The TIBCO Streaming Maven Plugin Provides the ability to build, launch, and manage Streaming applications through the open source tool Maven.
This repository contains the Maven plugin for Spotfire® Streaming.
See the generated Maven Site for complete documentation.
Vulnerable Library - dom4j-1.1.jarnull
Path to vulnerable library: /root/.m2/repository/dom4j/dom4j/1.1/dom4j-1.1.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Publish Date: 2018-08-20
URL: CVE-2018-1000632
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
Release Date: 2018-08-20
Fix Resolution: 2.1.1
Vulnerable Library - maven-shared-utils-3.2.1.jarShared utils without any further dependencies
Path to vulnerable library: /ep-maven/target/local-repo/org/apache/maven/shared/maven-shared-utils/3.2.1/maven-shared-utils-3.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
Publish Date: 2022-05-23
URL: CVE-2022-29599
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhgr-952r-6p8q
Release Date: 2022-05-23
Fix Resolution: 3.3.3
Vulnerable Library - junit-4.12.jarJUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to vulnerable library: tibco-streaming-maven-plugin/ep-maven/target/local-repo/junit/junit/4.12/junit-4.12.jar
Dependency Hierarchy:
Vulnerability Details
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-07-21
Fix Resolution: junit:junit:r4.13.1
Vulnerable Library - jquery-3.4.1.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.js
Path to vulnerable library: /2.0.0-M1/ep-maven-plugin/testapidocs/jquery/external/jquery/jquery.js,/2.1.0-SNAPSHOT/ep-maven-plugin/apidocs/jquery/external/jquery/jquery.js,/1.6.0/ep-maven-plugin/apidocs/jquery/external/jquery/jquery.js,/2.0.0-M1/ep-maven-plugin/apidocs/jquery/external/jquery/jquery.js,/2.1.0-SNAPSHOT/ep-maven-plugin/testapidocs/jquery/external/jquery/jquery.js,/1.6.0/ep-maven-plugin/testapidocs/jquery/external/jquery/jquery.js
Dependency Hierarchy:
Found in HEAD commit: ff3f7111123c79ec2d15f6c6120e3e7e58997509
Vulnerability Details
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2020-04-29
Fix Resolution: jquery - 3.5.0;jquery-rails - 4.4.0
Vulnerable Library - httpclient-4.0.2.jarHttpComponents Client (base module)
Library home page: http://hc.apache.org/httpcomponents-client
Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.
Publish Date: 2019-05-30
URL: WS-2017-3734
CVSS 2 Score Details (5.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Release Date: 2019-05-30
Fix Resolution: httpcore-5.0-alpha3-RC1
Vulnerable Library - httpclient-4.0.2.jarHttpComponents Client (base module)
Library home page: http://hc.apache.org/httpcomponents-client
Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
Publish Date: 2014-08-21
URL: CVE-2014-3577
CVSS 2 Score Details (5.8)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3577
Release Date: 2014-08-21
Fix Resolution: 4.3.5,4.0.2
Vulnerable Library - commons-compress-1.19.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
Vulnerable Library - commons-compress-1.19.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
Vulnerable Library - guava-25.1-android.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
Use of Java's default temporary directory for file creation in FileBackedOutputStream in Google Guava versions 1.0 to 31.1 on Unix systems and Android Ice Cream Sandwich allows other users and apps on the machine with access to the default Java temporary directory to be able to access the files created by the class.
Even though the security vulnerability is fixed in version 32.0.0, we recommend using version 32.0.1 as version 32.0.0 breaks some functionality under Windows.
Publish Date: 2023-06-14
URL: CVE-2023-2976
CVSS 3 Score Details (7.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-7g45-4rm6-3mm3
Release Date: 2023-06-14
Fix Resolution (com.google.guava:guava): 32.0.1-android
Direct dependency fix Resolution (org.apache.maven:maven-core): 3.8.2
Vulnerable Library - struts-core-1.3.8.jarApache Struts
Library home page: http://struts.apache.org
Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 does not properly restrict the Validator configuration, which allows remote attackers to conduct cross-site scripting (XSS) attacks or cause a denial of service via crafted input, a related issue to CVE-2015-0899.
Publish Date: 2016-07-04
URL: CVE-2016-1182
CVSS 3 Score Details (8.2)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: kawasima/struts1-forever@eda3a79
Release Date: 2016-06-08
Fix Resolution: Replace or update the following file: ActionServlet.java
Vulnerable Library - commons-io-2.6.jarThe Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Library home page: http://commons.apache.org/proper/commons-io/
Path to vulnerable library: /ep-maven/target/local-repo/commons-io/commons-io/2.6/commons-io-2.6.jar
Dependency Hierarchy:
Found in base branch: main
Vulnerability Details
In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like "//../foo", or "\..\foo", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus "limited" path traversal), if the calling code would use the result to construct a path value.
Publish Date: 2021-04-13
URL: CVE-2021-29425
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-29425
Release Date: 2021-04-13
Fix Resolution: 2.7
Vulnerable Library - plexus-archiver-4.1.0.jarThe Plexus project provides a full software stack for creating and executing software projects.
Library home page: http://codehaus-plexus.github.io/
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
Plexis Archiver is a collection of Plexus components to create archives or extract archives to a directory with a unified Archiver/UnArchiver API. Prior to version 4.8.0, using AbstractUnArchiver for extracting an archive might lead to an arbitrary file creation and possibly remote code execution. When extracting an archive with an entry that already exists in the destination directory as a symbolic link whose target does not exist - the resolveFile() function will return the symlink's source instead of its target, which will pass the verification that ensures the file will not be extracted outside of the destination directory. Later Files.newOutputStream(), that follows symlinks by default, will actually write the entry's content to the symlink's target. Whoever uses plexus archiver to extract an untrusted archive is vulnerable to an arbitrary file creation and possibly remote code execution. Version 4.8.0 contains a patch for this issue.
Publish Date: 2023-07-25
URL: CVE-2023-37460
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wh3p-fphp-9h2m
Release Date: 2023-07-25
Fix Resolution (org.codehaus.plexus:plexus-archiver): 4.8.0
Direct dependency fix Resolution (org.apache.maven.plugins:maven-assembly-plugin): 3.7.0
Vulnerable Library - jquery-3.4.1.jsJavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.js
Path to vulnerable library: /2.0.0-M1/ep-maven-plugin/testapidocs/jquery/external/jquery/jquery.js,/2.1.0-SNAPSHOT/ep-maven-plugin/apidocs/jquery/external/jquery/jquery.js,/1.6.0/ep-maven-plugin/apidocs/jquery/external/jquery/jquery.js,/2.0.0-M1/ep-maven-plugin/apidocs/jquery/external/jquery/jquery.js,/2.1.0-SNAPSHOT/ep-maven-plugin/testapidocs/jquery/external/jquery/jquery.js,/1.6.0/ep-maven-plugin/testapidocs/jquery/external/jquery/jquery.js
Dependency Hierarchy:
Found in HEAD commit: ff3f7111123c79ec2d15f6c6120e3e7e58997509
Vulnerability Details
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
CVSS 3 Score Details (6.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Vulnerable Library - commons-compress-1.19.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
Vulnerable Library - httpclient-4.0.2.jarHttpComponents Client (base module)
Library home page: http://hc.apache.org/httpcomponents-client
Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Publish Date: 2014-09-04
URL: CVE-2012-6153
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6153
Release Date: 2014-09-04
Fix Resolution: 4.2.3
Vulnerable Library - struts-core-1.3.8.jarApache Struts
Library home page: http://struts.apache.org
Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
The MultiPageValidator implementation in Apache Struts 1 1.1 through 1.3.10 allows remote attackers to bypass intended access restrictions via a modified page parameter.
Publish Date: 2016-07-04
URL: CVE-2015-0899
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-0899
Fix Resolution: Upgrade to version Apache Struts 1.2.9 SP2 or greater
Vulnerable Library - guava-25.1-android.jarGuava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: af97744fa730053d9b40d6799fcdfe778a294a65
Found in base branch: main
Vulnerability Details
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
CVSS 3 Score Details (3.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution (com.google.guava:guava): 30.0-android
Direct dependency fix Resolution (org.apache.maven:maven-core): 3.6.2
Vulnerable Library - httpclient-4.0.2.jarHttpComponents Client (base module)
Library home page: http://hc.apache.org/httpcomponents-client
Path to vulnerable library: /root/.m2/repository/org/apache/httpcomponents/httpclient/4.0.2/httpclient-4.0.2.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
Apache HttpClient 4.x before 4.1.1 in Apache HttpComponents, when used with an authenticating proxy server, sends the Proxy-Authorization header to the origin server, which allows remote web servers to obtain sensitive information by logging this header.
Publish Date: 2011-07-07
URL: CVE-2011-1498
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2011-1498
Release Date: 2011-07-07
Fix Resolution: 4.1.1
Vulnerable Library - commons-codec-1.6.jarThe codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/codec/
Path to dependency file: /tibco-streaming-maven-plugin/ep-maven/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-07
URL: WS-2009-0001
CVSS 2 Score Details (0.0)
Base Score Metrics not available
Vulnerable Libraries - struts-core-1.3.8.jar, commons-beanutils-1.7.0.jar
Apache Struts
Library home page: http://struts.apache.org
Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
Dependency Hierarchy:
null
Path to vulnerable library: /root/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://security.gentoo.org/glsa/201607-09
Release Date: 2016-07-20
Fix Resolution: All Commons BeanUtils users should upgrade to the latest version >= commons-beanutils-1.9.2
Vulnerable Library - commons-compress-1.18.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Library home page: https://commons.apache.org/proper/commons-compress/
Path to dependency file: /tibco-streaming-maven-plugin/ep-maven/pom.xml
Path to vulnerable library: /root/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar
Dependency Hierarchy:
Vulnerability Details
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Publish Date: 2019-08-30
URL: CVE-2019-12402
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
Release Date: 2019-08-30
Fix Resolution: 1.19
Vulnerable Library - commons-compress-1.19.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
Loop with Unreachable Exit Condition ('Infinite Loop') vulnerability in Apache Commons Compress.This issue affects Apache Commons Compress: from 1.3 through 1.25.0.
Users are recommended to upgrade to version 1.26.0 which fixes the issue.
Publish Date: 2024-02-19
URL: CVE-2024-25710
CVSS 3 Score Details (5.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2024-25710
Release Date: 2024-02-19
Fix Resolution: 1.26.0
Vulnerable Library - struts-core-1.3.8.jarApache Struts
Library home page: http://struts.apache.org
Path to vulnerable library: /root/.m2/repository/org/apache/struts/struts-core/1.3.8/struts-core-1.3.8.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
ActionServlet.java in Apache Struts 1 1.x through 1.3.10 mishandles multithreaded access to an ActionForm instance, which allows remote attackers to execute arbitrary code or cause a denial of service (unexpected memory access) via a multipart request, a related issue to CVE-2015-0899.
Publish Date: 2016-07-04
URL: CVE-2016-1181
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: kawasima/struts1-forever@eda3a79
Release Date: 2016-06-08
Fix Resolution: Replace or update the following file: ActionServlet.java
Vulnerable Library - commons-codec-1.6.jarThe codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/codec/
Path to dependency file: /tibco-streaming-maven-plugin/ep-maven/pom.xml
Path to vulnerable library: /root/.m2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Dependency Hierarchy:
Found in HEAD commit: 1c0c1fb657845073b28de98c18338a5a470b0586
Vulnerability Details
Base64 encode() method is no longer thread-safe in Apache Commons Codec before version 1.7, which might disclose the wrong data or allow an attacker to change non-private fields.
Publish Date: 2010-02-26
URL: WS-2010-0001
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/CODEC-96
Release Date: 2017-01-31
Fix Resolution: 1.7
Vulnerable Library - commons-compress-1.19.jarApache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /ep-maven/pom.xml
Path to vulnerable library: /ep-maven/pom.xml
Dependency Hierarchy:
Found in HEAD commit: 78d804f7b793ced7ae6b51307775d0475badbca8
Found in base branch: main
Vulnerability Details
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: 1.21
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
