privateregistriestestme-gh's Introduction
privateregistriestestme-gh's People
privateregistriestestme-gh's Issues
hibernate-core-5.0.6.Final.jar: 3 vulnerabilities (highest severity is: 7.5)
Vulnerable Library - hibernate-core-5.0.6.Final.jar
The core O/RM functionality as provided by Hibernate
Library home page: http://hibernate.org
Path to dependency file: /pom.xml
Path to vulnerable library: /ibernate/hibernate-core/5.0.6.Final/hibernate-core-5.0.6.Final.jar
Found in HEAD commit: 7ecc8e4d9f4df70bbd8de08e78ef22822b2b5082
Vulnerabilities
CVE | Severity | Dependency | Type | Fixed in | Remediation Available | |
---|---|---|---|---|---|---|
CVE-2018-1000632 | 7.5 | dom4j-1.6.1.jar | Transitive | 5.1.11.Final | ✅ | |
CVE-2020-25638 | 7.4 | hibernate-core-5.0.6.Final.jar | Direct | 5.3.20.Final | ✅ | |
CVE-2019-14900 | 6.5 | hibernate-core-5.0.6.Final.jar | Direct | 5.1.10.Final | ✅ |
Details
CVE-2018-1000632
Vulnerable Library - dom4j-1.6.1.jar
dom4j: the flexible XML framework for Java
Library home page: http://dom4j.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
Dependency Hierarchy:
- hibernate-core-5.0.6.Final.jar (Root Library)
- ❌ dom4j-1.6.1.jar (Vulnerable Library)
Found in HEAD commit: 7ecc8e4d9f4df70bbd8de08e78ef22822b2b5082
Found in base branch: main
Vulnerability Details
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Publish Date: 2018-08-20
URL: CVE-2018-1000632
CVSS 3 Score Details (7.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000632
Release Date: 2018-08-20
Fix Resolution (dom4j:dom4j): 20040902.021138
Direct dependency fix Resolution (org.hibernate:hibernate-core): 5.1.11.Final
⛑️ Automatic Remediation is available for this issue
CVE-2020-25638
Vulnerable Library - hibernate-core-5.0.6.Final.jar
The core O/RM functionality as provided by Hibernate
Library home page: http://hibernate.org
Path to dependency file: /pom.xml
Path to vulnerable library: /ibernate/hibernate-core/5.0.6.Final/hibernate-core-5.0.6.Final.jar
Dependency Hierarchy:
- ❌ hibernate-core-5.0.6.Final.jar (Vulnerable Library)
Found in HEAD commit: 7ecc8e4d9f4df70bbd8de08e78ef22822b2b5082
Found in base branch: main
Vulnerability Details
A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.
Publish Date: 2020-12-02
URL: CVE-2020-25638
CVSS 3 Score Details (7.4)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://in.relation.to/2020/11/19/hibernate-orm-5424-final-release/
Release Date: 2020-12-02
Fix Resolution: 5.3.20.Final
⛑️ Automatic Remediation is available for this issue
CVE-2019-14900
Vulnerable Library - hibernate-core-5.0.6.Final.jar
The core O/RM functionality as provided by Hibernate
Library home page: http://hibernate.org
Path to dependency file: /pom.xml
Path to vulnerable library: /ibernate/hibernate-core/5.0.6.Final/hibernate-core-5.0.6.Final.jar
Dependency Hierarchy:
- ❌ hibernate-core-5.0.6.Final.jar (Vulnerable Library)
Found in HEAD commit: 7ecc8e4d9f4df70bbd8de08e78ef22822b2b5082
Found in base branch: main
Vulnerability Details
A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.
Publish Date: 2020-07-06
URL: CVE-2019-14900
CVSS 3 Score Details (6.5)
Base Score Metrics:
- Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
- Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900
Release Date: 2020-07-06
Fix Resolution: 5.1.10.Final
⛑️ Automatic Remediation is available for this issue
⛑️ Automatic Remediation is available for this issue.
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.