Giter Site home page Giter Site logo

katerinaorg / ksa-reachability Goto Github PK

View Code? Open in Web Editor NEW

This project forked from xsocket/ksa

0.0 0.0 0.0 4.58 MB

Testing Reachability for Java project

License: Apache License 2.0

Shell 0.01% JavaScript 21.78% Java 25.95% CSS 2.10% FreeMarker 50.17%

ksa-reachability's Introduction

杭州凯思爱物流管理系统

变更日志:

v3.9.2

  • 调整结算单权限控制,进入审批阶段后任何信息不能变更;

v3.9.1

  • 修复【证件代办】面单的导出功能
  • 修复【证件代办】导出结算单没有表头的BUG;
  • 筛选过滤加入【证件代办】,费用查询加入【销售担当】;
  • 修复【证件代办】类型缺失导致的排序问题;

v3.9.0

  • 升级struts2到2.3.31;
  • 更新利润计算公式;
  • 修复图表渲染BUG;
  • 新增脱单类型【证件代办】;
  • 脱单增加4个字段;

v3.8.9

  • 添加按费用项目查询脱单的功能;
  • 修复已开单费用还能编辑的BUG;
  • 其他细节问题修改

v3.8.8

  • 添加托单类型变更的功能;
  • 修复费用汇率不能按照记账月份选择的BUG;

v3.8.7

  • 费用录入按录入顺序排列;
  • 修改操作主管对结算单的控制;
  • 结算单删除功能BUG修改;

v3.8.6

  • 在托单编辑页面,增加箱型箱量自动刷新的功能;
  • 国内运输 类型的托单页面,去除 航线 等不必要的数据内容;
  • 在查询费用时,加入统一的排序标准;
  • 新增 托单共享查看共享托单 的权限,解决广州分事务所的托单查看与共享问题;
-- 增加新的权限数据
insert into KSA_SECURITY_PERMISSION ( ID, NAME, DESCRIPTION ) values ( 'bookingnote:share:gz', '托单共享-广州', '将广州事务所的托单共享出来,供有权限的人员查看和编辑。' );
insert into KSA_SECURITY_PERMISSION ( ID, NAME, DESCRIPTION ) values ( 'bookingnote:viewshare:gz', '托单查看-广州共享', '查看广州事务所共享出来的托单。' );

v3.8.5

  • 修复版本v3.8.4托单数据过滤未过滤“退单管理”页面的问题;
  • 另外加入五种业务类型:KB-捆包业务、RH-内联行、CC-仓储业务、BC-搬场业务、TL-公铁联运

v3.8.4

  • 修复版本v3.8.0托单查看的bug,基本的托单查看权限只允许查看自己创建或负责销售的托单;

v3.8.3

  • 改进费用信息表格:默认显示【备注】列;

v3.8.2

  • 解决了导出面单中费用明细最多显示20条的限制;

v3.8.1

  • 更新了结算单中单位的名称联系地址

v3.8.0

  • 改进了托单查看的权限控制,新增了仅查看个人业务的权限;
  • 涉及到了相应数据库的变更:
-- 增加新的权限数据
insert into KSA_SECURITY_PERMISSION ( ID, NAME, DESCRIPTION ) values ( 'bookingnote:viewall', 	'托单查看-全部', '可以查看所有的业务托单,但是并没有编辑的权限。' );
-- 更新原权限的名称和说明
update KSA_SECURITY_PERMISSION set NAME	= '托单查看-个人', DESCRIPTION = '仅可以查看个人创建的业务托单,其他业务托单无权查看。' where ID = 'bookingnote:edit:view';

-- 将新的权限赋予相应的角色: 操作主管、财务、财务主管、经理、系统管理员
insert into KSA_SECURITY_ROLEPERMISSION ( ROLE_ID, PERMISSION_ID ) values ( 'operator-supervisor', 'bookingnote:viewall' );
insert into KSA_SECURITY_ROLEPERMISSION ( ROLE_ID, PERMISSION_ID ) values ( 'accountant', 'bookingnote:viewall' );
insert into KSA_SECURITY_ROLEPERMISSION ( ROLE_ID, PERMISSION_ID ) values ( 'accountant-supervisor', 'bookingnote:viewall' );
insert into KSA_SECURITY_ROLEPERMISSION ( ROLE_ID, PERMISSION_ID ) values ( 'manager', 'bookingnote:viewall' );
insert into KSA_SECURITY_ROLEPERMISSION ( ROLE_ID, PERMISSION_ID ) values ( 'administrator', 'bookingnote:viewall' );

v3.7.9

  • 更新了利润统计图的展示方式;

ksa-reachability's People

Contributors

katerinaozerova avatar mend-for-github-com[bot] avatar xsocket avatar

ksa-reachability's Issues

struts2-core-2.3.31.jar: 19 vulnerabilities (highest severity is: 10.0)

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (struts2-core version) Remediation Possible** Reachability
CVE-2017-5638 Critical 10.0 struts2-core-2.3.31.jar Direct 2.3.32
CVE-2021-31805 Critical 9.8 struts2-core-2.3.31.jar Direct org.apache.struts:struts2-core:2.5.30
CVE-2019-0230 Critical 9.8 struts2-core-2.3.31.jar Direct 2.5.22
CVE-2016-1000031 Critical 9.8 commons-fileupload-1.2.2.jar Transitive 2.3.37
CVE-2017-12611 Critical 9.8 struts2-core-2.3.31.jar Direct 2.3.34
CVE-2020-17530 Critical 9.8 struts2-core-2.3.31.jar Direct 2.5.26
CVE-2018-11776 High 8.1 struts2-core-2.3.31.jar Direct 2.3.35
CVE-2016-3092 High 7.5 commons-fileupload-1.2.2.jar Transitive 2.3.32
CVE-2023-34396 High 7.5 struts2-core-2.3.31.jar Direct 2.5.31
CVE-2017-9804 High 7.5 detected in multiple dependencies Transitive 2.3.34
CVE-2023-24998 High 7.5 commons-fileupload-1.2.2.jar Transitive 6.1.2
CVE-2019-0233 High 7.5 struts2-core-2.3.31.jar Direct 2.5.22
CVE-2017-9787 High 7.5 detected in multiple dependencies Transitive 2.3.33
WS-2014-0034 High 7.5 commons-fileupload-1.2.2.jar Transitive 2.3.37
CVE-2013-2186 High 7.3 commons-fileupload-1.2.2.jar Transitive N/A*
CVE-2014-0050 High 7.3 commons-fileupload-1.2.2.jar Transitive 2.3.32
CVE-2023-34149 Medium 6.5 struts2-core-2.3.31.jar Direct 2.5.31
CVE-2021-29425 Medium 4.8 commons-io-2.1.jar Transitive 6.1.2
CVE-2013-0248 Medium 4.0 commons-fileupload-1.2.2.jar Transitive 2.3.32

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-5638

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.

Publish Date: 2017-03-11

URL: CVE-2017-5638

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-03-11

Fix Resolution: 2.3.32

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-31805

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The fix issued for CVE-2020-17530 was incomplete. So from Apache Struts 2.0.0 to 2.5.29, still some of the tag’s attributes could perform a double evaluation if a developer applied forced OGNL evaluation by using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to a Remote Code Execution and security degradation.

Publish Date: 2022-04-12

URL: CVE-2021-31805

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-062

Release Date: 2022-04-12

Fix Resolution: org.apache.struts:struts2-core:2.5.30

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-0230

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.

Publish Date: 2020-09-14

URL: CVE-2019-0230

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-059

Release Date: 2020-09-14

Fix Resolution: 2.5.22

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-1000031

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Publish Date: 2016-10-25

URL: CVE-2016-1000031

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Release Date: 2016-10-25

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-12611

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to a RCE attack.

Publish Date: 2017-09-20

URL: CVE-2017-12611

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-053

Release Date: 2017-09-07

Fix Resolution: 2.3.34

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-17530

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software : Apache Struts 2.0.0 - Struts 2.5.25.

Publish Date: 2020-12-11

URL: CVE-2020-17530

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/WW/S2-061

Release Date: 2020-12-11

Fix Resolution: 2.5.26

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-11776

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remote Code Execution when alwaysSelectFullNamespace is true (either by user or a plugin like Convention Plugin) and then: results are used with no namespace and in same time, its upper package have no or wildcard namespace and similar to results, same possibility when using url tag which doesn't have value and action set and in same time, its upper package have no or wildcard namespace.

Publish Date: 2018-08-22

URL: CVE-2018-11776

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776

Release Date: 2018-08-22

Fix Resolution: 2.3.35

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-3092

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Publish Date: 2016-07-04

URL: CVE-2016-3092

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092

Release Date: 2016-07-04

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-34396

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater

Publish Date: 2023-06-14

URL: CVE-2023-34396

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4g42-gqrg-4633

Release Date: 2023-06-14

Fix Resolution: 2.5.31

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-9804

Vulnerable Libraries - xwork-core-2.3.31.jar, struts2-core-2.3.31.jar

xwork-core-2.3.31.jar

Apache Struts 2

Library home page: http://struts.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • xwork-core-2.3.31.jar (Vulnerable Library)

struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.

Publish Date: 2017-09-20

URL: CVE-2017-9804

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-09-05

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.34

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.34

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-24998

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.

Note that, like all of the file upload limits, the
new configuration option (FileUploadBase#setFileCountMax) is not
enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tomcat.apache.org/security-10.html

Release Date: 2023-02-20

Fix Resolution (commons-fileupload:commons-fileupload): 1.5

Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-0233

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.

Publish Date: 2020-09-14

URL: CVE-2019-0233

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cwiki.apache.org/confluence/display/ww/s2-060

Release Date: 2020-09-14

Fix Resolution: 2.5.22

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-9787

Vulnerable Libraries - xwork-core-2.3.31.jar, struts2-core-2.3.31.jar

xwork-core-2.3.31.jar

Apache Struts 2

Library home page: http://struts.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • xwork-core-2.3.31.jar (Vulnerable Library)

struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.

Publish Date: 2017-07-13

URL: CVE-2017-9787

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-07-13

Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.33

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.33

⛑️ Automatic Remediation will be attempted for this issue.

WS-2014-0034

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.

Publish Date: 2014-02-17

URL: WS-2014-0034

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2014-02-17

Fix Resolution (commons-fileupload:commons-fileupload): 1.4

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-2186

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Publish Date: 2013-10-28

URL: CVE-2013-2186

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186

Release Date: 2013-10-28

Fix Resolution: commons-fileupload:commons-fileupload:1.3.1

CVE-2014-0050

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Publish Date: 2014-04-01

URL: CVE-2014-0050

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050

Release Date: 2014-03-28

Fix Resolution (commons-fileupload:commons-fileupload): 1.3.1

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-34149

Vulnerable Library - struts2-core-2.3.31.jar

Apache Struts 2

Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar,/home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts.This issue affects Apache Struts: through 2.5.30, through 6.1.2.

Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.

Publish Date: 2023-06-14

URL: CVE-2023-34149

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-8f6x-v685-g2xc

Release Date: 2023-06-14

Fix Resolution: 2.5.31

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-29425

Vulnerable Library - commons-io-2.1.jar

The Commons IO library contains utility classes, stream implementations, file filters, file comparators and endian classes.

Library home page: http://commons.apache.org/io/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar,/home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-io-2.1.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.

Publish Date: 2021-04-13

URL: CVE-2021-29425

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425

Release Date: 2021-04-13

Fix Resolution (commons-io:commons-io): 2.7

Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-0248

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar,/home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

  • struts2-core-2.3.31.jar (Root Library)
    • commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

Publish Date: 2013-03-15

URL: CVE-2013-0248

CVSS 3 Score Details (4.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248

Release Date: 2013-03-15

Fix Resolution (commons-fileupload:commons-fileupload): 1.3

Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

mybatis-3.1.1.jar: 1 vulnerabilities (highest severity is: 8.1)

Vulnerable Library - mybatis-3.1.1.jar

The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/core/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mybatis version) Remediation Possible** Reachability
CVE-2020-26945 High 8.1 mybatis-3.1.1.jar Direct 3.5.6

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-26945

Vulnerable Library - mybatis-3.1.1.jar

The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/core/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar,/home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar

Dependency Hierarchy:

  • mybatis-3.1.1.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.

Publish Date: 2020-10-10

URL: CVE-2020-26945

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-26

Fix Resolution: 3.5.6

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

ksa-security-dao-3.9.2.jar: 5 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - ksa-security-dao-3.9.2.jar

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ksa-security-dao version) Remediation Possible** Reachability
CVE-2022-22965 Critical 9.8 spring-beans-3.1.1.RELEASE.jar Transitive N/A*
CVE-2022-22950 Medium 6.5 spring-expression-3.1.1.RELEASE.jar Transitive N/A*
CVE-2023-20861 Medium 6.5 spring-expression-3.1.1.RELEASE.jar Transitive N/A*
CVE-2023-20863 Medium 6.5 spring-expression-3.1.1.RELEASE.jar Transitive N/A*
WS-2021-0174 Medium 5.3 spring-beans-3.1.1.RELEASE.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22965

Vulnerable Library - spring-beans-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-security-dao-3.9.2.jar (Root Library)
    • ksa-core-3.9.2.jar
      • spring-context-3.1.1.RELEASE.jar
        • spring-aop-3.1.1.RELEASE.jar
          • spring-beans-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

CVE-2022-22950

Vulnerable Library - spring-expression-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-root/ksa-logistics-dao/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-security-dao-3.9.2.jar (Root Library)
    • ksa-core-3.9.2.jar
      • spring-context-3.1.1.RELEASE.jar
        • spring-expression-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

n Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.

Publish Date: 2022-04-01

URL: CVE-2022-22950

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22950

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17

CVE-2023-20861

Vulnerable Library - spring-expression-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-root/ksa-logistics-dao/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-security-dao-3.9.2.jar (Root Library)
    • ksa-core-3.9.2.jar
      • spring-context-3.1.1.RELEASE.jar
        • spring-expression-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-03-23

URL: CVE-2023-20861

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20861

Release Date: 2023-03-23

Fix Resolution: org.springframework:spring-expression:x5.2.23.RELEASE,5.3.26,6.0.7

CVE-2023-20863

Vulnerable Library - spring-expression-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-root/ksa-logistics-dao/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-security-dao-3.9.2.jar (Root Library)
    • ksa-core-3.9.2.jar
      • spring-context-3.1.1.RELEASE.jar
        • spring-expression-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In spring framework versions prior to 5.2.24 release+ ,5.3.27+ and 6.0.8+ , it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.

Publish Date: 2023-04-13

URL: CVE-2023-20863

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2023-20863

Release Date: 2023-04-13

Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8

WS-2021-0174

Vulnerable Library - spring-beans-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • ksa-security-dao-3.9.2.jar (Root Library)
    • ksa-core-3.9.2.jar
      • spring-context-3.1.1.RELEASE.jar
        • spring-aop-3.1.1.RELEASE.jar
          • spring-beans-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In spring-framework, versions 4.0.0 to 4.0.1 and 3.0.0 to 3.2.18, are vulnerable against CGLIB memory leak for method injection as a result of mishandled callbacks and non-static classes.

Publish Date: 2021-06-29

URL: WS-2021-0174

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2021-06-29

Fix Resolution: org.springframework:spring-beans:4.0.2.RELEASE

bootstrap-2.1.0.js: 5 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (bootstrap version) Remediation Possible** Reachability
CVE-2019-8331 Medium 6.1 bootstrap-2.1.0.js Direct bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
CVE-2018-14040 Medium 6.1 bootstrap-2.1.0.js Direct org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
CVE-2018-20676 Medium 6.1 bootstrap-2.1.0.js Direct bootstrap - 3.4.0
CVE-2018-14042 Medium 6.1 bootstrap-2.1.0.js Direct org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0
CVE-2016-10735 Medium 6.1 bootstrap-2.1.0.js Direct bootstrap - 3.4.0, 4.0.0-beta.2

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2019-8331

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2018-14040

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2018-20676

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

CVE-2018-14042

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

CVE-2016-10735

Vulnerable Library - bootstrap-2.1.0.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js

Dependency Hierarchy:

  • bootstrap-2.1.0.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2

spring-context-3.1.1.RELEASE.jar: 2 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - spring-context-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-context version) Remediation Possible** Reachability
CVE-2022-22968 Medium 5.3 spring-context-3.1.1.RELEASE.jar Direct 5.2.21.RELEASE
WS-2016-7112 Medium 4.9 spring-context-3.1.1.RELEASE.jar Direct 3.2.18.RELEASE

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-22968

Vulnerable Library - spring-context-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.

Publish Date: 2022-04-14

URL: CVE-2022-22968

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22968

Release Date: 2022-04-14

Fix Resolution: 5.2.21.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

WS-2016-7112

Vulnerable Library - spring-context-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-context-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework, versions 3.0.0.RELEASE through 3.2.17.RELEASE, 4.0.0.RELEASE through 4.2.7.RELEASE and 4.3.0.RELEASE through 4.3.1.RELEASE are vulnerable to Stack-based Buffer Overflow, which allows an authenticated attacker to crash the application when giving CronSequenceGenerator a reversed range in the “minutes” or “hours” fields.

Publish Date: 2021-09-23

URL: WS-2016-7112

CVSS 3 Score Details (4.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-07-14

Fix Resolution: 3.2.18.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

wro4j-core-1.4.0.jar: 8 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - wro4j-core-1.4.0.jar

Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (wro4j-core version) Remediation Possible** Reachability
CVE-2022-23305 Critical 9.8 log4j-1.2.16.jar Transitive N/A*
CVE-2019-17571 Critical 9.8 log4j-1.2.16.jar Transitive N/A*
CVE-2020-9493 Critical 9.8 log4j-1.2.16.jar Transitive N/A*
CVE-2022-23307 High 8.8 log4j-1.2.16.jar Transitive N/A*
CVE-2022-23302 High 8.8 log4j-1.2.16.jar Transitive N/A*
CVE-2021-4104 High 7.5 log4j-1.2.16.jar Transitive N/A*
CVE-2023-26464 High 7.5 log4j-1.2.16.jar Transitive N/A*
CVE-2020-9488 Low 3.7 log4j-1.2.16.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-23305

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

CVE-2019-17571

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

CVE-2020-9493

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-23307

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2022-23302

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

CVE-2021-4104

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

CVE-2023-26464

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED **

When using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested)
hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.

This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.

NOTE: This vulnerability only affects products that are no longer supported by the maintainer.

Publish Date: 2023-03-10

URL: CVE-2023-26464

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-vp98-w2p3-mv35

Release Date: 2023-03-10

Fix Resolution: org.apache.logging.log4j:log4j-core:2.0

CVE-2020-9488

Vulnerable Library - log4j-1.2.16.jar

Apache Log4j 1.2

Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar,/home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar

Dependency Hierarchy:

  • wro4j-core-1.4.0.jar (Root Library)
    • slf4j-log4j12-1.6.1.jar
      • log4j-1.2.16.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

ksa-finance-web-3.9.2.jar: 1 vulnerabilities (highest severity is: 6.5)

Vulnerable Library - ksa-finance-web-3.9.2.jar

Path to dependency file: /ksa-web-root/ksa-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (ksa-finance-web version) Remediation Possible** Reachability
WS-2019-0379 Medium 6.5 commons-codec-1.5.jar Transitive N/A*

*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

WS-2019-0379

Vulnerable Library - commons-codec-1.5.jar

The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar,/home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar

Dependency Hierarchy:

  • ksa-finance-web-3.9.2.jar (Root Library)
    • ksa-logistics-web-3.9.2.jar
      • poi-3.8.jar
        • commons-codec-1.5.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution: commons-codec:commons-codec:1.13

spring-web-3.1.1.RELEASE.jar: 9 vulnerabilities (highest severity is: 8.8)

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-web version) Remediation Possible** Reachability
CVE-2014-0225 High 8.8 spring-web-3.1.1.RELEASE.jar Direct org.springframework:spring-web:4.0.5.RELEASE,3.2.9.RELEASE,org.springframework:spring-oxm:4.0.5.RELEASE,3.2.9.RELEASE
CVE-2018-1272 High 7.5 spring-web-3.1.1.RELEASE.jar Direct org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE
CVE-2020-5421 Medium 6.5 spring-web-3.1.1.RELEASE.jar Direct 4.3.29.RELEASE
CVE-2015-3192 Medium 5.5 spring-web-3.1.1.RELEASE.jar Direct 3.2.14.RELEASE
CVE-2013-6430 Medium 5.4 spring-web-3.1.1.RELEASE.jar Direct 3.1.5,3.2.2
CVE-2013-6429 Medium 5.3 spring-web-3.1.1.RELEASE.jar Direct 3.2.5
CVE-2013-7315 Medium 5.3 spring-web-3.1.1.RELEASE.jar Direct org.springframework:spring-web:3.2.4.RELEASE,org.springframework:spring-web:4.0.0.M3
CVE-2014-0054 Medium 5.3 spring-web-3.1.1.RELEASE.jar Direct org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE
CVE-2021-22096 Medium 4.3 spring-web-3.1.1.RELEASE.jar Direct 5.2.18.RELEASE

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2014-0225

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.

Publish Date: 2017-05-25

URL: CVE-2014-0225

CVSS 3 Score Details (8.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225

Release Date: 2017-05-25

Fix Resolution: org.springframework:spring-web:4.0.5.RELEASE,3.2.9.RELEASE,org.springframework:spring-oxm:4.0.5.RELEASE,3.2.9.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2018-1272

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: 2018-04-05

Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-5421

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.

Publish Date: 2020-09-19

URL: CVE-2020-5421

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2020-5421

Release Date: 2020-09-19

Fix Resolution: 4.3.29.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-3192

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.

Publish Date: 2016-07-12

URL: CVE-2015-3192

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192

Release Date: 2016-07-12

Fix Resolution: 3.2.14.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-6430

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.

Publish Date: 2020-01-10

URL: CVE-2013-6430

CVSS 3 Score Details (5.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6430

Release Date: 2020-01-10

Fix Resolution: 3.1.5,3.2.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-6429

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.

Publish Date: 2014-01-26

URL: CVE-2013-6429

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6429

Release Date: 2014-01-26

Fix Resolution: 3.2.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2013-7315

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.

Publish Date: 2014-01-23

URL: CVE-2013-7315

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-7315

Release Date: 2014-01-23

Fix Resolution: org.springframework:spring-web:3.2.4.RELEASE,org.springframework:spring-web:4.0.0.M3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-0054

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.

Publish Date: 2014-04-17

URL: CVE-2014-0054

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0054

Release Date: 2014-04-17

Fix Resolution: org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22096

Vulnerable Library - spring-web-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-web-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: 5.2.18.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

jquery-1.7.2.min.js: 6 vulnerabilities (highest severity is: 6.1)

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (jquery version) Remediation Possible** Reachability
CVE-2020-11023 Medium 6.1 jquery-1.7.2.min.js Direct jquery - 3.5.0;jquery-rails - 4.4.0
CVE-2020-11022 Medium 6.1 jquery-1.7.2.min.js Direct jQuery - 3.5.0
CVE-2015-9251 Medium 6.1 jquery-1.7.2.min.js Direct jQuery - 3.0.0
CVE-2019-11358 Medium 6.1 jquery-1.7.2.min.js Direct jquery - 3.4.0
CVE-2020-7656 Medium 6.1 jquery-1.7.2.min.js Direct jquery - 1.9.0
CVE-2012-6708 Medium 6.1 jquery-1.7.2.min.js Direct jQuery - v1.9.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-11023

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/jquery/jquery/security/advisories/GHSA-jpcq-cgw6-v4j6,https://github.com/rails/jquery-rails/blob/master/CHANGELOG.md#440

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0

CVE-2020-11022

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

CVE-2015-9251

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: jQuery - 3.0.0

CVE-2019-11358

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: jquery - 3.4.0

CVE-2020-7656

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.

Publish Date: 2020-05-19

URL: CVE-2020-7656

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-q4m3-2j7h-f7xw

Release Date: 2020-05-19

Fix Resolution: jquery - 1.9.0

CVE-2012-6708

Vulnerable Library - jquery-1.7.2.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js

Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js

Dependency Hierarchy:

  • jquery-1.7.2.min.js (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.

Publish Date: 2018-01-18

URL: CVE-2012-6708

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708

Release Date: 2018-01-18

Fix Resolution: jQuery - v1.9.0

mysql-connector-java-5.1.18.jar: 9 vulnerabilities (highest severity is: 8.5)

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (mysql-connector-java version) Remediation Possible** Reachability
CVE-2017-3523 High 8.5 mysql-connector-java-5.1.18.jar Direct 5.1.21
CVE-2022-21363 Medium 6.6 mysql-connector-java-5.1.18.jar Direct mysql:mysql-connector-java:8.0.28
CVE-2017-3586 Medium 6.4 mysql-connector-java-5.1.18.jar Direct 5.1.21
CVE-2019-2692 Medium 6.3 mysql-connector-java-5.1.18.jar Direct 5.1.48
CVE-2020-2934 Medium 5.0 mysql-connector-java-5.1.18.jar Direct 5.1.49
CVE-2020-2875 Medium 4.7 mysql-connector-java-5.1.18.jar Direct 5.1.49
CVE-2015-2575 Medium 4.2 mysql-connector-java-5.1.18.jar Direct 5.1.35
CVE-2017-3589 Low 3.3 mysql-connector-java-5.1.18.jar Direct 5.1.21
CVE-2020-2933 Low 2.2 mysql-connector-java-5.1.18.jar Direct 5.1.49

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-3523

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xxh-f8r3-hvvr

Release Date: 2017-04-24

Fix Resolution: 5.1.21

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-21363

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

Publish Date: 2022-01-19

URL: CVE-2022-21363

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-g76j-4cxx-23h9

Release Date: 2022-01-19

Fix Resolution: mysql:mysql-connector-java:8.0.28

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-3586

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.21

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-2692

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2019-04-23

Fix Resolution: 5.1.48

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-2934

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-2875

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2015-2575

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

Publish Date: 2015-04-16

URL: CVE-2015-2575

CVSS 3 Score Details (4.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-gc43-g62c-99g2

Release Date: 2015-04-16

Fix Resolution: 5.1.35

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2017-3589

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.21

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-2933

Vulnerable Library - mysql-connector-java-5.1.18.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar,/home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar

Dependency Hierarchy:

  • mysql-connector-java-5.1.18.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: 5.1.49

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

poi-3.8.jar: 2 vulnerabilities (highest severity is: 7.5)

Vulnerable Library - poi-3.8.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (poi version) Remediation Possible** Reachability
CVE-2017-12626 High 7.5 poi-3.8.jar Direct 3.17-beta1
WS-2016-7061 Medium 4.8 poi-3.8.jar Direct 3.16-beta1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2017-12626

Vulnerable Library - poi-3.8.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar

Dependency Hierarchy:

  • poi-3.8.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Publish Date: 2018-01-29

URL: CVE-2017-12626

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/453d9af5dbabaccd9afb58d27279a9dbfe8e35f4e5ea1645ddd6960b@%3Cdev.poi.apache.org%3E

Release Date: 2018-01-26

Fix Resolution: 3.17-beta1

⛑️ Automatic Remediation will be attempted for this issue.

WS-2016-7061

Vulnerable Library - poi-3.8.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar,/home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar

Dependency Hierarchy:

  • poi-3.8.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache POI before 3.16-beta1 is vulnerable to bufferoverflow attack due to lack of length sanity check for length of embedded OLE10Native.

Publish Date: 2016-10-14

URL: WS-2016-7061

CVSS 3 Score Details (4.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2016-10-14

Fix Resolution: 3.16-beta1

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

spring-core-3.1.1.RELEASE.jar: 4 vulnerabilities (highest severity is: 5.3)

Vulnerable Library - spring-core-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (spring-core version) Remediation Possible** Reachability
CVE-2018-1199 Medium 5.3 spring-core-3.1.1.RELEASE.jar Direct 4.3.14.RELEASE
CVE-2014-3578 Medium 5.3 spring-core-3.1.1.RELEASE.jar Direct 3.2.9,4.0.5
CVE-2021-22060 Medium 4.3 spring-core-3.1.1.RELEASE.jar Direct 5.2.19.RELEASE
CVE-2021-22096 Medium 4.3 spring-core-3.1.1.RELEASE.jar Direct 5.2.18.RELEASE

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2018-1199

Vulnerable Library - spring-core-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-core-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Publish Date: 2018-03-16

URL: CVE-2018-1199

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199

Release Date: 2018-01-29

Fix Resolution: 4.3.14.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-3578

Vulnerable Library - spring-core-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-core-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.

Publish Date: 2015-02-19

URL: CVE-2014-3578

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578

Release Date: 2015-02-19

Fix Resolution: 3.2.9,4.0.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22060

Vulnerable Library - spring-core-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-core-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.

Publish Date: 2022-01-10

URL: CVE-2021-22060

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/security/cve-2021-22060

Release Date: 2022-01-10

Fix Resolution: 5.2.19.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-22096

Vulnerable Library - spring-core-3.1.1.RELEASE.jar

Spring Framework Parent

Path to dependency file: /ksa-dao-context/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar,/home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar

Dependency Hierarchy:

  • spring-core-3.1.1.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: 5.2.18.RELEASE

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

shiro-web-1.2.0.jar: 7 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (shiro-web version) Remediation Possible** Reachability
CVE-2022-40664 Critical 9.8 shiro-web-1.2.0.jar Direct 1.10.0
CVE-2020-17510 Critical 9.8 shiro-web-1.2.0.jar Direct 1.7.0
CVE-2020-1957 Critical 9.8 shiro-web-1.2.0.jar Direct 1.5.2
CVE-2020-11989 Critical 9.8 shiro-web-1.2.0.jar Direct 1.5.3
CVE-2016-6802 High 7.5 shiro-web-1.2.0.jar Direct 1.3.2
CVE-2019-10086 High 7.3 commons-beanutils-1.8.3.jar Transitive 1.5.0
CVE-2014-0114 High 7.3 commons-beanutils-1.8.3.jar Transitive 1.5.0

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-40664

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.10.0, Authentication Bypass Vulnerability in Shiro when forwarding or including via RequestDispatcher.

Publish Date: 2022-10-12

URL: CVE-2022-40664

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg

Release Date: 2022-10-12

Fix Resolution: 1.10.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-17510

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-11-05

URL: CVE-2020-17510

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/rc2cff2538b683d480426393eecf1ce8dd80e052fbef49303b4f47171%40%3Cdev.shiro.apache.org%3E

Release Date: 2020-11-05

Fix Resolution: 1.7.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-1957

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-03-25

URL: CVE-2020-1957

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://shiro.apache.org/news.html

Release Date: 2020-03-25

Fix Resolution: 1.5.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-11989

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.

Publish Date: 2020-06-22

URL: CVE-2020-11989

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://issues.apache.org/jira/browse/SHIRO-753

Release Date: 2020-06-22

Fix Resolution: 1.5.3

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-6802

Vulnerable Library - shiro-web-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.

Publish Date: 2016-09-20

URL: CVE-2016-6802

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6802

Release Date: 2016-09-20

Fix Resolution: 1.3.2

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2019-10086

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Root Library)
    • shiro-core-1.2.0.jar
      • commons-beanutils-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (org.apache.shiro:shiro-web): 1.5.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-0114

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /ksa-web-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar,/home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

  • shiro-web-1.2.0.jar (Root Library)
    • shiro-core-1.2.0.jar
      • commons-beanutils-1.8.3.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4

Direct dependency fix Resolution (org.apache.shiro:shiro-web): 1.5.0

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

junit-4.8.2.jar: 1 vulnerabilities (highest severity is: 5.5)

Vulnerable Library - junit-4.8.2.jar

JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (junit version) Remediation Possible** Reachability
CVE-2020-15250 Medium 5.5 junit-4.8.2.jar Direct 4.13.1

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2020-15250

Vulnerable Library - junit-4.8.2.jar

JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar,/home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar

Dependency Hierarchy:

  • junit-4.8.2.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: 4.13.1

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

h2-1.3.162.jar: 3 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - h2-1.3.162.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (h2 version) Remediation Possible** Reachability
CVE-2021-42392 Critical 9.8 h2-1.3.162.jar Direct 2.0.206
CVE-2022-23221 Critical 9.8 h2-1.3.162.jar Direct 2.1.210
CVE-2022-45868 High 7.8 h2-1.3.162.jar Direct 2.2.220

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2021-42392

Vulnerable Library - h2-1.3.162.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar

Dependency Hierarchy:

  • h2-1.3.162.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

Publish Date: 2022-01-10

URL: CVE-2021-42392

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h376-j262-vhq6

Release Date: 2022-01-10

Fix Resolution: 2.0.206

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-23221

Vulnerable Library - h2-1.3.162.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar

Dependency Hierarchy:

  • h2-1.3.162.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Publish Date: 2022-01-19

URL: CVE-2022-23221

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-19

Fix Resolution: 2.1.210

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2022-45868

Vulnerable Library - h2-1.3.162.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to dependency file: /ksa-core/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar,/home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar

Dependency Hierarchy:

  • h2-1.3.162.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

** DISPUTED ** The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."

Publish Date: 2022-11-23

URL: CVE-2022-45868

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-22wj-vf5f-wrvj

Release Date: 2022-11-23

Fix Resolution: 2.2.220

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

shiro-core-1.2.0.jar: 6 vulnerabilities (highest severity is: 9.8)

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Vulnerabilities

CVE Severity CVSS Dependency Type Fixed in (shiro-core version) Remediation Possible** Reachability
CVE-2022-32532 Critical 9.8 shiro-core-1.2.0.jar Direct 1.9.1
CVE-2023-34478 Critical 9.8 shiro-core-1.2.0.jar Direct 1.12.0
CVE-2021-41303 Critical 9.8 shiro-core-1.2.0.jar Direct 1.8.0
CVE-2016-4437 High 8.1 shiro-core-1.2.0.jar Direct 1.2.5
CVE-2020-13933 High 7.5 shiro-core-1.2.0.jar Direct 1.6.0
CVE-2014-0074 High 7.3 shiro-core-1.2.0.jar Direct 1.2.3

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2022-32532

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Dependency Hierarchy:

  • shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.9.1, A RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with . in the regular expression are possibly vulnerable to an authorization bypass.

Publish Date: 2022-06-29

URL: CVE-2022-32532

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-4cf5-xmhp-3xj7

Release Date: 2022-06-29

Fix Resolution: 1.9.1

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2023-34478

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Dependency Hierarchy:

  • shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.

Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+

Publish Date: 2023-07-24

URL: CVE-2023-34478

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2023-07-24

Fix Resolution: 1.12.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2021-41303

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Dependency Hierarchy:

  • shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.

Publish Date: 2021-09-17

URL: CVE-2021-41303

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-f6jp-j6w3-w9hm

Release Date: 2021-09-17

Fix Resolution: 1.8.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2016-4437

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Dependency Hierarchy:

  • shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.

Publish Date: 2016-06-07

URL: CVE-2016-4437

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437

Release Date: 2016-06-07

Fix Resolution: 1.2.5

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2020-13933

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Dependency Hierarchy:

  • shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro before 1.6.0, when using Apache Shiro, a specially crafted HTTP request may cause an authentication bypass.

Publish Date: 2020-08-17

URL: CVE-2020-13933

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-13933

Release Date: 2020-08-17

Fix Resolution: 1.6.0

⛑️ Automatic Remediation will be attempted for this issue.

CVE-2014-0074

Vulnerable Library - shiro-core-1.2.0.jar

Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.

Library home page: http://shiro.apache.org/

Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar,/home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar

Dependency Hierarchy:

  • shiro-core-1.2.0.jar (Vulnerable Library)

Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5

Found in base branch: master

Vulnerability Details

Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.

Publish Date: 2014-10-06

URL: CVE-2014-0074

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0074

Release Date: 2014-10-06

Fix Resolution: 1.2.3

⛑️ Automatic Remediation will be attempted for this issue.

⛑️Automatic Remediation will be attempted for this issue.

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.