Npm Workspaces Mono Repo
From the root run:
npm i -g npm@7 # or 8
npm i
This project was forked from zackerydev/monorepo
Lerna Mono Repo
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
CookieInterceptor in Apache Struts 2.x before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and modify session state via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0113.
Publish Date: 2014-05-08
URL: CVE-2014-0116
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0116
Release Date: 2014-05-08
Fix Resolution: 2.3.16.3
⛑️ Automatic Remediation is available for this issue
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz
Dependency Hierarchy:
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Dependency Hierarchy:
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, [email protected], that mitigates this issue. As a workaround, one may ensure /${locale}/_next/ is blocked from reaching the Next.js instance until it becomes feasible to upgrade.
Publish Date: 2022-01-28
URL: CVE-2022-21721
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wr66-vrwm-5g5x
Release Date: 2022-01-28
Fix Resolution: next - 12.0.9
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3749 | High | 7.5 | axios-0.21.1.tgz | Transitive | N/A | ❌ |
CVE-2022-0144 | High | 7.1 | shelljs-0.8.4.tgz | Transitive | N/A | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.6.tgz | Transitive | N/A | ❌ |
CVE-2021-23566 | Medium | 5.5 | nanoid-3.1.30.tgz | Transitive | N/A | ❌ |
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/axios/axios/releases/tag/v0.21.2
Release Date: 2021-08-31
Fix Resolution: axios - 0.21.2
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
shelljs is vulnerable to Improper Privilege Management
Publish Date: 2022-01-11
URL: CVE-2022-0144
Base Score Metrics:
Type: Upgrade version
Origin: shelljs/shelljs@d919d22
Release Date: 2022-01-11
Fix Resolution: shelljs - 0.8.5
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
A tiny (130 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows reproducing the last id generated.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Origin: ai/nanoid#328
Release Date: 2022-01-14
Fix Resolution: nanoid - 3.1.31
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.14.5.tgz | Transitive | N/A | ❌ |
CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.14.5.tgz | Transitive | N/A | ❌ |
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution: follow-redirects - v1.14.7
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution: follow-redirects - 1.14.8
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution: prismjs- v1.27.0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and thus a DoS attack.
Publish Date: 2021-10-19
URL: CVE-2021-37136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.
Publish Date: 2022-02-11
URL: CVE-2021-23555
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555
Release Date: 2022-02-11
Fix Resolution: vm2 - 3.9.6
Core Jackson abstractions, basic JSON streaming API implementation
Library home page: https://github.com/FasterXML/jackson-core
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-core/2.7.9/9b530cec4fd2eb841ab8e79f19fc7cf0ec487b2/jackson-core-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
In Jackson Core before version 2.8.6, if the REST endpoint consumes POST requests with JSON or XML data and the data are invalid, the first unrecognized token is printed to server.log. If the first token is a word of length 10 MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Publish Date: 2018-06-24
URL: WS-2018-0124
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124
Release Date: 2018-01-24
Fix Resolution: 2.8.6
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
ParametersInterceptor in Apache Struts before 2.3.20 does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Publish Date: 2014-04-29
URL: CVE-2014-0112
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0112
Release Date: 2014-04-29
Fix Resolution: 2.3.16.2
⛑️ Automatic Remediation is available for this issue
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33587 | High | 7.5 | css-what-3.4.2.tgz | Transitive | N/A | ❌ |
CVE-2021-3807 | High | 7.5 | multiple | Transitive | N/A | ❌ |
CVE-2021-3803 | High | 7.5 | multiple | Transitive | N/A | ❌ |
WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Transitive | N/A | ❌ |
CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Transitive | N/A | ❌ |
CVE-2022-23647 | Medium | 6.1 | prismjs-1.25.0.tgz | Transitive | N/A | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-1.7.3.tgz | Transitive | N/A | ❌ |
CVE-2020-15168 | Medium | 5.3 | node-fetch-1.7.3.tgz | Transitive | N/A | ❌ |
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,6.0.1
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Dependency Hierarchy:
Parses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution: node-forge - 1.0.0
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution: prismjs- v1.27.0
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.14.5.tgz | Transitive | N/A | ❌ |
CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.14.5.tgz | Transitive | N/A | ❌ |
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution: follow-redirects - v1.14.7
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution: follow-redirects - 1.14.8
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz
Dependency Hierarchy:
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution: follow-redirects - v1.14.7
JavaScript micro templates.
Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3777
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5
Release Date: 2021-09-15
Fix Resolution: tmpl - 1.0.5
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Dependency Hierarchy:
Parses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz
Dependency Hierarchy:
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.5.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution: follow-redirects - 1.14.8
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.codehaus.plexus/plexus-utils/2.0.3/df24cc90fc59f7200f3a1d15c80febb736db9e23/plexus-utils-2.0.3.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Plexus-utils before 3.0.16 is vulnerable to command injection because it does not correctly process the contents of double quoted strings.
Publish Date: 2018-01-03
URL: CVE-2017-1000487
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-1000487
Release Date: 2018-01-03
Fix Resolution: 3.0.16
⛑️ Automatic Remediation is available for this issue
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
CookieInterceptor in Apache Struts before 2.3.20, when a wildcard cookiesName value is used, does not properly restrict access to the getClass method, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via a crafted request. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-0094.
Publish Date: 2014-04-29
URL: CVE-2014-0113
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-0113
Release Date: 2014-04-29
Fix Resolution: 2.3.16.2
⛑️ Automatic Remediation is available for this issue
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
In Apache Struts 2.0.0 through 2.3.33 and 2.5 through 2.5.10.1, using an unintentional expression in a Freemarker tag instead of string literals can lead to an RCE attack.
Publish Date: 2017-09-20
URL: CVE-2017-12611
Base Score Metrics:
Type: Upgrade version
Origin: https://cwiki.apache.org/confluence/display/WW/S2-053
Release Date: 2017-09-20
Fix Resolution: org.apache.struts:struts2-core:2.3.34;org.apache.struts:struts2-core:2.5.12
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-23555 | High | 9.8 | vm2-3.9.5.tgz | Transitive | N/A | ❌ |
CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | N/A | ❌ |
CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.14.6.tgz | Transitive | N/A | ❌ |
CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.14.6.tgz | Transitive | N/A | ❌ |
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during generation of stack traces, which can lead to execution of arbitrary code on the host machine.
Publish Date: 2022-02-11
URL: CVE-2021-23555
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555
Release Date: 2022-02-11
Fix Resolution: vm2 - 3.9.6
JavaScript micro templates.
Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3777
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5
Release Date: 2021-09-15
Fix Resolution: tmpl - 1.0.5
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution: follow-redirects - v1.14.7
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution: follow-redirects - 1.14.8
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,6.0.1
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2.3.19 to 2.3.20.2, 2.3.21 to 2.3.24.1, and 2.3.25 to 2.3.28, when Dynamic Method Invocation is enabled, allow remote attackers to execute arbitrary code via method: prefix, related to chained expressions.
Publish Date: 2016-04-26
URL: CVE-2016-3081
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/apache/struts/tree/STRUTS_2_3_28_1/
Release Date: 2016-04-26
Fix Resolution: org.apache.struts:struts2-core:2.3.20.3,org.apache.struts:struts2-core:2.3.24.3,org.apache.struts:struts2-core: 2.3.28.1
⛑️ Automatic Remediation is available for this issue
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-23646 | High | 7.5 | next-12.0.7.tgz | Transitive | N/A | ❌ |
CVE-2022-21721 | High | 7.5 | next-12.0.7.tgz | Transitive | N/A | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.1.tgz | Transitive | N/A | ❌ |
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the next.config.js file must have an images.domains array assigned and the image host assigned in images.domains must allow user-provided SVG. If the next.config.js file has images.loader assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change next.config.js to use a different loader configuration other than the default.
Publish Date: 2022-02-17
URL: CVE-2022-23646
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646
Release Date: 2022-02-17
Fix Resolution: next - 12.1.0
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use next start or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, [email protected], that mitigates this issue. As a workaround, one may ensure /${locale}/_next/ is blocked from reaching the Next.js instance until it becomes feasible to upgrade.
Publish Date: 2022-01-28
URL: CVE-2022-21721
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wr66-vrwm-5g5x
Release Date: 2022-01-28
Fix Resolution: next - 12.0.9
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
XSLTResult in Apache Struts 2.x before 2.3.20.2, 2.3.24.x before 2.3.24.2, and 2.3.28.x before 2.3.28.1 allows remote attackers to execute arbitrary code via the stylesheet location parameter.
Publish Date: 2016-04-26
URL: CVE-2016-3082
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/apache/struts/tree/STRUTS_2_3_28_1/
Release Date: 2016-04-26
Fix Resolution: org.apache.struts:struts2-core:2.3.20.3,org.apache.struts:struts2-core:2.3.24.3,org.apache.struts:struts2-core:2.3.28.1
⛑️ Automatic Remediation is available for this issue
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-33587 | High | 7.5 | css-what-3.4.2.tgz | Transitive | N/A | ❌ |
CVE-2021-3807 | High | 7.5 | multiple | Transitive | N/A | ❌ |
CVE-2021-3803 | High | 7.5 | multiple | Transitive | N/A | ❌ |
WS-2022-0008 | Medium | 6.6 | node-forge-0.10.0.tgz | Transitive | N/A | ❌ |
CVE-2022-0122 | Medium | 6.1 | node-forge-0.10.0.tgz | Transitive | N/A | ❌ |
CVE-2022-23647 | Medium | 6.1 | prismjs-1.25.0.tgz | Transitive | N/A | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-1.7.3.tgz | Transitive | N/A | ❌ |
CVE-2020-15168 | Medium | 5.3 | node-fetch-1.7.3.tgz | Transitive | N/A | ❌ |
a CSS selector parser
Library home page: https://registry.npmjs.org/css-what/-/css-what-3.4.2.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
The css-what package 4.0.0 through 5.0.0 for Node.js does not ensure that attribute parsing has Linear Time Complexity relative to the size of the input.
Publish Date: 2021-05-28
URL: CVE-2021-33587
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-33587
Release Date: 2021-05-28
Fix Resolution: css-what - 5.0.1
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-4.1.0.tgz
Dependency Hierarchy:
Regular expression for matching ANSI escape codes
Library home page: https://registry.npmjs.org/ansi-regex/-/ansi-regex-3.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
ansi-regex is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3807
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/5b3cf33b-ede0-4398-9974-800876dfd994/
Release Date: 2021-09-17
Fix Resolution: ansi-regex - 5.0.1,6.0.1
performant nth-check parser & compiler
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-1.0.2.tgz
Dependency Hierarchy:
Parses and compiles CSS nth-checks to highly optimized functions.
Library home page: https://registry.npmjs.org/nth-check/-/nth-check-2.0.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
nth-check is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-17
URL: CVE-2021-3803
Base Score Metrics:
Type: Upgrade version
Origin: fb55/nth-check@v2.0.0...v2.0.1
Release Date: 2021-09-17
Fix Resolution: nth-check - v2.0.1
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution: node-forge - 1.0.0
Lightweight, robust, elegant syntax highlighting. A spin-off project from Dabblet.
Library home page: https://registry.npmjs.org/prismjs/-/prismjs-1.25.0.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
Prism is a syntax highlighting library. Starting with version 1.14.0 and prior to version 1.27.0, Prism's command line plugin can be used by attackers to achieve a cross-site scripting attack. The command line plugin did not properly escape its output, leading to the input text being inserted into the DOM as HTML code. Server-side usage of Prism is not impacted. Websites that do not use the Command Line plugin are also not impacted. This bug has been fixed in v1.27.0. As a workaround, do not use the command line plugin on untrusted inputs, or sanitize all code blocks (remove all HTML code text) from all code blocks that use the command line plugin.
Publish Date: 2022-02-18
URL: CVE-2022-23647
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3949-f494-cm99
Release Date: 2022-02-18
Fix Resolution: prismjs - v1.27.0
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
A light-weight module that brings window.fetch to node.js and io.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-1.7.3.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
node-fetch before versions 2.6.1 and 3.0.0-beta.9 did not honor the size option after following a redirect, which means that when a content size was over the limit, a FetchError would never get thrown and the process would end without failure. For most people, this fix will have little or no impact. However, if you are relying on node-fetch to gate files above a size, the impact could be significant, for example: if you don't double-check the size of the data after fetch() has completed, your JS thread could get tied up doing work on a large file (DoS) and/or cost you money in computing.
Publish Date: 2020-09-10
URL: CVE-2020-15168
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-w7rc-rwvf-8q5r
Release Date: 2020-09-17
Fix Resolution: 2.6.1,3.0.0-beta.9
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2.0.0 through 2.3.4 allows remote attackers to cause a denial of service (CPU consumption) via a long parameter name, which is processed as an OGNL expression.
Publish Date: 2012-09-05
URL: CVE-2012-4387
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-4387
Release Date: 2012-09-05
Fix Resolution: org.apache.struts:struts2-core - 2.3.4.1;org.apache.struts.xwork:xwork-core - 2.3.14.3,2.3.16
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted value that contains both "${}" and "%{}" sequences, which causes the OGNL code to be evaluated twice.
Publish Date: 2013-07-16
URL: CVE-2013-2135
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2135
Release Date: 2013-07-16
Fix Resolution: 2.3.14.3
⛑️ Automatic Remediation is available for this issue
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: https://netty.io/
Path to dependency file: /build.gradle
Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/io.netty/netty-codec/4.1.39.Final/38b9d79e31f6b00bd680f88c0289a2522d30d05b/netty-codec-4.1.39.Final.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it may also buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
shelljs is vulnerable to Improper Privilege Management
Publish Date: 2022-01-11
URL: CVE-2022-0144
Base Score Metrics:
Type: Upgrade version
Origin: shelljs/shelljs@d919d22
Release Date: 2022-01-11
Fix Resolution: shelljs - 0.8.5
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
forge is vulnerable to URL Redirection to Untrusted Site
Publish Date: 2022-01-06
URL: CVE-2022-0122
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gf8q-jrpm-jvxq
Release Date: 2022-01-06
Fix Resolution: node-forge - 1.0.0
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different loader configuration other than the default.
Publish Date: 2022-02-17
URL: CVE-2022-23646
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646
Release Date: 2022-02-17
Fix Resolution: next - 12.1.0
A tiny (130 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last id generated to be reproduced.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Origin: ai/nanoid#328
Release Date: 2022-01-14
Fix Resolution: nanoid - 3.1.31
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2.0.0 through 2.3.15 allows remote attackers to execute arbitrary OGNL expressions via a parameter with a crafted (1) action:, (2) redirect:, or (3) redirectAction: prefix.
Publish Date: 2013-07-20
URL: CVE-2013-2251
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2251
Release Date: 2013-07-20
Fix Resolution: 2.3.16
⛑️ Automatic Remediation is available for this issue
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-3749 | High | 7.5 | axios-0.21.1.tgz | Transitive | N/A | ❌ |
CVE-2022-0144 | High | 7.1 | shelljs-0.8.4.tgz | Transitive | N/A | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.6.tgz | Transitive | N/A | ❌ |
CVE-2021-23566 | Medium | 5.5 | nanoid-3.1.30.tgz | Transitive | N/A | ❌ |
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/axios/axios/releases/tag/v0.21.2
Release Date: 2021-08-31
Fix Resolution: axios - 0.21.2
Portable Unix shell commands for Node.js
Library home page: https://registry.npmjs.org/shelljs/-/shelljs-0.8.4.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
shelljs is vulnerable to Improper Privilege Management
Publish Date: 2022-01-11
URL: CVE-2022-0144
Base Score Metrics:
Type: Upgrade version
Origin: shelljs/shelljs@d919d22
Release Date: 2022-01-11
Fix Resolution: shelljs - 0.8.5
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
A tiny (130 bytes), secure URL-friendly unique string ID generator
Library home page: https://registry.npmjs.org/nanoid/-/nanoid-3.1.30.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
The package nanoid from 3.0.0 and before 3.1.31 is vulnerable to Information Exposure via the valueOf() function, which allows the last id generated to be reproduced.
Publish Date: 2022-01-14
URL: CVE-2021-23566
Base Score Metrics:
Type: Upgrade version
Origin: ai/nanoid#328
Release Date: 2022-01-14
Fix Resolution: nanoid - 3.1.31
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution: com.fasterxml.jackson.core:jackson-databind:2.8.11.5,2.9.10,2.10.0.pr3,2.11.0.rc1
⛑️ Automatic Remediation is available for this issue
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2 before 2.3.14.3 allows remote attackers to execute arbitrary OGNL code via a request with a crafted action name that is not properly handled during wildcard matching, a different vulnerability than CVE-2013-2135.
Publish Date: 2013-07-16
URL: CVE-2013-2134
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2134
Release Date: 2013-07-16
Fix Resolution: 2.3.14.3
⛑️ Automatic Remediation is available for this issue
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2021-23555 | High | 9.8 | vm2-3.9.5.tgz | Transitive | N/A | ❌ |
CVE-2021-3777 | High | 7.5 | tmpl-1.0.4.tgz | Transitive | N/A | ❌ |
CVE-2022-0155 | Medium | 6.5 | follow-redirects-1.14.6.tgz | Transitive | N/A | ❌ |
CVE-2022-0536 | Medium | 5.9 | follow-redirects-1.14.6.tgz | Transitive | N/A | ❌ |
vm2 is a sandbox that can run untrusted code with whitelisted Node's built-in modules. Securely!
Library home page: https://registry.npmjs.org/vm2/-/vm2-3.9.5.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
The package vm2 before 3.9.6 is vulnerable to Sandbox Bypass via direct access to host error objects generated by node internals during the generation of stack traces, which can lead to execution of arbitrary code on the host machine.
Publish Date: 2022-02-11
URL: CVE-2021-23555
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-23555
Release Date: 2022-02-11
Fix Resolution: vm2 - 3.9.6
JavaScript micro templates.
Library home page: https://registry.npmjs.org/tmpl/-/tmpl-1.0.4.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
nodejs-tmpl is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-09-15
URL: CVE-2021-3777
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/daaku/nodejs-tmpl/releases/tag/v1.0.5
Release Date: 2021-09-15
Fix Resolution: tmpl - 1.0.5
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
follow-redirects is vulnerable to Exposure of Private Personal Information to an Unauthorized Actor
Publish Date: 2022-01-10
URL: CVE-2022-0155
Base Score Metrics:
Type: Upgrade version
Origin: https://huntr.dev/bounties/fc524e4b-ebb6-427d-ab67-a64181020406/
Release Date: 2022-01-10
Fix Resolution: follow-redirects - v1.14.7
HTTP and HTTPS modules that follow redirects.
Library home page: https://registry.npmjs.org/follow-redirects/-/follow-redirects-1.14.6.tgz
Dependency Hierarchy:
Found in HEAD commit: 956be49b0759dd39c804ba93d224fdefca8cf6d8
Found in base branch: main
Exposure of Sensitive Information to an Unauthorized Actor in NPM follow-redirects prior to 1.14.8.
Publish Date: 2022-02-09
URL: CVE-2022-0536
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-0536
Release Date: 2022-02-09
Fix Resolution: follow-redirects - 1.14.8
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.
Publish Date: 2019-05-17
URL: CVE-2019-12086
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086
Release Date: 2019-05-17
Fix Resolution: 2.9.9
⛑️ Automatic Remediation is available for this issue
Promise based HTTP client for the browser and node.js
Library home page: https://registry.npmjs.org/axios/-/axios-0.21.1.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
axios is vulnerable to Inefficient Regular Expression Complexity
Publish Date: 2021-08-31
URL: CVE-2021-3749
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/axios/axios/releases/tag/v0.21.2
Release Date: 2021-08-31
Fix Resolution: axios - 0.21.2
JavaScript implementations of network transports, cryptography, ciphers, PKI, message digests, and various utilities.
Library home page: https://registry.npmjs.org/node-forge/-/node-forge-0.10.0.tgz
Dependency Hierarchy:
Found in HEAD commit: f33fc38971ee16d2783308b8a2a7ed2d96c7ba62
Found in base branch: main
The forge.debug API had a potential prototype pollution issue if called with untrusted input. The API was only used for internal debug purposes in a safe way and never documented or advertised. It is suspected that uses of this API, if any exist, would likely not have used untrusted inputs in a vulnerable way.
Publish Date: 2022-01-08
URL: WS-2022-0008
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5rrq-pxf6-6jx5
Release Date: 2022-01-08
Fix Resolution: node-forge - 1.0.0
This issue provides visibility into Renovate updates and their statuses.
These updates are currently rate limited. Click on a checkbox below to force their creation now.
(@aws-cdk/assertions, @aws-cdk/core, aws-cdk)
(@nestjs/cli, @nestjs/common, @nestjs/core, @nestjs/platform-express, @nestjs/testing)
(eslint-config-next, next)
(@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
(jest, ts-jest)
(@typescript-eslint/eslint-plugin, @typescript-eslint/parser)
These updates have all been created already. Click a checkbox below to force a retry/rebase of any.
(@skypress/nestjs-dynamodb, @uiw/react-md-editor, autoprefixer, aws-sdk, evergreen-ui, jest, nanoid, postcss, react-router-dom, tailwindcss, ts-jest, ts-node, typescript, uuid)
(@types/jest, jest)
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2.0.0 through 2.3.15.1 allows remote attackers to bypass access controls via a crafted action: prefix.
Publish Date: 2013-09-30
URL: CVE-2013-4310
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4310
Release Date: 2013-09-30
Fix Resolution: org.apache.struts:struts2-core - 2.3.15.2;org.apache.struts:struts2-rest-plugin - 2.3.15.2
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
CVE | Severity | CVSS | Dependency | Type | Fixed in | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-23646 | High | 7.5 | next-12.0.7.tgz | Transitive | N/A | ❌ |
CVE-2022-21721 | High | 7.5 | next-12.0.7.tgz | Transitive | N/A | ❌ |
CVE-2022-0235 | Medium | 6.1 | node-fetch-2.6.1.tgz | Transitive | N/A | ❌ |
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
Next.js is a React framework. Starting with version 10.0.0 and prior to version 12.1.0, Next.js is vulnerable to User Interface (UI) Misrepresentation of Critical Information. In order to be affected, the `next.config.js` file must have an `images.domains` array assigned and the image host assigned in `images.domains` must allow user-provided SVG. If the `next.config.js` file has `images.loader` assigned to something other than default, the instance is not affected. Version 12.1.0 contains a patch for this issue. As a workaround, change `next.config.js` to use a different loader configuration other than the default.
Publish Date: 2022-02-17
URL: CVE-2022-23646
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-23646
Release Date: 2022-02-17
Fix Resolution: next - 12.1.0
The React Framework
Library home page: https://registry.npmjs.org/next/-/next-12.0.7.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
Next.js is a React framework. Starting with version 12.0.0 and prior to version 12.0.9, vulnerable code could allow a bad actor to trigger a denial of service attack for anyone using i18n functionality. In order to be affected by this CVE, one must use `next start` or a custom server and the built-in i18n support. Deployments on Vercel, along with similar environments where invalid requests are filtered before reaching Next.js, are not affected. A patch has been released, `next@12.0.9`, that mitigates this issue. As a workaround, one may ensure `/${locale}/_next/` is blocked from reaching the Next.js instance until it becomes feasible to upgrade.
Publish Date: 2022-01-28
URL: CVE-2022-21721
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wr66-vrwm-5g5x
Release Date: 2022-01-28
Fix Resolution: next - 12.0.9
A light-weight module that brings window.fetch to node.js
Library home page: https://registry.npmjs.org/node-fetch/-/node-fetch-2.6.1.tgz
Dependency Hierarchy:
Found in HEAD commit: 7bab102b4b6f2202c714bb8496b7c31d379d06ea
Found in base branch: main
node-fetch is vulnerable to Exposure of Sensitive Information to an Unauthorized Actor
Publish Date: 2022-01-16
URL: CVE-2022-0235
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-r683-j2x4-v87g
Release Date: 2022-01-16
Fix Resolution: node-fetch - 2.6.7,3.1.1
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution: 2.10
⛑️ Automatic Remediation is available for this issue
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
The token check mechanism in Apache Struts 2.0.0 through 2.3.4 does not properly validate the token name configuration parameter, which allows remote attackers to perform cross-site request forgery (CSRF) attacks by setting the token name configuration parameter to a session attribute.
Publish Date: 2012-09-05
URL: CVE-2012-4386
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-4386
Release Date: 2012-09-05
Fix Resolution: org.apache.struts:struts2-core - 2.3.4.1,2.3.14.2
⛑️ Automatic Remediation is available for this issue
Apache Struts 2
Library home page: http://struts.apache.org/struts2
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/org.apache.struts/struts2-core/2.0.5/72d3b106b74c629c8764230c3931e4a7f39524d3/struts2-core-2.0.5.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache Struts 2.0.0 through 2.3.15.1 enables Dynamic Method Invocation by default, which has unknown impact and attack vectors.
Publish Date: 2013-09-30
URL: CVE-2013-4316
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-4316
Release Date: 2013-09-30
Fix Resolution: org.apache.struts:struts2-core - 2.3.15.2
⛑️ Automatic Remediation is available for this issue
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.7.9/a4c0b14c7dd85bdf4d25da074e90a10fa4b9b88b/jackson-databind-2.7.9.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.9.7
⛑️ Automatic Remediation is available for this issue
The codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Path to dependency file: /build.gradle
Path to vulnerable library: /radle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.8/af3be3f74d25fc5163b54f56a0d394b462dafafd/commons-codec-1.8.jar
Dependency Hierarchy:
Found in HEAD commit: d74adcb0970dfc5e766162c760da662aada1def1
Found in base branch: main
Apache commons-codec before version "commons-codec-1.13-RC1" is vulnerable to information disclosure due to improper input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
⛑️ Automatic Remediation is available for this issue