sonatype-nexus-community / struts2-rce Goto Github PK

Vulnerabilities

DepShield reports that this application's usage of org.apache.struts:struts2-core:2.5.10 results in the following vulnerability(s):

• (CVSS 10.0) [CVE-2017-5638] Improper Input Validation
• (CVSS 9.8) [CVE-2018-11776] Apache Struts versions 2.3 to 2.3.34 and 2.5 to 2.5.16 suffer from possible Remo...
• (CVSS 9.8) [CVE-2017-12611] In Apache Struts 2.0.1 through 2.3.33 and 2.5 through 2.5.10, using an unintenti...
• (CVSS 7.5) [CVE-2017-9787] Improper Access Control
• (CVSS 7.5) [CVE-2017-9793] The REST Plugin in Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12 is ...
• (CVSS 7.5) [CVE-2017-9804] In Apache Struts 2.3.7 through 2.3.33 and 2.5 through 2.5.12, if an application ...
• (CVSS 5.9) [CVE-2017-7672] Improper Input Validation

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of commons-collections:commons-collections:3.2.1 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2017-15708] In Apache Synapse, by default no authentication is required for Java Remote Meth...
• (CVSS 7.5) [CVE-2015-6420] Serialized-object interfaces in certain Cisco Collaboration and Social Media; En...

Occurrences

commons-collections:commons-collections:3.2.1 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.struts:struts2-rest-plugin:2.5.10
        └─ net.sf.json-lib:json-lib:2.3
              └─ commons-collections:commons-collections:3.2.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of org.apache.logging.log4j:log4j-core:2.7 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2017-5645] Deserialization of Untrusted Data

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of com.thoughtworks.xstream:xstream:1.4.8 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2017-7957] Improper Input Validation
• (CVSS 7.5) [CVE-2016-3674] Information Exposure

Occurrences

com.thoughtworks.xstream:xstream:1.4.8 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.struts:struts2-rest-plugin:2.5.10
        └─ com.thoughtworks.xstream:xstream:1.4.8

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of com.fasterxml.jackson.core:jackson-databind:2.6.1 results in the following vulnerability(s):

• (CVSS 10.0) [CVE-2018-14721] FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to cond...
• (CVSS 9.8) [CVE-2018-7489] Incomplete Blacklist, Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-19361] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2017-17485] Improper Control of Generation of Code ("Code Injection")
• (CVSS 9.8) [CVE-2018-14719] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-14718] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2017-7525] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2017-15095] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-19360] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-19362] Deserialization of Untrusted Data
• (CVSS 9.8) [CVE-2018-14720] Improper Restriction of XML External Entity Reference ("XXE")
• (CVSS 8.1) [CVE-2018-5968] Incomplete Blacklist, Deserialization of Untrusted Data
• (CVSS 5.4) CWE-611: Improper Restriction of XML External Entity Reference ('XXE')

Occurrences

com.fasterxml.jackson.core:jackson-databind:2.6.1 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.struts:struts2-rest-plugin:2.5.10
        └─ com.fasterxml.jackson.core:jackson-databind:2.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of commons-fileupload:commons-fileupload:1.3.2 results in the following vulnerability(s):

• (CVSS 9.8) [CVE-2016-1000031] Improper Access Control

Occurrences

commons-fileupload:commons-fileupload:1.3.2 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.struts:struts2-core:2.5.10
        └─ commons-fileupload:commons-fileupload:1.3.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

The project could not be analyzed because of build errors. Please review the error messages here. Another build will be scheduled within 24 hours. If the build is successful this issue will be closed, otherwise the error message will be updated.

_{This is an automated GitHub Issue created by Sonatype DepShield. GitHub Apps, including DepShield, can be managed from the Developer settings of the repository administrators.}

Vulnerabilities

DepShield reports that this application's usage of com.google.guava:guava:19.0 results in the following vulnerability(s):

• (CVSS 5.9) [CVE-2018-10237] Deserialization of Untrusted Data

Occurrences

com.google.guava:guava:19.0 is a transitive dependency introduced by the following direct dependency(s):

• org.richfaces:richfaces-core:4.5.17.Final
        └─ com.google.guava:guava:19.0

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of org.springframework:spring-core:4.1.6.RELEASE results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2018-1272] Permissions, Privileges, and Access Controls

Occurrences

org.springframework:spring-core:4.1.6.RELEASE is a transitive dependency introduced by the following direct dependency(s):

• org.springframework:spring-test:4.1.6.RELEASE
        └─ org.springframework:spring-core:4.1.6.RELEASE

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

DepShield was enabled in #3, which is great when you look at home page with README

DepShield should have created GitHub issues, but it did not: it would be useful to see the security issues found by DepShield, like it happened on original repository https://github.com/CMYanko/struts2-rce/issues
(perhaps finding the issue then getting it back would trigger the creation, I don't know)

Vulnerabilities

DepShield reports that this application's usage of commons-beanutils:commons-beanutils:1.9.2 results in the following vulnerability(s):

• (CVSS 7.3) [CVE-2019-10086] In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added wh...

Occurrences

commons-beanutils:commons-beanutils:1.9.2 is a transitive dependency introduced by the following direct dependency(s):

• org.apache.struts:struts2-rest-plugin:2.5.10
        └─ net.sf.json-lib:json-lib:2.3
              └─ commons-beanutils:commons-beanutils:1.9.2

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

DepShield is not currently activated on sonatype-nexus-community organization, then the badge fails with Access Denied:
https://depshield.sonatype.org/badges/sonatype-nexus-community/struts2-rce/depshield.svg

(works on Curtis original repo https://depshield.sonatype.org/badges/CMYanko/struts2-rce/depshield.svg )

Vulnerabilities

DepShield reports that this application's usage of dom4j:dom4j:1.6.1 results in the following vulnerability(s):

• (CVSS 7.5) [CVE-2018-1000632] XML Injection (aka Blind XPath Injection)

Occurrences

dom4j:dom4j:1.6.1 is a transitive dependency introduced by the following direct dependency(s):

• net.sourceforge.jwebunit:jwebunit-htmlunit-plugin:1.4.1
        └─ htmlunit:htmlunit:1.11
              └─ jaxen:jaxen:1.1
                    └─ dom4j:dom4j:1.6.1

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}

Vulnerabilities

DepShield reports that this application's usage of commons-httpclient:commons-httpclient:3.1 results in the following vulnerability(s):

• (CVSS 5.8) [CVE-2014-3577] org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient be...
• (CVSS 4.3) [CVE-2015-5262] Resource Management Errors

_{This is an automated GitHub Issue created by Sonatype DepShield. Details on managing GitHub Apps, including DepShield, are available for personal and organization accounts. Please submit questions or feedback about DepShield to the Sonatype DepShield Community.}