7.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-core-1.11.856.jar
    - jackson-databind-2.6.7.3.jar
      - ❌ jackson-core-2.6.7.jar (Vulnerable Library)
Found in HEAD commit: 5038c01bcf1697f16f6b761e157a03cf65101b69
Found in base branch: master
Vulnerability Details
In Jackson Core before version 2.8.6, if the REST endpoint consumes POST requests with JSON or XML data and the data are invalid, the first unrecognized token is printed to server.log. If the first token is a word of length 10 MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Publish Date: 2018-06-24
URL: WS-2018-0124
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124
Release Date: 2018-01-24
Fix Resolution: 2.8.6
CVE-2021-33503 (High) detected in urllib3-1.21.1-py2.py3-none-any.whl - autoclosed
CVE-2021-33503 - High Severity Vulnerability
Vulnerable Library - urllib3-1.21.1-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/24/53/f397db567de0aa0e81b211d81c13c41a779f14893e42189cf5bdb97611b2/urllib3-1.21.1-py2.py3-none-any.whl
Path to dependency file: /folder1/requirements.txt
Path to vulnerable library: /folder1/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.21.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
An issue was discovered in urllib3 before 1.26.5. When provided with a URL containing many @ characters in the authority component, the authority regular expression exhibits catastrophic backtracking, causing a denial of service if a URL were passed as a parameter or redirected to via an HTTP redirect.
Publish Date: 2021-06-29
URL: CVE-2021-33503
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: GHSA-q2q7-5pp4-w6pg
Release Date: 2021-06-29
Fix Resolution: urllib3 - 1.26.5
⛑️ Automatic Remediation is available for this issue
CVE-2019-9740 (Medium) detected in urllib3-1.21.1-py2.py3-none-any.whl - autoclosed
CVE-2019-9740 - Medium Severity Vulnerability
Vulnerable Library - urllib3-1.21.1-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/24/53/f397db567de0aa0e81b211d81c13c41a779f14893e42189cf5bdb97611b2/urllib3-1.21.1-py2.py3-none-any.whl
Path to dependency file: /folder1/requirements.txt
Path to vulnerable library: /folder1/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.21.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.
Publish Date: 2019-03-13
URL: CVE-2019-9740
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740
Release Date: 2019-03-13
Fix Resolution: v2.7.17,v3.5.8,v3.6.9,3.7.4,3.7.5
⛑️ Automatic Remediation is available for this issue
CVE-2021-21290 (Medium) detected in netty-codec-http-4.1.48.Final.jar, netty-handler-4.1.48.Final.jar - autoclosed
CVE-2021-21290 - Medium Severity Vulnerability
Vulnerable Libraries - netty-codec-http-4.1.48.Final.jar, netty-handler-4.1.48.Final.jar
netty-codec-http-4.1.48.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: one/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-codec-http/4.1.48.Final/netty-codec-http-4.1.48.Final.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-kinesisvideo-1.11.856.jar
    - ❌ netty-codec-http-4.1.48.Final.jar (Vulnerable Library)
netty-handler-4.1.48.Final.jar
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: one/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-handler/4.1.48.Final/netty-handler-4.1.48.Final.jar
Dependency Hierarchy:
- aws-java-sdk-1.11.856.jar (Root Library)
  - aws-java-sdk-kinesisvideo-1.11.856.jar
    - ❌ netty-handler-4.1.48.Final.jar (Vulnerable Library)
Found in HEAD commit: 5038c01bcf1697f16f6b761e157a03cf65101b69
Found in base branch: master
Vulnerability Details
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When Netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but, by default, will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in Netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify a custom "java.io.tmpdir" when starting the JVM, or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Publish Date: 2021-02-08
URL: CVE-2021-21290
CVSS 3 Score Details (5.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-5mcr-gq6c-3hq2
Release Date: 2021-02-08
Fix Resolution: io.netty:netty-codec-http:4.1.59.Final
CVE-2019-14900 (Medium) detected in hibernate-core-5.0.6.Final.jar - autoclosed
CVE-2019-14900 - Medium Severity Vulnerability
Vulnerable Library - hibernate-core-5.0.6.Final.jar
The core O/RM functionality as provided by Hibernate
Library home page: http://hibernate.org
Path to vulnerable library: /hibernate-core-5.0.6.Final.jar
Dependency Hierarchy:
- ❌ hibernate-core-5.0.6.Final.jar (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
Publish Date: 2020-07-06
URL: CVE-2019-14900
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900
Release Date: 2020-07-06
Fix Resolution: 5.1.10.Final
CVE-2019-0820 (High) detected in system.text.regularexpressions.4.3.1.nupkg - autoclosed
CVE-2019-0820 - High Severity Vulnerability
Vulnerable Library - system.text.regularexpressions.4.3.1.nupkg
Provides the System.Text.RegularExpressions.Regex class, an implementation of a regular expression e...
Library home page: https://api.nuget.org/packages/system.text.regularexpressions.4.3.1.nupkg
Path to dependency file: one/constant.csproj
Path to vulnerable library: canner/.nuget/packages/system.text.regularexpressions/4.3.1/system.text.regularexpressions.4.3.1.nupkg,/home/wss-scanner/.nuget/packages/system.text.regularexpressions/4.3.1/system.text.regularexpressions.4.3.1.nupkg
Dependency Hierarchy:
- ❌ system.text.regularexpressions.4.3.1.nupkg (Vulnerable Library)
Found in HEAD commit: 677b0d9e87e97f70144f88a6fe092f51c98d455a
Found in base branch: master
Vulnerability Details
A denial of service vulnerability exists when .NET Framework and .NET Core improperly process RegEx strings, aka '.NET Framework and .NET Core Denial of Service Vulnerability'. This CVE ID is unique from CVE-2019-0980, CVE-2019-0981.
Publish Date: 2019-05-16
URL: CVE-2019-0820
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High
CVE-2022-24737 (Medium) detected in httpie-0.2.0.tar.gz
CVE-2022-24737 - Medium Severity Vulnerability
Vulnerable Library - httpie-0.2.0.tar.gz
HTTPie - a CLI, cURL-like tool for humans.
Library home page: https://files.pythonhosted.org/packages/37/ad/b2ce98d7db29eb071deea837f5fe8e382e81f27fb81fc77862a1d5f3fbac/httpie-0.2.0.tar.gz
Path to dependency file: /folder2/requirements.txt
Path to vulnerable library: /folder2/requirements.txt
Dependency Hierarchy:
- ❌ httpie-0.2.0.tar.gz (Vulnerable Library)
Found in HEAD commit: 791b04c3cb959033a8316d3a840e94c302f01243
Found in base branch: master
Vulnerability Details
HTTPie is a command-line HTTP client. HTTPie has the practical concept of sessions, which help users to persistently store some of the state that belongs to the outgoing requests and incoming responses on the disk for further usage. Before 3.1.0, HTTPie didn't distinguish between cookies and the hosts they belonged to. This behavior resulted in the exposure of some cookies when there are redirects originating from the actual host to a third-party website. Users are advised to upgrade. There are no known workarounds.
Publish Date: 2022-03-07
URL: CVE-2022-24737
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-9w4w-cpc8-h2fq
Release Date: 2022-03-07
Fix Resolution: httpie - 3.1.0
⛑️ Automatic Remediation is available for this issue
CVE-2022-0430 (Medium) detected in httpie-0.2.0.tar.gz
CVE-2022-0430 - Medium Severity Vulnerability
Vulnerable Library - httpie-0.2.0.tar.gz
HTTPie - a CLI, cURL-like tool for humans.
Library home page: https://files.pythonhosted.org/packages/37/ad/b2ce98d7db29eb071deea837f5fe8e382e81f27fb81fc77862a1d5f3fbac/httpie-0.2.0.tar.gz
Path to dependency file: /folder2/requirements.txt
Path to vulnerable library: /folder2/requirements.txt
Dependency Hierarchy:
- ❌ httpie-0.2.0.tar.gz (Vulnerable Library)
Found in base branch: master
Vulnerability Details
Exposure of Sensitive Information to an Unauthorized Actor in GitHub repository httpie/httpie prior to 3.1.0.
Publish Date: 2022-03-15
URL: CVE-2022-0430
CVSS 3 Score Details (5.3)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/dafb2e4f-c6b6-4768-8ef5-b396cd6a801f/
Release Date: 2022-03-15
Fix Resolution: httpie - 3.1.0
⛑️ Automatic Remediation is available for this issue
CVE-2019-11236 (Medium) detected in urllib3-1.21.1-py2.py3-none-any.whl - autoclosed
CVE-2019-11236 - Medium Severity Vulnerability
Vulnerable Library - urllib3-1.21.1-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/24/53/f397db567de0aa0e81b211d81c13c41a779f14893e42189cf5bdb97611b2/urllib3-1.21.1-py2.py3-none-any.whl
Path to dependency file: /folder1/requirements.txt
Path to vulnerable library: /folder1/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.21.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
In the urllib3 library through 1.24.1 for Python, CRLF injection is possible if the attacker controls the request parameter.
Publish Date: 2019-04-15
URL: CVE-2019-11236
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11236
Release Date: 2019-04-15
Fix Resolution: 1.24.3
⛑️ Automatic Remediation is available for this issue
CVE-2021-21330 (Medium) detected in aiohttp-0.16.3.tar.gz
CVE-2021-21330 - Medium Severity Vulnerability
Vulnerable Library - aiohttp-0.16.3.tar.gz
Async http client/server framework (asyncio)
Library home page: https://files.pythonhosted.org/packages/69/f0/dc5959f1b2f641c40357e66a516214ef7d2d13a5ce3cdb044d78f7c57f39/aiohttp-0.16.3.tar.gz
Path to dependency file: /folder2/requirements.txt
Path to vulnerable library: /folder2/requirements.txt
Dependency Hierarchy:
- ❌ aiohttp-0.16.3.tar.gz (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: master
Vulnerability Details
aiohttp is an asynchronous HTTP client/server framework for asyncio and Python. In aiohttp before version 3.7.4 there is an open redirect vulnerability. A maliciously crafted link to an aiohttp-based web-server could redirect the browser to a different website. It is caused by a bug in the aiohttp.web_middlewares.normalize_path_middleware middleware. This security problem has been fixed in 3.7.4. Upgrade your dependency using pip as follows "pip install aiohttp >= 3.7.4". If upgrading is not an option for you, a workaround can be to avoid using aiohttp.web_middlewares.normalize_path_middleware in your applications.
Publish Date: 2021-02-26
URL: CVE-2021-21330
CVSS 3 Score Details (6.1)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
- Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: GHSA-v6wp-4m6f-gcjg
Release Date: 2021-02-26
Fix Resolution: v3.7.4
⛑️ Automatic Remediation is available for this issue
CVE-2018-20060 (High) detected in urllib3-1.21.1-py2.py3-none-any.whl - autoclosed
CVE-2018-20060 - High Severity Vulnerability
Vulnerable Library - urllib3-1.21.1-py2.py3-none-any.whl
HTTP library with thread-safe connection pooling, file post, and more.
Library home page: https://files.pythonhosted.org/packages/24/53/f397db567de0aa0e81b211d81c13c41a779f14893e42189cf5bdb97611b2/urllib3-1.21.1-py2.py3-none-any.whl
Path to dependency file: /folder1/requirements.txt
Path to vulnerable library: /folder1/requirements.txt
Dependency Hierarchy:
- ❌ urllib3-1.21.1-py2.py3-none-any.whl (Vulnerable Library)
Found in HEAD commit: 6b0c64ea59feda03497ff343e6a84689235bc03a
Found in base branch: branch1
Vulnerability Details
urllib3 before version 1.23 does not remove the Authorization HTTP header when following a cross-origin redirect (i.e., a redirect that differs in host, port, or scheme). This can allow for credentials in the Authorization header to be exposed to unintended hosts or transmitted in cleartext.
Publish Date: 2018-12-11
URL: CVE-2018-20060
CVSS 3 Score Details (9.8)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20060
Release Date: 2018-12-11
Fix Resolution: 1.23
⛑️ Automatic Remediation is available for this issue