katerinaorg / ksa-reachability
Testing Reachability for Java project
License: Apache License 2.0
This project forked from xsocket/ksa
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Library home page: http://shiro.apache.org/
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-core/1.2.0/shiro-core-1.2.0.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (shiro-core version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2022-32532 | Critical | 9.8 | shiro-core-1.2.0.jar | Direct | 1.9.1 | ✅ | |
CVE-2023-34478 | Critical | 9.8 | shiro-core-1.2.0.jar | Direct | 1.12.0 | ✅ | |
CVE-2021-41303 | Critical | 9.8 | shiro-core-1.2.0.jar | Direct | 1.8.0 | ✅ | |
CVE-2016-4437 | High | 8.1 | shiro-core-1.2.0.jar | Direct | 1.2.5 | ✅ | |
CVE-2020-13933 | High | 7.5 | shiro-core-1.2.0.jar | Direct | 1.6.0 | ✅ | |
CVE-2014-0074 | High | 7.3 | shiro-core-1.2.0.jar | Direct | 1.2.3 | ✅ | |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Found in base branch: master
Apache Shiro before 1.9.1: a RegexRequestMatcher can be misconfigured to be bypassed on some servlet containers. Applications using RegExPatternMatcher with `.` in the regular expression are possibly vulnerable to an authorization bypass.
Publish Date: 2022-06-29
URL: CVE-2022-32532
Type: Upgrade version
Origin: GHSA-4cf5-xmhp-3xj7
Release Date: 2022-06-29
Fix Resolution: 1.9.1
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro, before 1.12.0 or 2.0.0-alpha-3, may be susceptible to a path traversal attack that results in an authentication bypass when used together with APIs or other web frameworks that route requests based on non-normalized requests.
Mitigation: Update to Apache Shiro 1.12.0+ or 2.0.0-alpha-3+
Publish Date: 2023-07-24
URL: CVE-2023-34478
Type: Upgrade version
Release Date: 2023-07-24
Fix Resolution: 1.12.0
⛑️ Automatic Remediation will be attempted for this issue.
In Apache Shiro before 1.8.0, when using Apache Shiro with Spring Boot, a specially crafted HTTP request may cause an authentication bypass. Users should update to Apache Shiro 1.8.0.
Publish Date: 2021-09-17
URL: CVE-2021-41303
Type: Upgrade version
Origin: GHSA-f6jp-j6w3-w9hm
Release Date: 2021-09-17
Fix Resolution: 1.8.0
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro before 1.2.5, when a cipher key has not been configured for the "remember me" feature, allows remote attackers to execute arbitrary code or bypass intended access restrictions via an unspecified request parameter.
Publish Date: 2016-06-07
URL: CVE-2016-4437
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4437
Release Date: 2016-06-07
Fix Resolution: 1.2.5
⛑️ Automatic Remediation will be attempted for this issue.
In Apache Shiro before 1.6.0, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-08-17
URL: CVE-2020-13933
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-13933
Release Date: 2020-08-17
Fix Resolution: 1.6.0
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro 1.x before 1.2.3, when using an LDAP server with unauthenticated bind enabled, allows remote attackers to bypass authentication via an empty (1) username or (2) password.
Publish Date: 2014-10-06
URL: CVE-2014-0074
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0074
Release Date: 2014-10-06
Fix Resolution: 1.2.3
⛑️ Automatic Remediation will be attempted for this issue.
H2 Database Engine
Library home page: http://www.h2database.com
Path to dependency file: /ksa-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/h2database/h2/1.3.162/h2-1.3.162.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (h2 version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2021-42392 | Critical | 9.8 | h2-1.3.162.jar | Direct | 2.0.206 | ✅ | |
CVE-2022-23221 | Critical | 9.8 | h2-1.3.162.jar | Direct | 2.1.210 | ✅ | |
CVE-2022-45868 | High | 7.8 | h2-1.3.162.jar | Direct | 2.2.220 | ✅ | |
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and the URL of the database. An attacker may pass a JNDI driver name and a URL leading to an LDAP or RMI server, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console, which leads to unauthenticated remote code execution.
Publish Date: 2022-01-10
URL: CVE-2021-42392
Type: Upgrade version
Origin: GHSA-h376-j262-vhq6
Release Date: 2022-01-10
Fix Resolution: 2.0.206
⛑️ Automatic Remediation will be attempted for this issue.
H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.
Publish Date: 2022-01-19
URL: CVE-2022-23221
Type: Upgrade version
Release Date: 2022-01-19
Fix Resolution: 2.1.210
⛑️ Automatic Remediation will be attempted for this issue.
** DISPUTED ** The web-based admin console in H2 Database Engine through 2.1.214 can be started via the CLI with the argument -webAdminPassword, which allows the user to specify the password in cleartext for the web admin console. Consequently, a local user (or an attacker that has obtained local access through some means) would be able to discover the password by listing processes and their arguments. NOTE: the vendor states "This is not a vulnerability of H2 Console ... Passwords should never be passed on the command line and every qualified DBA or system administrator is expected to know that."
Publish Date: 2022-11-23
URL: CVE-2022-45868
Type: Upgrade version
Origin: GHSA-22wj-vf5f-wrvj
Release Date: 2022-11-23
Fix Resolution: 2.2.220
⛑️ Automatic Remediation will be attempted for this issue.
Path to dependency file: /ksa-web-root/ksa-security-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (wro4j-core version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2022-23305 | Critical | 9.8 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2019-17571 | Critical | 9.8 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2020-9493 | Critical | 9.8 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2022-23307 | High | 8.8 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2022-23302 | High | 8.8 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2021-4104 | High | 7.5 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2023-26464 | High | 7.5 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
CVE-2020-9488 | Low | 3.7 | log4j-1.2.16.jar | Transitive | N/A* | ❌ | |
*For some transitive vulnerabilities, there is no version of the direct dependency with a fix. Check the "Details" section below to see if there is a version of the transitive dependency where the vulnerability is fixed.
**In some cases, a Remediation PR cannot be created automatically for a vulnerability despite the availability of a remediation.
Apache Log4j 1.2
Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged, allowing unintended SQL queries to be executed. Note that this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2, as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16; log4j-javadoc - 1.2.17-16; log4j - 1.2.17-16
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0, Chainsaw was a component of Apache Log4j 1.2.x, where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Apache Log4j 1.2
Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Apache Log4j 1.2
Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
Apache Log4j 1.2
Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
** UNSUPPORTED WHEN ASSIGNED **
When using the Chainsaw or SocketAppender components with Log4j 1.x on a JRE older than 1.7, an attacker that manages to cause a logging entry involving a specially crafted (i.e., deeply nested) hashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.
This issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.
NOTE: This vulnerability only affects products that are no longer supported by the maintainer.
Publish Date: 2023-03-10
URL: CVE-2023-26464
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-vp98-w2p3-mv35
Release Date: 2023-03-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.0
Apache Log4j 1.2
Path to dependency file: /ksa-service-root/ksa-finance-service/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Improper validation of a certificate with a host mismatch in the Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (bootstrap version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2019-8331 | Medium | 6.1 | bootstrap-2.1.0.js | Direct | bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1 | ❌ | |
CVE-2018-14040 | Medium | 6.1 | bootstrap-2.1.0.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ | |
CVE-2018-20676 | Medium | 6.1 | bootstrap-2.1.0.js | Direct | bootstrap - 3.4.0 | ❌ | |
CVE-2018-14042 | Medium | 6.1 | bootstrap-2.1.0.js | Direct | org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0 | ❌ | |
CVE-2016-10735 | Medium | 6.1 | bootstrap-2.1.0.js | Direct | bootstrap - 3.4.0, 4.0.0-beta.2 | ❌ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.
Publish Date: 2018-07-13
URL: CVE-2018-14040
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.
Publish Date: 2018-07-13
URL: CVE-2018-14042
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-13
Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.
Mend Note: Converted from WS-2018-0021, on 2022-11-08.
Publish Date: 2019-01-09
URL: CVE-2016-10735
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10735
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0, 4.0.0-beta.2
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (ksa-security-dao version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2022-22965 | Critical | 9.8 | spring-beans-3.1.1.RELEASE.jar | Transitive | N/A* | ❌ | |
CVE-2022-22950 | Medium | 6.5 | spring-expression-3.1.1.RELEASE.jar | Transitive | N/A* | ❌ | |
CVE-2023-20861 | Medium | 6.5 | spring-expression-3.1.1.RELEASE.jar | Transitive | N/A* | ❌ | |
CVE-2023-20863 | Medium | 6.5 | spring-expression-3.1.1.RELEASE.jar | Transitive | N/A* | ❌ | |
WS-2021-0174 | Medium | 5.3 | spring-beans-3.1.1.RELEASE.jar | Transitive | N/A* | ❌ | |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18
Spring Framework Parent
Path to dependency file: /ksa-dao-root/ksa-logistics-dao/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-expression:5.2.20,5.3.17
Spring Framework Parent
Path to dependency file: /ksa-dao-root/ksa-logistics-dao/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 6.0.0 - 6.0.6, 5.3.0 - 5.3.25, 5.2.0.RELEASE - 5.2.22.RELEASE, and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-03-23
URL: CVE-2023-20861
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20861
Release Date: 2023-03-23
Fix Resolution: org.springframework:spring-expression:5.2.23.RELEASE,5.3.26,6.0.7
Spring Framework Parent
Path to dependency file: /ksa-dao-root/ksa-logistics-dao/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-expression/3.1.1.RELEASE/spring-expression-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions prior to 5.2.24.RELEASE, 5.3.27 and 6.0.8, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial-of-service (DoS) condition.
Publish Date: 2023-04-13
URL: CVE-2023-20863
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/security/cve-2023-20863
Release Date: 2023-04-13
Fix Resolution: org.springframework:spring-expression - 5.2.24.RELEASE,5.3.27,6.0.8
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/3.1.1.RELEASE/spring-beans-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In spring-framework, versions 3.0.0 to 3.2.18 and 4.0.0 to 4.0.1 are vulnerable to a CGLIB memory leak in method injection, caused by mishandled callbacks and non-static callback classes. The affected range runs to the end of the 3.x line, so there is no 3.x release that fixes it; the remediation below moves the project from 3.1.1.RELEASE to 4.0.2.RELEASE, a major-version upgrade that needs regression testing rather than a drop-in bump.
Publish Date: 2021-06-29
URL: WS-2021-0174
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-06-29
Fix Resolution: org.springframework:spring-beans:4.0.2.RELEASE
The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.
Library home page: http://www.mybatis.org/core/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (mybatis version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2020-26945 | High | 8.1 | mybatis-3.1.1.jar | Direct | 3.5.6 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.
Library home page: http://www.mybatis.org/core/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.1.1/mybatis-3.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
MyBatis before 3.5.6 mishandles deserialization of object streams.
Publish Date: 2020-10-10
URL: CVE-2020-26945
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-10-26
Fix Resolution: 3.5.6
⛑️ Automatic Remediation will be attempted for this issue.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (ksa-finance-web version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
WS-2019-0379 | Medium | 6.5 | commons-codec-1.5.jar | Transitive | N/A* | ❌ | |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.5/commons-codec-1.5.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache commons-codec before commons-codec-1.13-RC1 is vulnerable to information disclosure due to improper input validation. The report marks this dependency as Transitive (the direct-dependency column names ksa-finance-web), so bumping a direct dependency does not close it; the transitive version has to be pinned to 1.13 or later, for example through a dependencyManagement entry in the parent POM, and the resolved tree re-checked afterwards.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (mysql-connector-java version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2017-3523 | High | 8.5 | mysql-connector-java-5.1.18.jar | Direct | 5.1.21 | ✅ | |
CVE-2022-21363 | Medium | 6.6 | mysql-connector-java-5.1.18.jar | Direct | mysql:mysql-connector-java:8.0.28 | ✅ | |
CVE-2017-3586 | Medium | 6.4 | mysql-connector-java-5.1.18.jar | Direct | 5.1.21 | ✅ | |
CVE-2019-2692 | Medium | 6.3 | mysql-connector-java-5.1.18.jar | Direct | 5.1.48 | ✅ | |
CVE-2020-2934 | Medium | 5.0 | mysql-connector-java-5.1.18.jar | Direct | 5.1.49 | ✅ | |
CVE-2020-2875 | Medium | 4.7 | mysql-connector-java-5.1.18.jar | Direct | 5.1.49 | ✅ | |
CVE-2015-2575 | Medium | 4.2 | mysql-connector-java-5.1.18.jar | Direct | 5.1.35 | ✅ | |
CVE-2017-3589 | Low | 3.3 | mysql-connector-java-5.1.18.jar | Direct | 5.1.21 | ✅ | |
CVE-2020-2933 | Low | 2.2 | mysql-connector-java-5.1.18.jar | Direct | 5.1.49 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
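The MyBatis, commons-codec and Connector/J tables above each list a "Fixed in" version per advisory, but what a maintainer actually needs is one upgrade target per jar that closes every listed advisory at once, plus a list of the rows that have no fix at the direct-dependency level. The script below is an added example (it is not part of this repository or of the scanner): the row text is copied verbatim from the three tables above as constructed input, and the parsing, the simplified Maven-style version ordering and the function names are the example's own.

```python
"""Derive one upgrade target per jar from the report tables on this page.
Added example: the row text is copied from the tables above (constructed
input); the parsing and version ordering are the example's own, not the
scanner's."""
import re
from collections import defaultdict

# Rows copied from the MyBatis, commons-codec and Connector/J tables above.
REPORT_ROWS = """
CVE-2020-26945 | High | 8.1 | mybatis-3.1.1.jar | Direct | 3.5.6 | ✅ |
WS-2019-0379 | Medium | 6.5 | commons-codec-1.5.jar | Transitive | N/A* | ❌ |
CVE-2017-3523 | High | 8.5 | mysql-connector-java-5.1.18.jar | Direct | 5.1.21 | ✅ | |
CVE-2022-21363 | Medium | 6.6 | mysql-connector-java-5.1.18.jar | Direct | mysql:mysql-connector-java:8.0.28 | ✅ | |
CVE-2017-3586 | Medium | 6.4 | mysql-connector-java-5.1.18.jar | Direct | 5.1.21 | ✅ | |
CVE-2019-2692 | Medium | 6.3 | mysql-connector-java-5.1.18.jar | Direct | 5.1.48 | ✅ | |
CVE-2020-2934 | Medium | 5.0 | mysql-connector-java-5.1.18.jar | Direct | 5.1.49 | ✅ | |
CVE-2020-2875 | Medium | 4.7 | mysql-connector-java-5.1.18.jar | Direct | 5.1.49 | ✅ | |
CVE-2015-2575 | Medium | 4.2 | mysql-connector-java-5.1.18.jar | Direct | 5.1.35 | ✅ | |
CVE-2017-3589 | Low | 3.3 | mysql-connector-java-5.1.18.jar | Direct | 5.1.21 | ✅ | |
CVE-2020-2933 | Low | 2.2 | mysql-connector-java-5.1.18.jar | Direct | 5.1.49 | ✅ |
"""

# artifact-version.jar, e.g. mysql-connector-java-5.1.18.jar
JAR_RE = re.compile(r"^(?P<artifact>.+?)-(?P<version>\d[\w.-]*)\.jar$")


def version_key(version):
    """Ordering for Maven-style versions: numeric segments as integers, any
    qualifier (RELEASE, RC1, ...) only as a textual tiebreaker. Deliberately
    simpler than Maven's ComparableVersion; enough for dotted release numbers."""
    numbers, qualifiers = [], []
    for part in re.split(r"[.\-]", version):
        if part.isdigit():
            numbers.append(int(part))
        else:
            qualifiers.append(part.upper())
    return (numbers, qualifiers)


def parse_rows(table_text):
    """Turn '|'-separated report rows into dicts; 'N/A*' means no fix version."""
    rows = []
    for line in table_text.strip().splitlines():
        cells = [c.strip() for c in line.split("|")]
        if len(cells) < 6 or not cells[0]:
            continue
        vuln_id, _severity, _cvss, jar, dep_type, fixed_in = cells[:6]
        # 'mysql:mysql-connector-java:8.0.28' -> '8.0.28'; 'N/A*' -> None
        fixed = None if fixed_in.startswith("N/A") else fixed_in.split(":")[-1]
        rows.append({"id": vuln_id, "jar": jar, "type": dep_type, "fixed_in": fixed})
    return rows


def upgrade_targets(rows):
    """Return {jar: (current_version, target_version, unfixed_ids)} where the
    target is the highest fix version across every row for that jar, so one
    bump closes all listed advisories; rows without a fix are reported."""
    by_jar = defaultdict(list)
    for row in rows:
        by_jar[row["jar"]].append(row)
    targets = {}
    for jar, items in by_jar.items():
        match = JAR_RE.match(jar)
        current = match.group("version") if match else None
        fixes = [r["fixed_in"] for r in items if r["fixed_in"]]
        unfixed = [r["id"] for r in items if not r["fixed_in"]]
        target = max(fixes, key=version_key) if fixes else None
        targets[jar] = (current, target, unfixed)
    return targets


def needs_upgrade(current, target):
    """True when the installed version is known and below the computed target."""
    if current is None or target is None:
        return False
    return version_key(current) < version_key(target)


if __name__ == "__main__":
    for jar, (current, target, unfixed) in upgrade_targets(parse_rows(REPORT_ROWS)).items():
        status = "upgrade" if needs_upgrade(current, target) else "no direct fix"
        print(f"{jar}: {current} -> {target} ({status}); unfixed: {unfixed}")
```

Taking the maximum across all rows for a jar matters because individual "Fixed in" values in a scanner report can be inconsistent with the affected range the advisory itself states, and because the rows disagree with each other (5.1.21 through 8.0.28 for the same jar); the computed floor for mysql-connector-java is 8.0.28, which is a move from the 5.1 line to the 8.0 line and therefore a driver behaviour change to test, not a patch-level bump. For commons-codec the result is a target of None with WS-2019-0379 left in the unfixed list, which is the signal to pin the transitive version instead of editing the direct dependency.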
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H). Note that the Fix Resolution given below (5.1.21) is lower than the upper bound of the affected range stated here (5.1.40), so the per-CVE fix version in this report cannot be relied on by itself; a release above the stated affected range, or the highest fix version listed for this jar in the table above, is the safe floor.
Publish Date: 2017-04-24
URL: CVE-2017-3523
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2xxh-f8r3-hvvr
Release Date: 2017-04-24
Fix Resolution: 5.1.21
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Publish Date: 2022-01-19
URL: CVE-2022-21363
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g76j-4cxx-23h9
Release Date: 2022-01-19
Fix Resolution: mysql:mysql-connector-java:8.0.28
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3586
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406
Release Date: 2017-04-24
Fix Resolution: 5.1.21
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Publish Date: 2019-04-23
URL: CVE-2019-2692
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jcq3-cprp-m333
Release Date: 2019-04-23
Fix Resolution: 5.1.48
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.oracle.com/security-alerts/cpuapr2020.html
Release Date: 2020-04-15
Fix Resolution: 5.1.49
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Publish Date: 2020-04-15
URL: CVE-2020-2875
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-15
Fix Resolution: 5.1.49
⛑️ Automatic Remediation will be attempted for this issue.
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Publish Date: 2015-04-16
URL: CVE-2015-2575
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gc43-g62c-99g2
Release Date: 2015-04-16
Fix Resolution: 5.1.35
⛑️ Automatic Remediation will be attempted for this issue.
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily exploitable vulnerability allows a low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3589
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
Release Date: 2017-04-24
Fix Resolution: 5.1.21 (note: this does not match the affected range stated above, 5.1.41 and earlier; an upgrade only leaves that range at 5.1.42 or later, so 5.1.21 cannot be the remediation for this CVE)
⛑️ Automatic Remediation will be attempted for this issue.
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.18/mysql-connector-java-5.1.18.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2933
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
Release Date: 2020-04-15
Fix Resolution: 5.1.49
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-dao-context/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-core version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2018-1199 | Medium | 5.3 | spring-core-3.1.1.RELEASE.jar | Direct | 4.3.14.RELEASE | ✅ | |
CVE-2014-3578 | Medium | 5.3 | spring-core-3.1.1.RELEASE.jar | Direct | 3.2.9,4.0.5 | ✅ | |
CVE-2021-22060 | Medium | 4.3 | spring-core-3.1.1.RELEASE.jar | Direct | 5.2.19.RELEASE | ✅ | |
CVE-2021-22096 | Medium | 4.3 | spring-core-3.1.1.RELEASE.jar | Direct | 5.2.18.RELEASE | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
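The "Fixed in" column above lists, per CVE, the first fixed release on each branch that received a fix ("3.2.9,4.0.5" means 3.2.9 on the 3.x line and 4.0.5 on the 4.x line), and the project resolves spring-core 3.1.1.RELEASE. The Python below is an added example, not part of the scanner output or of the ksa project: it encodes that table as data, implements a branch-aware "is this version past the fix" comparison, and computes the lowest listed release that closes all four CVEs. The version ordering and the branch rule are this example's own simplifications of Maven's ordering; the scanner's actual matching logic is not on the page.

```python
import re

# Constructed from the spring-core table above: CVE -> "Fixed in (spring-core version)".
# A comma-separated value means each maintained branch got its own first fixed release.
SPRING_CORE_FIXES = {
    "CVE-2018-1199": "4.3.14.RELEASE",
    "CVE-2014-3578": "3.2.9,4.0.5",
    "CVE-2021-22060": "5.2.19.RELEASE",
    "CVE-2021-22096": "5.2.18.RELEASE",
}
INSTALLED = "3.1.1.RELEASE"  # the version resolved from /ksa-dao-context/pom.xml

# Ordering of common Maven qualifiers; unknown qualifiers sort between milestones and GA.
_QUALIFIER_RANK = {"": 3, "RELEASE": 3, "GA": 3, "FINAL": 3, "RC": 2, "M": 1, "SNAPSHOT": 0}


def version_key(v):
    """Sort key for a Maven-style version: numeric parts padded to 4, then qualifier rank.
    '4.3.14.RELEASE' -> (4, 3, 14, 0, 3); '5.0.0.RC1' -> (5, 0, 0, 0, 2)."""
    nums, rank = [], 3
    for part in re.split(r"[.\-]", v.strip()):
        if part.isdigit():
            nums.append(int(part))
        else:
            qual = re.match(r"[A-Za-z]*", part).group(0).upper()
            rank = _QUALIFIER_RANK.get(qual, 2)
            break
    nums += [0] * (4 - len(nums))
    return tuple(nums[:4]) + (rank,)


def is_fixed(installed, fixed_in):
    """True if `installed` is at or past the fix on its own branch.

    Rules: below the oldest fixed release -> vulnerable; otherwise compare against the
    fixed release on the same major.minor line, else on the same major line; a version
    on a major line newer than every candidate is treated as fixed."""
    cands = sorted(fixed_in.split(","), key=version_key)
    inst = version_key(installed)
    if inst < version_key(cands[0]):
        return False
    for width in (2, 1):  # same major.minor first, then same major
        same_line = [c for c in cands if version_key(c)[:width] == inst[:width]]
        if same_line:
            return inst >= version_key(same_line[0])
    return True


def still_vulnerable(installed, fixes):
    """CVE ids from `fixes` whose fix `installed` does not reach, sorted."""
    return sorted(cve for cve, fixed_in in fixes.items() if not is_fixed(installed, fixed_in))


def minimum_remediation(installed, fixes):
    """Lowest listed fixed release that closes every CVE in `fixes`, or None."""
    candidates = sorted({c for f in fixes.values() for c in f.split(",")}, key=version_key)
    for c in candidates:
        if not still_vulnerable(c, fixes):
            return c
    return None


if __name__ == "__main__":
    print("open CVEs at", INSTALLED, "->", still_vulnerable(INSTALLED, SPRING_CORE_FIXES))
    print("upgrade spring-core to at least", minimum_remediation(INSTALLED, SPRING_CORE_FIXES))
```

Run as-is it reports all four CVEs open at 3.1.1.RELEASE and 5.2.19.RELEASE as the smallest listed fix that closes them all. Treat that value as a floor rather than a target: 3.1 to 5.2 is a major upgrade, and the empty Reachability column in the table means the scanner has not established whether the vulnerable code is called at all, which is the question to settle before deciding the order of remediation.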
Spring Framework Parent
Path to dependency file: /ksa-dao-context/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-03-16
URL: CVE-2018-1199
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199
Release Date: 2018-01-29
Fix Resolution: 4.3.14.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
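The advisory above describes a mismatch: some containers return path parameters (the `;name=value` part of a path segment) from getPathInfo(), and a constraint matched against that raw value can miss a request that, once the parameter is stripped and decoded, names a protected resource. The Python below is an added example, not Spring's or the project's code; it models that mismatch with a hypothetical prefix constraint `/static/` and a few constructed request paths, pairing a naive matcher that compares the raw value with a hardened one that canonicalizes first and fails closed on anything still encoded after one decode. The request variants illustrate the class of input, they are not the CVE's reproduction.

```python
from urllib.parse import unquote

# Hypothetical security constraint for the example: everything under /static/ needs auth.
SECURED_PREFIXES = ("/static/",)


def naive_is_secured(path_info):
    """Models the pre-fix behaviour the advisory describes: the constraint is matched
    against the path as the container returns it, path parameters included."""
    return any(path_info.startswith(p) for p in SECURED_PREFIXES)


def canonicalize(path_info):
    """Normalise a request path before matching it against constraints:
    drop ';name=value' path parameters from every segment, percent-decode once,
    resolve '.' and '..', and reject anything that still carries encoding after that."""
    out = []
    for seg in path_info.split("/")[1:]:
        seg = unquote(seg.split(";", 1)[0])
        if any(ch in seg for ch in "%/\\\x00"):
            raise ValueError("rejected segment after decoding: %r" % seg)
        if seg == "..":
            if out:
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def hardened_is_secured(path_info):
    """Match on the canonical form, so every spelling of a path gets the same decision."""
    canon = canonicalize(path_info)
    return any(canon == p.rstrip("/") or canon.startswith(p) for p in SECURED_PREFIXES)


# Constructed requests: the plain form, then variants a container may hand back with a
# path parameter or percent-encoding still attached, then a double-encoded segment.
VARIANTS = [
    "/static/app.js",
    "/static;jsessionid=abc/app.js",
    "/static;x=%2f/app.js",
    "/%73tatic/./app.js",
    "/static/%252e%252e/app.js",
]


def decisions(matcher):
    """Map each variant to the matcher's decision; None where the matcher rejects it."""
    result = {}
    for v in VARIANTS:
        try:
            result[v] = matcher(v)
        except ValueError:
            result[v] = None
    return result


if __name__ == "__main__":
    print("naive   :", decisions(naive_is_secured))
    print("hardened:", decisions(hardened_is_secured))
```

The naive matcher says "not secured" for every variant except the plain one, which is exactly the gap the advisory names: the decision depends on how the container spelled the path. The hardened matcher maps the first four variants to `/static/app.js` and rejects the double-encoded one outright rather than guessing, which is the safer default for a security filter.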
Spring Framework Parent
Path to dependency file: /ksa-dao-context/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Directory traversal vulnerability in Pivotal Spring Framework 3.x before 3.2.9 and 4.0 before 4.0.5 allows remote attackers to read arbitrary files via a crafted URL.
Publish Date: 2015-02-19
URL: CVE-2014-3578
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3578
Release Date: 2015-02-19
Fix Resolution: 3.2.9,4.0.5
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-dao-context/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.13, 5.2.0 - 5.2.18, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries. This is a follow-up to CVE-2021-22096 that protects against additional types of input and in more places of the Spring Framework codebase.
Publish Date: 2022-01-10
URL: CVE-2021-22060
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/security/cve-2021-22060
Release Date: 2022-01-10
Fix Resolution: 5.2.19.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-dao-context/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/3.1.1.RELEASE/spring-core-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution: 5.2.18.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
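Both Spring log-injection entries (CVE-2021-22096 here and CVE-2021-22060 above it) describe the same failure: user input containing line terminators is written to a log, ends the current record and starts a forged one. The Python below is an added example, not Spring's fix or the project's code; it neutralizes control characters before the value is formatted into a record and shows, with a small record parser standing in for whatever reads the logs, that the unsanitized value yields two records and the sanitized one yields one. The record format and the tainted input are constructed for the example.

```python
import re

# Constructed input: a user-supplied name carrying CR/LF followed by text shaped like a
# second log record, the class of input the two advisories describe.
TAINTED_USER = "alice\r\n2022-01-10 10:00:01 INFO  login ok user=admin"

_RECORD_RE = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} (\w+)\s+(.*)$")
_CONTROL_RE = re.compile(r"[\x00-\x1f\x7f]")


def neutralize(value):
    """Make control characters visible so a value can neither end a record nor start one.
    CR/LF/TAB become the two-character escapes, anything else becomes \\xNN."""
    def enc(m):
        ch = m.group(0)
        return {"\r": "\\r", "\n": "\\n", "\t": "\\t"}.get(ch, "\\x%02x" % ord(ch))
    return _CONTROL_RE.sub(enc, value)


def format_record(level, message, user, sanitize):
    """One log line; the timestamp is fixed so the output is deterministic."""
    if sanitize:
        user = neutralize(user)
    return "2022-01-10 10:00:00 %s %s user=%s" % (level, message, user)


def parse_records(text):
    """What a log consumer (SIEM, grep, a person) sees: one record per line that
    starts with a timestamp and a level."""
    records = []
    for line in text.splitlines():
        m = _RECORD_RE.match(line)
        if m:
            records.append((m.group(1), m.group(2)))
    return records


if __name__ == "__main__":
    for sanitize in (False, True):
        text = format_record("WARN", "login failed", TAINTED_USER, sanitize)
        print("sanitize=%s -> %d record(s)" % (sanitize, len(parse_records(text))))
        for level, rest in parse_records(text):
            print("   ", level, rest)
```

The framework fix covers the places where Spring itself logs request data; application code that logs usernames, headers or paths needs the same treatment at its own logging call sites, or a structured-logging setup that escapes field values for you.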
JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /ksa-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (junit version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2020-15250 | Medium | 5.5 | junit-4.8.2.jar | Direct | 4.13.1 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
JUnit is a regression testing framework. It is used by the developer who implements unit tests in Java.
Library home page: http://junit.org
Path to dependency file: /ksa-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.8.2/junit-4.8.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files; it is purely an information disclosure vulnerability. It impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, the fix depends on the version of the JDK you are using. For Java 1.7 and higher: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck on Java 1.6, setting the java.io.tmpdir system property (a JVM property, e.g. -Djava.io.tmpdir=..., not an environment variable) to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: 4.13.1
⛑️ Automatic Remediation will be attempted for this issue.
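The JUnit entry above rests on one operating-system fact: a directory created under the shared temp root with default permissions is as readable as the process umask allows, whereas a directory created with mode 0700 is private to its owner whatever the umask. The Python below is an added example, not JUnit's code (the referenced advisory shows that in Java) and not the project's: it creates a directory both ways, measures the group/other permission bits, and includes the check you would run on a candidate directory before pointing java.io.tmpdir at it for the workaround. It assumes a POSIX filesystem.

```python
import os
import secrets
import stat
import tempfile


def make_shared_tmp_dir(prefix="junit"):
    """Models the weak pattern: a fresh directory under the shared temp root created
    with default permissions, so it is only as private as the process umask makes it."""
    path = os.path.join(tempfile.gettempdir(), prefix + secrets.token_hex(8))
    os.mkdir(path)  # mode 0o777 & ~umask, typically 0o755: readable by everyone
    return path


def make_private_tmp_dir(prefix="junit"):
    """Hardened form: mkdtemp creates the directory atomically with mode 0700."""
    return tempfile.mkdtemp(prefix=prefix)


def exposure(path):
    """Permission bits on `path` that grant group or other any kind of access."""
    return stat.S_IMODE(os.stat(path).st_mode) & 0o077


def expected_default_exposure():
    """What make_shared_tmp_dir exposes under the current umask (read, restore)."""
    umask = os.umask(0)
    os.umask(umask)
    return 0o777 & ~umask & 0o077


def tmp_root_is_private(root):
    """The advisory's workaround, as a check: the temp root must be owned by the
    executing user and carry no group/other bits. /tmp (mode 1777, owned by root)
    fails this; a directory from make_private_tmp_dir passes."""
    st = os.stat(root)
    return st.st_uid == os.getuid() and stat.S_IMODE(st.st_mode) & 0o077 == 0


def demo():
    """Create one directory each way, record the findings, remove both."""
    shared, private = make_shared_tmp_dir(), make_private_tmp_dir()
    try:
        return {
            "shared": exposure(shared),
            "expected_shared": expected_default_exposure(),
            "private": exposure(private),
            "private_root_ok": tmp_root_is_private(private),
            "slash_tmp_ok": tmp_root_is_private("/tmp") if os.path.isdir("/tmp") else False,
        }
    finally:
        os.rmdir(shared)
        os.rmdir(private)


if __name__ == "__main__":
    for k, v in demo().items():
        print("%-16s %s" % (k, oct(v) if isinstance(v, int) and not isinstance(v, bool) else v))
```

On a typical machine with umask 022 the shared directory reports exposure 0o055 (read and traverse for group and other) and the private one reports 0; the same measurement, applied to the directory you intend to pass as -Djava.io.tmpdir, tells you whether the workaround actually holds on that host.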
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (shiro-web version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2022-40664 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.10.0 | ✅ | |
CVE-2020-17510 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.7.0 | ✅ | |
CVE-2020-1957 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.5.2 | ✅ | |
CVE-2020-11989 | Critical | 9.8 | shiro-web-1.2.0.jar | Direct | 1.5.3 | ✅ | |
CVE-2016-6802 | High | 7.5 | shiro-web-1.2.0.jar | Direct | 1.3.2 | ✅ | |
CVE-2019-10086 | High | 7.3 | commons-beanutils-1.8.3.jar | Transitive | 1.5.0 | ✅ | |
CVE-2014-0114 | High | 7.3 | commons-beanutils-1.8.3.jar | Transitive | 1.5.0 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Shiro before 1.10.0: authentication bypass in Shiro when a request is forwarded or included via RequestDispatcher.
Publish Date: 2022-10-12
URL: CVE-2022-40664
Base Score Metrics:
Type: Upgrade version
Origin: https://lists.apache.org/thread/loc2ktxng32xpy7lfwxto13k4lvnhjwg
Release Date: 2022-10-12
Fix Resolution: 1.10.0
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Shiro before 1.7.0, when using Apache Shiro with Spring, a specially crafted HTTP request may cause an authentication bypass.
Publish Date: 2020-11-05
URL: CVE-2020-17510
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-11-05
Fix Resolution: 1.7.0
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Shiro before 1.5.2, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-03-25
URL: CVE-2020-1957
Base Score Metrics:
Type: Upgrade version
Origin: https://shiro.apache.org/news.html
Release Date: 2020-03-25
Fix Resolution: 1.5.2
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Shiro before 1.5.3, when using Apache Shiro with Spring dynamic controllers, a specially crafted request may cause an authentication bypass.
Publish Date: 2020-06-22
URL: CVE-2020-11989
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/SHIRO-753
Release Date: 2020-06-22
Fix Resolution: 1.5.3
⛑️ Automatic Remediation will be attempted for this issue.
Apache Shiro is a powerful and flexible open-source security framework that cleanly handles authentication, authorization, enterprise session management, single sign-on and cryptography services.
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/shiro/shiro-web/1.2.0/shiro-web-1.2.0.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Shiro before 1.3.2 allows attackers to bypass intended servlet filters and gain access by leveraging use of a non-root servlet context path.
Publish Date: 2016-09-20
URL: CVE-2016-6802
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6802
Release Date: 2016-09-20
Fix Resolution: 1.3.2
⛑️ Automatic Remediation will be attempted for this issue.
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Apache Commons BeanUtils 1.9.2, a special BeanIntrospector class was added which allows suppressing an attacker's ability to access the classloader via the class property available on all Java objects. However, this introspector was not enabled by default in PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4
Direct dependency fix Resolution (org.apache.shiro:shiro-web): 1.5.0
⛑️ Automatic Remediation will be attempted for this issue.
BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: /ksa-web-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution (commons-beanutils:commons-beanutils): 1.9.4
Direct dependency fix Resolution (org.apache.shiro:shiro-web): 1.5.0
⛑️ Automatic Remediation will be attempted for this issue.
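The two BeanUtils entries above (CVE-2014-0114 and CVE-2019-10086) share one root cause: every Java object exposes getClass() as a bean property named class, so a client-supplied property path can walk from class to classLoader. The following Java example is added here and is not code from the ksa project. InvoiceForm is a constructed stand-in for a form-backing bean. It reproduces the exposure with an unhardened PropertyUtilsBean and shows the SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS fix that 1.9.2 introduced and 1.9.4 enables by default. It needs commons-beanutils 1.9.2 or later on the classpath; the scanned 1.8.3 has neither the introspector nor the default, so it has to be upgraded rather than configured.

```java
// Added example, not the ksa project's code. Requires commons-beanutils >= 1.9.2.
import org.apache.commons.beanutils.PropertyUtilsBean;
import org.apache.commons.beanutils.SuppressPropertiesBeanIntrospector;

public class ClassPropertyDemo {

    // Constructed sample bean standing in for a form-backing object
    // (the ActionForm in the Struts 1 case the CVE text mentions).
    public static class InvoiceForm {
        private String customer = "acme";
        public String getCustomer() { return customer; }
        public void setCustomer(String c) { customer = c; }
    }

    // Unhardened PropertyUtilsBean: getClass() is introspected as property "class",
    // so a nested path reaches the ClassLoader through an ordinary property expression.
    public static Object readUnhardened(String path) throws Exception {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        // Re-creates the pre-1.9.4 default; a no-op on 1.9.2/1.9.3 where it is not registered.
        pub.removeBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub.getProperty(new InvoiceForm(), path);
    }

    // Hardened PropertyUtilsBean: SUPPRESS_CLASS drops "class" from the introspected
    // property set, so the same path fails with NoSuchMethodException ("Unknown property 'class'").
    public static Object readHardened(String path) throws Exception {
        PropertyUtilsBean pub = new PropertyUtilsBean();
        pub.addBeanIntrospector(SuppressPropertiesBeanIntrospector.SUPPRESS_CLASS);
        return pub.getProperty(new InvoiceForm(), path);
    }

    public static void main(String[] args) throws Exception {
        // Prints a ClassLoader instance: the path the CVE descriptions warn about.
        System.out.println("unhardened: " + readUnhardened("class.classLoader"));
        try {
            readHardened("class.classLoader");
        } catch (NoSuchMethodException e) {
            System.out.println("hardened:   " + e.getMessage());
        }
        // Ordinary properties are unaffected by the suppression.
        System.out.println("customer:   " + readHardened("customer"));
    }
}
```

Wherever the application calls BeanUtils.populate or PropertyUtils.setProperty with request parameter names as property paths, the unhardened branch above is the attack surface; upgrading to 1.9.4 turns on the suppression for the shared BeanUtilsBean instance, but any PropertyUtilsBean the application constructs itself should be checked for an explicit removeBeanIntrospector call.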
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (struts2-core version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2017-5638 | Critical | 10.0 | struts2-core-2.3.31.jar | Direct | 2.3.32 | ✅ | |
CVE-2021-31805 | Critical | 9.8 | struts2-core-2.3.31.jar | Direct | 2.5.30 | ✅ | |
CVE-2019-0230 | Critical | 9.8 | struts2-core-2.3.31.jar | Direct | 2.5.22 | ✅ | |
CVE-2016-1000031 | Critical | 9.8 | commons-fileupload-1.2.2.jar | Transitive | 2.3.37 | ✅ | |
CVE-2017-12611 | Critical | 9.8 | struts2-core-2.3.31.jar | Direct | 2.3.34 | ✅ | |
CVE-2020-17530 | Critical | 9.8 | struts2-core-2.3.31.jar | Direct | 2.5.26 | ✅ | |
CVE-2018-11776 | High | 8.1 | struts2-core-2.3.31.jar | Direct | 2.3.35 | ✅ | |
CVE-2016-3092 | High | 7.5 | commons-fileupload-1.2.2.jar | Transitive | 2.3.32 | ✅ | |
CVE-2023-34396 | High | 7.5 | struts2-core-2.3.31.jar | Direct | 2.5.31 | ✅ | |
CVE-2017-9804 | High | 7.5 | detected in multiple dependencies | Transitive | 2.3.34 | ✅ | |
CVE-2023-24998 | High | 7.5 | commons-fileupload-1.2.2.jar | Transitive | 6.1.2 | ✅ | |
CVE-2019-0233 | High | 7.5 | struts2-core-2.3.31.jar | Direct | 2.5.22 | ✅ | |
CVE-2017-9787 | High | 7.5 | detected in multiple dependencies | Transitive | 2.3.33 | ✅ | |
WS-2014-0034 | High | 7.5 | commons-fileupload-1.2.2.jar | Transitive | 2.3.37 | ✅ | |
CVE-2013-2186 | High | 7.3 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ | |
CVE-2014-0050 | High | 7.3 | commons-fileupload-1.2.2.jar | Transitive | 2.3.32 | ✅ | |
CVE-2023-34149 | Medium | 6.5 | struts2-core-2.3.31.jar | Direct | 2.5.31 | ✅ | |
CVE-2021-29425 | Medium | 4.8 | commons-io-2.1.jar | Transitive | 6.1.2 | ✅ | |
CVE-2013-0248 | Medium | 4.0 | commons-fileupload-1.2.2.jar | Transitive | 2.3.32 | ✅ | |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The Jakarta Multipart parser in Apache Struts 2 2.3.x before 2.3.32 and 2.5.x before 2.5.10.1 has incorrect exception handling and error-message generation during file-upload attempts, which allows remote attackers to execute arbitrary commands via a crafted Content-Type, Content-Disposition, or Content-Length HTTP header, as exploited in the wild in March 2017 with a Content-Type header containing a #cmd= string.
Publish Date: 2017-03-11
URL: CVE-2017-5638
Base Score Metrics:
Type: Upgrade version
Release Date: 2017-03-11
Fix Resolution: 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The fix issued for CVE-2020-17530 was incomplete, so in Apache Struts 2.0.0 to 2.5.29 some tag attributes could still perform a double evaluation if a developer applied forced OGNL evaluation using the %{...} syntax. Using forced OGNL evaluation on untrusted user input can lead to Remote Code Execution and security degradation.
Publish Date: 2022-04-12
URL: CVE-2021-31805
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-062
Release Date: 2022-04-12
Fix Resolution: 2.5.30
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Struts 2.0.0 to 2.5.20 forced double OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution.
Publish Date: 2020-09-14
URL: CVE-2019-0230
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-059
Release Date: 2020-09-14
Fix Resolution: 2.5.22
⛑️ Automatic Remediation will be attempted for this issue.
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.3
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.
Publish Date: 2017-09-20
URL: CVE-2017-12611
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-07
Fix Resolution: 2.3.34
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Forced OGNL evaluation, when evaluated on raw user input in tag attributes, may lead to remote code execution. Affected software: Apache Struts 2.0.0 to 2.5.25.
Publish Date: 2020-12-11
URL: CVE-2020-17530
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-061
Release Date: 2020-12-11
Fix Resolution: 2.5.26
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 are subject to possible Remote Code Execution when alwaysSelectFullNamespace is true (set either by the user or by a plugin such as the Convention Plugin) and either of the following holds: results are used with no namespace while their upper package has no namespace or a wildcard namespace; or, similarly, a url tag is used with no value and action set while its upper package has no namespace or a wildcard namespace.
Publish Date: 2018-08-22
URL: CVE-2018-11776
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-11776
Release Date: 2018-08-22
Fix Resolution: 2.3.35
⛑️ Automatic Remediation will be attempted for this issue.
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.2
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts through 2.5.30 and through 6.1.2.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Publish Date: 2023-06-14
URL: CVE-2023-34396
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-4g42-gqrg-4633
Release Date: 2023-06-14
Fix Resolution: 2.5.31
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar
Dependency Hierarchy:
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application allows entering a URL in a form field and built-in URLValidator is used, it is possible to prepare a special URL which will be used to overload server process when performing validation of the URL. NOTE: this vulnerability exists because of an incomplete fix for S2-047 / CVE-2017-7672.
Publish Date: 2017-09-20
URL: CVE-2017-9804
Base Score Metrics:
Type: Upgrade version
Release Date: 2017-09-05
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.34
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.34
⛑️ Automatic Remediation will be attempted for this issue.
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed, resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
Base Score Metrics:
Type: Upgrade version
Origin: https://tomcat.apache.org/security-10.html
Release Date: 2023-02-20
Fix Resolution (commons-fileupload:commons-fileupload): 1.5
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2
⛑️ Automatic Remediation will be attempted for this issue.
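The entry above stresses that the part-count limit added in 1.5 is off unless the application sets it, as are the existing per-file and per-request size limits. The following Java example is added here and is not the ksa project's code. It assumes a servlet that drives commons-fileupload 1.5 directly rather than through the Struts multipart handler, and the limit values are illustrative. It shows all three limits configured on one ServletFileUpload and the limit exceptions turned into a rejection of the whole request.

```java
// Added example, not the ksa project's code. Requires commons-fileupload 1.5 and the servlet API.
import java.util.List;
import javax.servlet.http.HttpServletRequest;
import org.apache.commons.fileupload.FileItem;
import org.apache.commons.fileupload.FileUploadBase;
import org.apache.commons.fileupload.FileUploadException;
import org.apache.commons.fileupload.disk.DiskFileItemFactory;
import org.apache.commons.fileupload.servlet.ServletFileUpload;

public final class BoundedUpload {
    // Illustrative limits; tune them to what the endpoint actually needs.
    private static final long MAX_PARTS = 10;              // CVE-2023-24998: unbounded by default
    private static final long MAX_PART_BYTES = 5L << 20;   // 5 MiB per file
    private static final long MAX_REQUEST_BYTES = 20L << 20; // 20 MiB for the whole body

    private BoundedUpload() {}

    // Build a parser with every limit set explicitly. None of the three is on by default.
    public static ServletFileUpload newUpload() {
        DiskFileItemFactory factory = new DiskFileItemFactory();
        factory.setSizeThreshold(64 * 1024); // spill to disk above 64 KiB in memory
        ServletFileUpload upload = new ServletFileUpload(factory);
        upload.setFileCountMax(MAX_PARTS);        // added in 1.5; does not exist in the scanned 1.2.2
        upload.setFileSizeMax(MAX_PART_BYTES);
        upload.setSizeMax(MAX_REQUEST_BYTES);
        return upload;
    }

    // Parse the multipart body, rejecting the entire request when any limit trips
    // instead of handing a partially parsed prefix to the caller.
    public static List<FileItem> parse(HttpServletRequest request) throws FileUploadException {
        if (!ServletFileUpload.isMultipartContent(request)) {
            throw new FileUploadException("not a multipart request");
        }
        try {
            return newUpload().parseRequest(request);
        } catch (FileUploadBase.FileCountLimitExceededException e) {
            throw new FileUploadException("too many parts (limit " + MAX_PARTS + ")", e);
        } catch (FileUploadBase.FileSizeLimitExceededException e) {
            throw new FileUploadException("a part exceeds " + MAX_PART_BYTES + " bytes", e);
        } catch (FileUploadBase.SizeLimitExceededException e) {
            throw new FileUploadException("request exceeds " + MAX_REQUEST_BYTES + " bytes", e);
        }
    }
}
```

The caller should map the FileUploadException to a 4xx response and log the limit that tripped; items returned on success still need FileItem.delete() once consumed, or temporary files accumulate on disk, which is its own resource-exhaustion path.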
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
An access permission override in Apache Struts 2.0.0 to 2.5.20 may cause a Denial of Service when performing a file upload.
Publish Date: 2020-09-14
URL: CVE-2019-0233
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/ww/s2-060
Release Date: 2020-09-14
Fix Resolution: 2.5.22
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Library home page: http://struts.apache.org/
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/xwork/xwork-core/2.3.31/xwork-core-2.3.31.jar
Dependency Hierarchy:
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
When using a Spring AOP functionality to secure Struts actions it is possible to perform a DoS attack. Solution is to upgrade to Apache Struts version 2.5.12 or 2.3.33.
Publish Date: 2017-07-13
URL: CVE-2017-9787
Base Score Metrics:
Type: Upgrade version
Release Date: 2017-07-13
Fix Resolution (org.apache.struts.xwork:xwork-core): 2.3.33
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.33
⛑️ Automatic Remediation will be attempted for this issue.
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The class FileUploadBase in Apache Commons FileUpload before 1.4 has a potential resource leak: the InputStream is not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
Base Score Metrics:
Type: Upgrade version
Release Date: 2014-02-17
Fix Resolution (commons-fileupload:commons-fileupload): 1.4
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.37
⛑️ Automatic Remediation will be attempted for this issue.
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
Release Date: 2013-10-28
Fix Resolution: commons-fileupload:commons-fileupload:1.3.1
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-03-28
Fix Resolution (commons-fileupload:commons-fileupload): 1.3.1
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
Apache Struts 2
Path to dependency file: /ksa-web-root/ksa-system-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/struts/struts2-core/2.3.31/struts2-core-2.3.31.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Allocation of Resources Without Limits or Throttling vulnerability in Apache Software Foundation Apache Struts. This issue affects Apache Struts: through 2.5.30, through 6.1.2.
Upgrade to Struts 2.5.31 or 6.1.2.1 or greater.
Publish Date: 2023-06-14
URL: CVE-2023-34149
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-8f6x-v685-g2xc
Release Date: 2023-06-14
Fix Resolution: 2.5.31
⛑️ Automatic Remediation will be attempted for this issue.
The Commons IO library contains utility classes, stream implementations, file filters, file comparators and endian classes.
Library home page: http://commons.apache.org/io/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-io/commons-io/2.1/commons-io-2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Apache Commons IO before 2.7, when invoking the method FileNameUtils.normalize with an improper input string, like "//../foo" or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code uses the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution (commons-io:commons-io): 2.7
Direct dependency fix Resolution (org.apache.struts:struts2-core): 6.1.2
⛑️ Automatic Remediation will be attempted for this issue.
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /ksa-web-root/ksa-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution (commons-fileupload:commons-fileupload): 1.3
Direct dependency fix Resolution (org.apache.struts:struts2-core): 2.3.32
⛑️ Automatic Remediation will be attempted for this issue.
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (poi version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2017-12626 | High | 7.5 | poi-3.8.jar | Direct | 3.17-beta1 | ✅ | |
WS-2016-7061 | Medium | 4.8 | poi-3.8.jar | Direct | 3.16-beta1 | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache POI in versions prior to release 3.17 is vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Publish Date: 2018-01-29
URL: CVE-2017-12626
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-01-26
Fix Resolution: 3.17-beta1
⛑️ Automatic Remediation will be attempted for this issue.
Apache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: /ksa-web-root/ksa-logistics-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/poi/poi/3.8/poi-3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Apache POI before 3.16-beta1 is vulnerable to a buffer overflow attack due to a missing length sanity check on the length of embedded OLE10Native data.
Publish Date: 2016-10-14
URL: WS-2016-7061
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-10-14
Fix Resolution: 3.16-beta1
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-web version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2014-0225 | High | 8.8 | spring-web-3.1.1.RELEASE.jar | Direct | org.springframework:spring-web:4.0.5.RELEASE,3.2.9.RELEASE,org.springframework:spring-oxm:4.0.5.RELEASE,3.2.9.RELEASE | ✅ | |
CVE-2018-1272 | High | 7.5 | spring-web-3.1.1.RELEASE.jar | Direct | org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE | ✅ | |
CVE-2020-5421 | Medium | 6.5 | spring-web-3.1.1.RELEASE.jar | Direct | 4.3.29.RELEASE | ✅ | |
CVE-2015-3192 | Medium | 5.5 | spring-web-3.1.1.RELEASE.jar | Direct | 3.2.14.RELEASE | ✅ | |
CVE-2013-6430 | Medium | 5.4 | spring-web-3.1.1.RELEASE.jar | Direct | 3.1.5,3.2.2 | ✅ | |
CVE-2013-6429 | Medium | 5.3 | spring-web-3.1.1.RELEASE.jar | Direct | 3.2.5 | ✅ | |
CVE-2013-7315 | Medium | 5.3 | spring-web-3.1.1.RELEASE.jar | Direct | org.springframework:spring-web:3.2.4.RELEASE,org.springframework:spring-web:4.0.0.M3 | ✅ | |
CVE-2014-0054 | Medium | 5.3 | spring-web-3.1.1.RELEASE.jar | Direct | org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE | ✅ | |
CVE-2021-22096 | Medium | 4.3 | spring-web-3.1.1.RELEASE.jar | Direct | 5.2.18.RELEASE | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
When processing user provided XML documents, the Spring Framework 4.0.0 to 4.0.4, 3.0.0 to 3.2.8, and possibly earlier unsupported versions did not disable by default the resolution of URI references in a DTD declaration. This enabled an XXE attack.
Publish Date: 2017-05-25
URL: CVE-2014-0225
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0225
Release Date: 2017-05-25
Fix Resolution: org.springframework:spring-web:4.0.5.RELEASE,3.2.9.RELEASE,org.springframework:spring-oxm:4.0.5.RELEASE,3.2.9.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1272
Release Date: 2018-04-05
Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 5.2.0 - 5.2.8, 5.1.0 - 5.1.17, 5.0.0 - 5.0.18, 4.3.0 - 4.3.28, and older unsupported versions, the protections against RFD attacks from CVE-2015-5211 may be bypassed depending on the browser used through the use of a jsessionid path parameter.
Publish Date: 2020-09-19
URL: CVE-2020-5421
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2020-5421
Release Date: 2020-09-19
Fix Resolution: 4.3.29.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
Pivotal Spring Framework before 3.2.14 and 4.x before 4.1.7 do not properly process inline DTD declarations when DTD is not entirely disabled, which allows remote attackers to cause a denial of service (memory consumption and out-of-memory errors) via a crafted XML file.
Publish Date: 2016-07-12
URL: CVE-2015-3192
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-3192
Release Date: 2016-07-12
Fix Resolution: 3.2.14.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The JavaScriptUtils.javaScriptEscape method in web/util/JavaScriptUtils.java in Spring MVC in Spring Framework before 3.2.2 does not properly escape certain characters, which allows remote attackers to conduct cross-site scripting (XSS) attacks via a (1) line separator or (2) paragraph separator Unicode character or (3) left or (4) right angle bracket.
Publish Date: 2020-01-10
URL: CVE-2013-6430
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-6430
Release Date: 2020-01-10
Fix Resolution: 3.1.5,3.2.2
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The SourceHttpMessageConverter in Spring MVC in Spring Framework before 3.2.5 and 4.0.0.M1 through 4.0.0.RC1 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152 and CVE-2013-7315.
Publish Date: 2014-01-26
URL: CVE-2013-6429
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-6429
Release Date: 2014-01-26
Fix Resolution: 3.2.5
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The Spring MVC in Spring Framework before 3.2.4 and 4.0.0.M1 through 4.0.0.M2 does not disable external entity resolution for the StAX XMLInputFactory, which allows context-dependent attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML with JAXB, aka an XML External Entity (XXE) issue, and a different vulnerability than CVE-2013-4152. NOTE: this issue was SPLIT from CVE-2013-4152 due to different affected versions.
Publish Date: 2014-01-23
URL: CVE-2013-7315
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-7315
Release Date: 2014-01-23
Fix Resolution: org.springframework:spring-web:3.2.4.RELEASE,org.springframework:spring-web:4.0.0.M3
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
The Jaxb2RootElementHttpMessageConverter in Spring MVC in Spring Framework before 3.2.8 and 4.0.0 before 4.0.2 does not disable external entity resolution, which allows remote attackers to read arbitrary files, cause a denial of service, and conduct CSRF attacks via crafted XML, aka an XML External Entity (XXE) issue. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-4152, CVE-2013-7315, and CVE-2013-6429.
Publish Date: 2014-04-17
URL: CVE-2014-0054
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0054
Release Date: 2014-04-17
Fix Resolution: org.springframework:spring-web:3.2.8.RELEASE,4.0.2.RELEASE,org.springframework:spring-oxm:4.0.2.RELEASE,3.2.8.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-web-root/ksa-finance-web/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/3.1.1.RELEASE/spring-web-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution: 5.2.18.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-context version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2022-22968 | Medium | 5.3 | spring-context-3.1.1.RELEASE.jar | Direct | 5.2.21.RELEASE | ✅ | |
WS-2016-7112 | Medium | 4.9 | spring-context-3.1.1.RELEASE.jar | Direct | 3.2.18.RELEASE | ✅ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Spring Framework Parent
Path to dependency file: /ksa-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.18, 5.2.0 - 5.2.20, and older unsupported versions, the patterns for disallowedFields on a DataBinder are case sensitive which means a field is not effectively protected unless it is listed with both upper and lower case for the first character of the field, including upper and lower case for the first character of all nested fields within the property path.
Publish Date: 2022-04-14
URL: CVE-2022-22968
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22968
Release Date: 2022-04-14
Fix Resolution: 5.2.21.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
Spring Framework Parent
Path to dependency file: /ksa-core/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-context/3.1.1.RELEASE/spring-context-3.1.1.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In Spring Framework, versions 3.0.0.RELEASE through 3.2.17.RELEASE, 4.0.0.RELEASE through 4.2.7.RELEASE and 4.3.0.RELEASE through 4.3.1.RELEASE are vulnerable to Stack-based Buffer Overflow, which allows an authenticated attacker to crash the application when giving CronSequenceGenerator a reversed range in the “minutes” or “hours” fields.
Publish Date: 2021-09-23
URL: WS-2016-7112
Base Score Metrics:
Type: Upgrade version
Release Date: 2016-07-14
Fix Resolution: 3.2.18.RELEASE
⛑️ Automatic Remediation will be attempted for this issue.
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
CVE | Severity | CVSS | Dependency | Type | Fixed in (jquery version) | Remediation Possible** | Reachability |
---|---|---|---|---|---|---|---|
CVE-2020-11023 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jquery - 3.5.0;jquery-rails - 4.4.0 | ❌ | |
CVE-2020-11022 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jQuery - 3.5.0 | ❌ | |
CVE-2015-9251 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jQuery - 3.0.0 | ❌ | |
CVE-2019-11358 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jquery - 3.4.0 | ❌ | |
CVE-2020-7656 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jquery - 1.9.0 | ❌ | |
CVE-2012-6708 | Medium | 6.1 | jquery-1.7.2.min.js | Direct | jQuery - v1.9.0 | ❌ | |
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing <option> elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11022
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - 3.0.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable `__proto__` property, it could extend the native Object.prototype.
Publish Date: 2019-04-20
URL: CVE-2019-11358
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358
Release Date: 2019-04-20
Fix Resolution: jquery - 3.4.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e. "</script >", which results in the enclosed script logic being executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-19
Fix Resolution: jquery - 1.9.0
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Path to vulnerable library: /ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Dependency Hierarchy:
Found in HEAD commit: 204dd0b060fd6e5bb82b7a7e2f313a5ea51e87b5
Found in base branch: master
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0