tibcosoftware / jaspersoft-studio-ce Goto Github PK

Jaspersoft Studio (Community Edition)

License: Other

Shell 0.09% HTML 3.71% Java 71.22% CSS 0.13% JavaScript 4.31% GAP 2.01% Makefile 0.01% XSLT 18.39% Ruby 0.03% Python 0.02% Perl 0.02% NewLisp 0.01% SystemVerilog 0.01% NSIS 0.03% C 0.02% Batchfile 0.01%

jaspersoft-studio-ce's Introduction

Jaspersoft Studio (Community Edition)

Jaspersoft® Studio is editing software for JasperReports®. It will help you design and run report templates; build report queries; write complex expressions; layout components like 50+ types of charts, maps, tables, crosstabs, custom visualisations. It integrates JasperReports® Server to create powerful report workflows.

You can build documents of any complexity from your data. Print-ready PDFs to interactive dynamic HTML with navigation inside or outside the report. High quality PowerPoint, RTF, Word, spreadsheet documents or raw CSV, JSON, or XML. It's not difficult to build custom exporter to suit any need.

Different types of data sources are accessible, big data, CSV, Hibernate, Jaspersoft Domain, JavaBeans, JDBC, JSON, NoSQL, XML, or custom data source.

Available as an Eclipse plug-in or a standalone application, it comes in two editions: Community and Professional. The Professional edition includes additional features, maps, advanced HTML5 charts and professional support.

jaspersoft-studio-ce's People

Contributors

Stargazers

Watchers

jaspersoft-studio-ce's Issues

JS on MacOS Big Sur - Is it possible to solve this issue?

https://community.jaspersoft.com/jaspersoft-studio/issues/13296/mVBIODBSCBcjBS0kNLA_-jmfJGhuPHAEVVMstOjxo28

Jaspersoft Studio doesn't work on macOS Big Sur.
Probably eclipse or Apple issue?

CVE-2021-23463 (High) detected in h2-1.3.171.jar

CVE-2021-23463 - High Severity Vulnerability

Vulnerable Library - h2-1.3.171.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to vulnerable library: /com.jaspersoft.studio.data.drivers/lib/h2-1.3.171.jar

Dependency Hierarchy:

❌ h2-1.3.171.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The package com.h2database:h2 from 1.4.198 and before 2.0.202 are vulnerable to XML External Entity (XXE) Injection via the org.h2.jdbc.JdbcSQLXML class object, when it receives parsed string data from org.h2.jdbc.JdbcResultSet.getSQLXML() method. If it executes the getSource() method when the parameter is DOMSource.class it will trigger the vulnerability.

Publish Date: 2021-12-10

URL: CVE-2021-23463

CVSS 3 Score Details (9.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-23463

Release Date: 2021-12-10

Fix Resolution: com.h2database:h2:2.0.202

Check this box to open an automated fix PR

CVE-2015-9251 (Medium) detected in jquery-1.11.0.min.js

CVE-2015-9251 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to vulnerable library: /jaspersoft-studio-ce/com.jaspersoft.studio.rcp/content/scripts/jquery.min.js

Dependency Hierarchy:

❌ jquery-1.11.0.min.js (Vulnerable Library)

Found in HEAD commit: 9c02d1fee6914fb2bd5cb30e8b4622f89da19cc2

Vulnerability Details

jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.

Publish Date: 2018-01-18

URL: CVE-2015-9251

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251

Release Date: 2018-01-18

Fix Resolution: 3.0.0

Step up your Open Source Security Game with WhiteSource here

WAR files not supported for classpath dependencies

Currently only JAR files can serve as library dependencies. It would be very useful to be able to reference WAR files also.

CVE-2016-10735 (Medium) detected in bootstrap-3.2.0.min.js

CVE-2016-10735 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Path to dependency file: jaspersoft-studio-ce/com.jaspersoft.studio.feature/licenses/TIB_js-studiocomm_eclipse_notices/eclipse_notices/org.hamcrest.core_1.3.0.v20180420-1519.jar__about_files_NEW_BSD_LICENSE.html

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.feature/licenses/TIB_js-studiocomm_eclipse_notices/eclipse_notices/org.hamcrest.core_1.3.0.v20180420-1519.jar__about_files_NEW_BSD_LICENSE.html

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Bootstrap 3.x before 3.4.0 and 4.x-beta before 4.0.0-beta.2, XSS is possible in the data-target attribute, a different vulnerability than CVE-2018-14041.

Publish Date: 2019-01-09

URL: CVE-2016-10735

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-01-09

Fix Resolution: 3.4.0

Multiple axis chart - null pointer exception editing chart

I got a null pointer exception trying to edit a multiple axis chart when click on Chart Plot of a Line Plot, this only happens in this redease.

How to reproduce.
We can use a MultipleAxisChartReport.jrxml from charts example, on the outline tab, click on > PageHeader > Multi Axis > Line Plot, so in Properties click on Chart Plot tab.

This is the exception message: Problems occurred when invoking code from plug-in: "com.jaspersoft.studio.properties".
And the exception stacktrace:

  java.lang.NullPointerException
	at com.jaspersoft.studio.property.section.widgets.SPFont.<init>(SPFont.java:162)
	at com.jaspersoft.studio.property.descriptor.text.FontPropertyDescriptor.createWidget(FontPropertyDescriptor.java:44)
	at com.jaspersoft.studio.property.section.widgets.SPWidgetFactory.createWidget(SPWidgetFactory.java:15)
	at com.jaspersoft.studio.property.section.AbstractSection.createWidget4Property(AbstractSection.java:105)
	at com.jaspersoft.studio.property.section.AbstractSection.createWidget4Property(AbstractSection.java:83)
	at com.jaspersoft.studio.components.chart.property.section.plot.LinePlot.createCategory(LinePlot.java:43)
	at com.jaspersoft.studio.components.chart.property.section.plot.LinePlot.createControls(LinePlot.java:23)
	at com.jaspersoft.studio.components.chart.property.section.ChartPlotSection.getSubplotContainer(ChartPlotSection.java:193)
	at com.jaspersoft.studio.components.chart.property.section.ChartPlotSection.aboutToBeShown(ChartPlotSection.java:205)
	at com.jaspersoft.studio.properties.view.TabContents$4.run(TabContents.java:156)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.ui.internal.JFaceUtil.lambda$0(JFaceUtil.java:47)
	at org.eclipse.jface.util.SafeRunnable.run(SafeRunnable.java:174)
	at com.jaspersoft.studio.properties.view.TabContents.aboutToBeShown(TabContents.java:159)
	at com.jaspersoft.studio.properties.view.TabbedPropertySheetPage$SelectionChangedListener.selectionChanged(TabbedPropertySheetPage.java:239)
	at org.eclipse.jface.viewers.Viewer$1.run(Viewer.java:151)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.ui.internal.JFaceUtil.lambda$0(JFaceUtil.java:47)
	at org.eclipse.jface.util.SafeRunnable.run(SafeRunnable.java:174)
	at org.eclipse.jface.viewers.Viewer.fireSelectionChanged(Viewer.java:148)
	at org.eclipse.jface.viewers.StructuredViewer.updateSelection(StructuredViewer.java:2123)
	at com.jaspersoft.studio.properties.internal.TabbedPropertyViewer.access$0(TabbedPropertyViewer.java:1)
	at com.jaspersoft.studio.properties.internal.TabbedPropertyViewer.updateSelection(TabbedPropertyViewer.java:201)
	at org.eclipse.jface.viewers.StructuredViewer.handleSelect(StructuredViewer.java:1170)
	at org.eclipse.jface.viewers.StructuredViewer$4.widgetSelected(StructuredViewer.java:1199)
	at org.eclipse.jface.util.OpenStrategy.fireSelectionEvent(OpenStrategy.java:242)
	at org.eclipse.jface.util.OpenStrategy.access$4(OpenStrategy.java:237)
	at org.eclipse.jface.util.OpenStrategy$1.handleEvent(OpenStrategy.java:402)
	at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:89)
	at org.eclipse.swt.widgets.Display.sendEvent(Display.java:5676)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1423)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1449)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1432)
	at org.eclipse.swt.widgets.Widget.notifyListeners(Widget.java:1221)
	at com.jaspersoft.studio.properties.internal.TabbedPropertyList.select(TabbedPropertyList.java:206)
	at com.jaspersoft.studio.properties.internal.TabbedPropertyViewer.setSelectionToWidget(TabbedPropertyViewer.java:132)
	at com.jaspersoft.studio.properties.view.TabbedPropertySheetPage.setInput(TabbedPropertySheetPage.java:611)
	at com.jaspersoft.studio.properties.view.TabbedPropertySheetPage.selectionChanged(TabbedPropertySheetPage.java:560)
	at org.eclipse.ui.views.properties.PropertySheet.showSelectionAndDescription(PropertySheet.java:569)
	at org.eclipse.ui.views.properties.PropertySheet.selectionChanged(PropertySheet.java:549)
	at org.eclipse.ui.internal.e4.compatibility.SelectionService.notifyListeners(SelectionService.java:240)
	at org.eclipse.ui.internal.e4.compatibility.SelectionService.handlePostSelectionChanged(SelectionService.java:119)
	at org.eclipse.ui.internal.e4.compatibility.SelectionService.lambda$2(SelectionService.java:74)
	at org.eclipse.e4.ui.internal.workbench.SelectionAggregator$3.run(SelectionAggregator.java:163)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.e4.ui.internal.workbench.SelectionAggregator.notifyPostListeners(SelectionAggregator.java:160)
	at org.eclipse.e4.ui.internal.workbench.SelectionAggregator.access$7(SelectionAggregator.java:158)
	at org.eclipse.e4.ui.internal.workbench.SelectionAggregator$6.lambda$0(SelectionAggregator.java:250)
	at org.eclipse.e4.core.contexts.RunAndTrack.runExternalCode(RunAndTrack.java:59)
	at org.eclipse.e4.ui.internal.workbench.SelectionAggregator$6.changed(SelectionAggregator.java:250)
	at org.eclipse.e4.core.internal.contexts.TrackableComputationExt.update(TrackableComputationExt.java:108)
	at org.eclipse.e4.core.internal.contexts.EclipseContext.processScheduled(EclipseContext.java:364)
	at org.eclipse.e4.core.internal.contexts.EclipseContext.set(EclipseContext.java:379)
	at org.eclipse.e4.ui.internal.workbench.SelectionServiceImpl.setPostSelection(SelectionServiceImpl.java:39)
	at org.eclipse.ui.internal.e4.compatibility.CompatibilityPart.lambda$2(CompatibilityPart.java:128)
	at org.eclipse.ui.part.PageBookView$SelectionManager$1.run(PageBookView.java:241)
	at org.eclipse.core.runtime.SafeRunner.run(SafeRunner.java:45)
	at org.eclipse.ui.part.PageBookView$SelectionManager.selectionChanged(PageBookView.java:238)
	at org.eclipse.ui.part.PageBookView$SelectionProvider.postSelectionChanged(PageBookView.java:305)
	at org.eclipse.ui.part.PageBookView.postSelectionChanged(PageBookView.java:860)
	at org.eclipse.ui.part.PageBookView.lambda$2(PageBookView.java:165)
	at com.jaspersoft.studio.editor.outline.page.MultiOutlineView.setSelection(MultiOutlineView.java:219)
	at com.jaspersoft.studio.editor.outline.page.MultiOutlineView.selectionChanged(MultiOutlineView.java:121)
	at org.eclipse.gef.ui.parts.AbstractEditPartViewer.fireSelectionChanged(AbstractEditPartViewer.java:247)
	at org.eclipse.gef.ui.parts.TreeViewer.fireSelectionChanged(TreeViewer.java:171)
	at org.eclipse.gef.ui.parts.AbstractEditPartViewer$1.run(AbstractEditPartViewer.java:131)
	at org.eclipse.gef.SelectionManager.fireSelectionChanged(SelectionManager.java:156)
	at org.eclipse.gef.SelectionManager.setSelection(SelectionManager.java:314)
	at org.eclipse.gef.ui.parts.AbstractEditPartViewer.setSelection(AbstractEditPartViewer.java:751)
	at org.eclipse.gef.ui.parts.TreeViewer$1.widgetSelected(TreeViewer.java:196)
	at org.eclipse.swt.widgets.TypedListener.handleEvent(TypedListener.java:252)
	at org.eclipse.swt.widgets.EventTable.sendEvent(EventTable.java:89)
	at org.eclipse.swt.widgets.Display.sendEvent(Display.java:5676)
	at org.eclipse.swt.widgets.Widget.sendEvent(Widget.java:1423)
	at org.eclipse.swt.widgets.Display.runDeferredEvents(Display.java:4935)
	at org.eclipse.swt.widgets.Display.readAndDispatch(Display.java:4429)
	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine$5.run(PartRenderingEngine.java:1160)
	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
	at org.eclipse.e4.ui.internal.workbench.swt.PartRenderingEngine.run(PartRenderingEngine.java:1049)
	at org.eclipse.e4.ui.internal.workbench.E4Workbench.createAndRunUI(E4Workbench.java:155)
	at org.eclipse.ui.internal.Workbench.lambda$3(Workbench.java:660)
	at org.eclipse.core.databinding.observable.Realm.runWithDefault(Realm.java:338)
	at org.eclipse.ui.internal.Workbench.createAndRunWorkbench(Workbench.java:559)
	at org.eclipse.ui.PlatformUI.createAndRunWorkbench(PlatformUI.java:154)
	at com.jaspersoft.studio.rcp.intro.Application.start(Application.java:94)
	at org.eclipse.equinox.internal.app.EclipseAppHandle.run(EclipseAppHandle.java:203)
	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.runApplication(EclipseAppLauncher.java:137)
	at org.eclipse.core.runtime.internal.adaptor.EclipseAppLauncher.start(EclipseAppLauncher.java:107)
	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:401)
	at org.eclipse.core.runtime.adaptor.EclipseStarter.run(EclipseStarter.java:255)
	at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
	at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
	at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
	at java.lang.reflect.Method.invoke(Method.java:498)
	at org.eclipse.equinox.launcher.Main.invokeFramework(Main.java:657)
	at org.eclipse.equinox.launcher.Main.basicRun(Main.java:594)
	at org.eclipse.equinox.launcher.Main.run(Main.java:1465)
	at org.eclipse.equinox.launcher.Main.main(Main.java:1438)

I'm using version JSS 6.14.0 on ubuntu 20

WS-2018-0021 (Medium) detected in bootstrap-3.2.0.min.js

WS-2018-0021 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_d5f8acb6-4206-40ce-adba-6ff7760859f9/20191212233319_70740/ws-scm_depth_0/jaspersoft-studio-ce/com.jaspersoft.studio.feature/licenses/TIB_js-studiocomm_eclipse_notices/eclipse_notices/org.hamcrest.core.source_1.3.0.v20180420-1519.jar__about_files_NEW_BSD_LICENSE.html

Path to vulnerable library: _depth_0/jaspersoft-studio-ce/com.jaspersoft.studio.feature/licenses/TIB_js-studiocomm_eclipse_notices/eclipse_notices/org.hamcrest.core.source_1.3.0.v20180420-1519.jar__about_files_NEW_BSD_LICENSE.html

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Vulnerability Details

XSS in data-target in bootstrap (3.3.7 and before)

Publish Date: 2017-06-27

URL: WS-2018-0021

CVSS 2 Score Details (6.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#20184

Release Date: 2019-06-12

Fix Resolution: 3.4.0

CVE-2013-4002 (High) detected in xercesImpl-2.9.0.jar

CVE-2013-4002 - High Severity Vulnerability

Vulnerable Library - xercesImpl-2.9.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.doc/lib/xercesImpl-2.9.0.jar

Dependency Hierarchy:

❌ xercesImpl-2.9.0.jar (Vulnerable Library)

Found in HEAD commit: 9c02d1fee6914fb2bd5cb30e8b4622f89da19cc2

Found in base branch: master

Vulnerability Details

XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.

Publish Date: 2013-07-23

URL: CVE-2013-4002

CVSS 2 Score Details (7.1)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4002

Release Date: 2013-07-23

Fix Resolution: xerces:xercesImpl:Xerces-J_2_12_0

Check this box to open an automated fix PR

Can it fully support JasperReports Library 6.19.1

JasperReports Library fix the CVE-2022-22965 in 6.19.1,Can jaspersoft-studio-ce 6.19.0 fully support JasperReports Library 6.19.1? Will jaspersoft-studio upgrade the spring version in time to fix this vulnerability?

Cannot switch List view and Report view

When I go into a List view, I can no longer go to the report view. While the outline does udate, the "Design" view is stuck on the List view.

See: https://cl.ly/0d39d397e40a

CVE-2018-14042 (Medium) detected in bootstrap-3.2.0.min.js

CVE-2018-14042 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 6f5237a1153a6e288f260cfa24a1ffd6877617af

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-container property of tooltip.

Publish Date: 2018-07-13

URL: CVE-2018-14042

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2.org.webjars:bootstrap:3.4.0

WS-2022-0080 (High) detected in postgresql-42.3.2.jar

WS-2022-0080 - High Severity Vulnerability

Vulnerable Library - postgresql-42.3.2.jar

PostgreSQL JDBC Driver Postgresql

Library home page: https://jdbc.postgresql.org

Path to vulnerable library: /com.jaspersoft.studio.data.drivers/lib/postgresql-42.3.2.jar

Dependency Hierarchy:

❌ postgresql-42.3.2.jar (Vulnerable Library)

Found in HEAD commit: d6f8055328f8ffc8144e2a0d2a70484c9c0ec9ce

Found in base branch: master

Vulnerability Details

In org.postgresql:postgresql before 42.3.3 the connection properties for configuring a pgjdbc connection are not meant to be exposed to an unauthenticated attacker. While allowing an attacker to specify arbitrary connection properties could lead to a compromise of a system, that's a defect of an application that allows unauthenticated attackers that level of control.

Publish Date: 2022-02-16

URL: WS-2022-0080

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-673j-qm5f-xpv8

Release Date: 2022-02-16

Fix Resolution: org.postgresql:postgresql:42.3.3

CVE-2014-0107 (High) detected in xalan-2.7.1-NODEP.jar

CVE-2014-0107 - High Severity Vulnerability

Vulnerable Library - xalan-2.7.1-NODEP.jar

Xalan-Java is an XSLT processor for transforming XML documents into HTML, text, or other XML document types. It implements XSL Transformations (XSLT) Version 1.0 and XML Path Language (XPath) Version 1.0 and can be used from the command line, in an applet or a servlet, or as a module in other program.

Library home page: http://xml.apache.org/xalan-j/

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.doc/lib/xalan-2.7.1.jar

Dependency Hierarchy:

❌ xalan-2.7.1.jar (Vulnerable Library)

Found in HEAD commit: 9c02d1fee6914fb2bd5cb30e8b4622f89da19cc2

Found in base branch: master

Vulnerability Details

The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.

Publish Date: 2014-04-15

URL: CVE-2014-0107

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0107

Release Date: 2014-04-15

Fix Resolution: 2.7.2

Check this box to open an automated fix PR

CVE-2021-42392 (High) detected in h2-1.3.171.jar

CVE-2021-42392 - High Severity Vulnerability

Vulnerable Library - h2-1.3.171.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to vulnerable library: /com.jaspersoft.studio.data.drivers/lib/h2-1.3.171.jar

Dependency Hierarchy:

❌ h2-1.3.171.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

The org.h2.util.JdbcUtils.getConnection method of the H2 database takes as parameters the class name of the driver and URL of the database. An attacker may pass a JNDI driver name and a URL leading to a LDAP or RMI servers, causing remote code execution. This can be exploited through various attack vectors, most notably through the H2 Console which leads to unauthenticated remote code execution.

Publish Date: 2022-01-10

URL: CVE-2021-42392

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h376-j262-vhq6

Release Date: 2022-01-10

Fix Resolution: com.h2database:h2:2.0.206

Check this box to open an automated fix PR

JusperStudio SWT base report viewer

Hi,

I noticed that, JusperStudio implemented the report viewer in SWT which nicer than Swing base.
but I cannot find this control in the source code.
and also, I notice it rendered the report nicer than Swing.

Thanks

CVE-2022-26520 (High) detected in postgresql-42.3.2.jar

CVE-2022-26520 - High Severity Vulnerability

Vulnerable Library - postgresql-42.3.2.jar

PostgreSQL JDBC Driver Postgresql

Library home page: https://jdbc.postgresql.org

Path to vulnerable library: /com.jaspersoft.studio.data.drivers/lib/postgresql-42.3.2.jar

Dependency Hierarchy:

❌ postgresql-42.3.2.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

** DISPUTED ** In pgjdbc before 42.3.3, an attacker (who controls the jdbc URL or properties) can call java.util.logging.FileHandler to write to arbitrary files through the loggerFile and loggerLevel connection properties. An example situation is that an attacker could create an executable JSP file under a Tomcat web root. NOTE: the vendor's position is that there is no pgjdbc vulnerability; instead, it is a vulnerability for any application to use the pgjdbc driver with untrusted connection properties.

Publish Date: 2022-03-10

URL: CVE-2022-26520

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://security-tracker.debian.org/tracker/CVE-2022-26520

Release Date: 2022-03-10

Fix Resolution: org.postgresql:postgresql:42.3.3

WS-2017-3805 (Medium) detected in json-20131018.jar - autoclosed

WS-2017-3805 - Medium Severity Vulnerability

Vulnerable Library - json-20131018.jar

JSON is a light-weight, language independent, data interchange format. See http://www.JSON.org/

	The files in this package implement JSON encoders/decoders in Java.
	It also includes the capability to convert between JSON and XML, HTTP
	headers, Cookies, and CDL.

	This is a reference implementation. There is a large number of JSON packages
	in Java. Perhaps someday the Java community will standardize on one. Until
	then, choose carefully.

	The license includes this restriction: "The software shall be used for good,
	not evil." If your conscience cannot live with that, then choose a different
	package.

	The package compiles on Java 1.2 thru Java 1.4.</p>

Library home page: https://github.com/douglascrockford/JSON-java

Path to vulnerable library: /com.jaspersoft.studio.server/lib/jersey/json-20131018.jar

Dependency Hierarchy:

❌ json-20131018.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

Affected versions of JSON In Java are vulnerable to Denial of Service (DoS) when trying to initialize a JSONArray object and the input is [. This will cause the jvm to crash with StackOverflowError due to non-cyclical stack overflow.

Publish Date: 2017-10-30

URL: WS-2017-3805

CVSS 3 Score Details (5.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Local
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Release Date: 2017-10-30

Fix Resolution: 20180130

How to generate datamatrix with PNC1 symbol in start?

Hello!

How to generate datamatrix with PNC1 symbol in start?

Thanks!

checksum for releases

are the checksums available for the releases? where can we find them?

CVE-2018-14040 (Medium) detected in bootstrap-3.2.0.min.js

CVE-2018-14040 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 6f5237a1153a6e288f260cfa24a1ffd6877617af

Found in base branch: master

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the collapse data-parent attribute.

Publish Date: 2018-07-13

URL: CVE-2018-14040

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#26630

Release Date: 2018-07-13

Fix Resolution: org.webjars.npm:bootstrap:4.1.2,org.webjars:bootstrap:3.4.0

CVE-2020-11022 (Medium) detected in jquery-3.4.1.min.js

CVE-2020-11022 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to dependency file: jaspersoft-studio-ce/com.jaspersoft.studio.rcp/content/index.xhtml

Path to vulnerable library: com.jaspersoft.studio.rcp/content/scripts/jquery-3.4.1.min.js,jaspersoft-studio-ce/com.jaspersoft.studio.rcp/content/scripts/jquery-3.4.1.min.js

Dependency Hierarchy:

❌ jquery-3.4.1.min.js (Vulnerable Library)

Found in HEAD commit: 1160eb61eed1947e2b864b626b04eb2deab55f78

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11022

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/

Release Date: 2020-04-29

Fix Resolution: jQuery - 3.5.0

Java 11 support

Please support Java 11.

CVE-2018-20677 (Medium) detected in bootstrap-3.2.0.min.js

CVE-2018-20677 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Found in HEAD commit: 6f5237a1153a6e288f260cfa24a1ffd6877617af

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.

Publish Date: 2019-01-09

URL: CVE-2018-20677

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677

Release Date: 2019-01-09

Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0

CVE-2019-11358 (Medium) detected in jquery-1.11.0.min.js

CVE-2019-11358 - Medium Severity Vulnerability

Vulnerable Library - jquery-1.11.0.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.11.0/jquery.min.js

Path to vulnerable library: /jaspersoft-studio-ce/com.jaspersoft.studio.rcp/content/scripts/jquery.min.js

Dependency Hierarchy:

❌ jquery-1.11.0.min.js (Vulnerable Library)

Found in HEAD commit: 9c02d1fee6914fb2bd5cb30e8b4622f89da19cc2

Vulnerability Details

jQuery before 3.4.0, as used in Drupal, Backdrop CMS, and other products, mishandles jQuery.extend(true, {}, ...) because of Object.prototype pollution. If an unsanitized source object contained an enumerable proto property, it could extend the native Object.prototype.

Publish Date: 2019-04-20

URL: CVE-2019-11358

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-11358

Release Date: 2019-04-20

Fix Resolution: 3.4.0

Step up your Open Source Security Game with WhiteSource here

Support for layers

The latest release note says "Full support for JasperReports Library 6.16.0"
However, it is nearly impossible to work with layers. IReport had functionality to toggle between them. I don't see that in Studio.

CVE-2020-25638 (High) detected in hibernate-core-5.4.1.Final.jar

CVE-2020-25638 - High Severity Vulnerability

Vulnerable Library - hibernate-core-5.4.1.Final.jar

Hibernate's core ORM functionality

Library home page: http://hibernate.org/orm

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.hibernate/lib/hibernate-core-5.4.1.Final.jar

Dependency Hierarchy:

❌ hibernate-core-5.4.1.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A flaw was found in hibernate-core in versions prior to and including 5.4.23.Final. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SQL comments of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks. The highest threat from this vulnerability is to data confidentiality and integrity.

Publish Date: 2020-12-02

URL: CVE-2020-25638

CVSS 3 Score Details (7.4)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://in.relation.to/2020/11/19/hibernate-orm-5424-final-release/

Release Date: 2020-12-02

Fix Resolution: org.hibernate:hibernate-core:5.3.20.Final,5.4.24.Final

Check this box to open an automated fix PR

CVE-2018-1313 (Medium) detected in derbynet-10.10.1.1.jar

CVE-2018-1313 - Medium Severity Vulnerability

Vulnerable Library - derbynet-10.10.1.1.jar

Contains the Apache Derby network server, which allows remote clients to connect to Derby databases over a network connection using the Derby client JDBC driver.

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.data.drivers/lib/derbynet.jar

Dependency Hierarchy:

❌ derbynet-10.10.1.1.jar (Vulnerable Library)

Found in HEAD commit: 1160eb61eed1947e2b864b626b04eb2deab55f78

Found in base branch: master

Vulnerability Details

In Apache Derby 10.3.1.4 to 10.14.1.0, a specially-crafted network packet can be used to request the Derby Network Server to boot a database whose location and contents are under the user's control. If the Derby Network Server is not running with a Java Security Manager policy file, the attack is successful. If the server is using a policy file, the policy file must permit the database location to be read for the attack to work. The default Derby Network Server policy file distributed with the affected releases includes a permissive policy as the default Network Server policy, which allows the attack to work.

Publish Date: 2018-05-07

URL: CVE-2018-1313

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1313

Release Date: 2018-05-07

Fix Resolution: org.apache.derby:derbynet:10.14.2.0

Check this box to open an automated fix PR

Generate EAN13+5

Hello!

I didn't find any information how to generate EAN13+5. Maybe I missed something. I have two question.

How I could create EAN13+5 if it real?
OR
How I could help to release it in the code? Now I'm researching sources.

Thanks!

CVE-2022-23437 (Medium) detected in xercesImpl-2.12.1.jar

CVE-2022-23437 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.12.1.jar

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.</p>

Library home page: https://xerces.apache.org/xerces2-j/

Path to vulnerable library: /com.jaspersoft.studio.doc/lib/xercesImpl-2.12.1.jar

Dependency Hierarchy:

❌ xercesImpl-2.12.1.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2

Check this box to open an automated fix PR

CVE-2022-23221 (High) detected in h2-1.3.171.jar

CVE-2022-23221 - High Severity Vulnerability

Vulnerable Library - h2-1.3.171.jar

H2 Database Engine

Library home page: http://www.h2database.com

Path to vulnerable library: /com.jaspersoft.studio.data.drivers/lib/h2-1.3.171.jar

Dependency Hierarchy:

❌ h2-1.3.171.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

H2 Console before 2.1.210 allows remote attackers to execute arbitrary code via a jdbc:h2:mem JDBC URL containing the IGNORE_UNKNOWN_SETTINGS=TRUE;FORBID_CREATION=FALSE;INIT=RUNSCRIPT substring, a different vulnerability than CVE-2021-42392.

Publish Date: 2022-01-19

URL: CVE-2022-23221

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/h2database/h2database/releases/tag/version-2.1.210

Release Date: 2022-01-19

Fix Resolution: com.h2database:h2:2.1.210

Check this box to open an automated fix PR

CVE-2021-20328 (Medium) detected in mongo-java-driver-3.10.2.jar - autoclosed

CVE-2021-20328 - Medium Severity Vulnerability

Vulnerable Library - mongo-java-driver-3.10.2.jar

The MongoDB Java Driver uber-artifact, containing the legacy driver, the mongodb-driver, mongodb-driver-core, and bson

Library home page: http://www.mongodb.org

Path to vulnerable library: /com.jaspersoft.studio.data.mongodb/lib/mongo-java-driver-3.10.2.jar

Dependency Hierarchy:

❌ mongo-java-driver-3.10.2.jar (Vulnerable Library)

Found in HEAD commit: e15ae99e362ae0538eb24d52a17a2e0e999dbca9

Found in base branch: master

Vulnerability Details

Specific versions of the Java driver that support client-side field level encryption (CSFLE) fail to perform correct host name verification on the KMS server’s certificate. This vulnerability in combination with a privileged network position active MITM attack could result in interception of traffic between the Java driver and the KMS service rendering Field Level Encryption ineffective. This issue was discovered during internal testing and affects all versions of the Java driver that support CSFLE. The Java async, Scala, and reactive streams drivers are not impacted. This vulnerability does not impact driver traffic payloads with CSFLE-supported key services originating from applications residing inside the AWS, GCP, and Azure network fabrics due to compensating controls in these environments. This issue does not impact driver workloads that don’t use Field Level Encryption.

Publish Date: 2021-02-25

URL: CVE-2021-20328

CVSS 3 Score Details (6.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://jira.mongodb.org/browse/JAVA-4017

Release Date: 2021-02-25

Fix Resolution: 3.11.3

TIBCO Jaspersoft Studio 6.11.0 Stretch with overflow is gone？

TIBCO Jaspersoft Studio 6.11.0 ->Text Fields->Stretch with overflow is gone？

CVE-2020-14338 (Medium) detected in xercesImpl-2.9.0.jar

CVE-2020-14338 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.9.0.jar

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.doc/lib/xercesImpl-2.9.0.jar

Dependency Hierarchy:

❌ xercesImpl-2.9.0.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A flaw was found in Wildfly's implementation of Xerces, specifically in the way the XMLSchemaValidator class in the JAXP component of Wildfly enforced the "use-grammar-pool-only" feature. This flaw allows a specially-crafted XML file to manipulate the validation process in certain cases. This issue is the same flaw as CVE-2020-14621, which affected OpenJDK, and uses a similar code. This flaw affects all Xerces JBoss versions before 2.12.0.SP3.

Publish Date: 2020-09-17

URL: CVE-2020-14338

CVSS 3 Score Details (5.3)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1860054

Release Date: 2020-07-21

Fix Resolution: xerces:xercesImpl:2.12.0.SP3

Check this box to open an automated fix PR

CVE-2020-10683 (High) detected in dom4j-2.1.1.jar

CVE-2020-10683 - High Severity Vulnerability

Vulnerable Library - dom4j-2.1.1.jar

flexible XML framework for Java

Library home page: http://dom4j.github.io/

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.hibernate/lib/dom4j-2.1.1.jar

Dependency Hierarchy:

❌ dom4j-2.1.1.jar (Vulnerable Library)

Found in HEAD commit: 1160eb61eed1947e2b864b626b04eb2deab55f78

Found in base branch: master

Vulnerability Details

dom4j before 2.0.3 and 2.1.x before 2.1.3 allows external DTDs and External Entities by default, which might enable XXE attacks. However, there is popular external documentation from OWASP showing how to enable the safe, non-default behavior in any application that uses dom4j.

Publish Date: 2020-05-01

URL: CVE-2020-10683

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://github.com/dom4j/dom4j/tree/version-2.1.3,https://github.com/dom4j/dom4j/tree/version-2.0.3

Release Date: 2020-05-01

Fix Resolution: org.dom4j:dom4j:2.1.3,org.dom4j:dom4j:2.0.3

Check this box to open an automated fix PR

CVE-2022-21724 (High) detected in postgresql-42.2.16.jar

CVE-2022-21724 - High Severity Vulnerability

Vulnerable Library - postgresql-42.2.16.jar

PostgreSQL JDBC Driver Postgresql

Library home page: https://jdbc.postgresql.org

Path to vulnerable library: /com.jaspersoft.studio.data.drivers/lib/postgresql-42.2.16.jar

Dependency Hierarchy:

❌ postgresql-42.2.16.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

pgjdbc is the offical PostgreSQL JDBC Driver. A security hole was found in the jdbc driver for postgresql database while doing security research. The system using the postgresql library will be attacked when attacker control the jdbc url or properties. pgjdbc instantiates plugin instances based on class names provided via authenticationPluginClassName, sslhostnameverifier, socketFactory, sslfactory, sslpasswordcallback connection properties. However, the driver did not verify if the class implements the expected interface before instantiating the class. This can lead to code execution loaded via arbitrary classes. Users using plugins are advised to upgrade. There are no known workarounds for this issue.

Publish Date: 2022-02-02

URL: CVE-2022-21724

CVSS 3 Score Details (9.8)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: GHSA-v7wg-cpwc-24m4

Release Date: 2022-02-02

Fix Resolution: org.postgresql:postgresql:42.2.25,42.3.2

Check this box to open an automated fix PR

CVE-2020-13692 (High) detected in postgresql-42.2.5.jar

CVE-2020-13692 - High Severity Vulnerability

Vulnerable Library - postgresql-42.2.5.jar

Java JDBC 4.2 (JRE 8+) driver for PostgreSQL database

Library home page: https://github.com/pgjdbc/pgjdbc

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.data.drivers/lib/postgresql-42.2.5.jar

Dependency Hierarchy:

❌ postgresql-42.2.5.jar (Vulnerable Library)

Found in HEAD commit: 1160eb61eed1947e2b864b626b04eb2deab55f78

Found in base branch: master

Vulnerability Details

PostgreSQL JDBC Driver (aka PgJDBC) before 42.2.13 allows XXE.

Publish Date: 2020-06-04

URL: CVE-2020-13692

CVSS 3 Score Details (7.7)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: Low
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://jdbc.postgresql.org/documentation/changelog.html#version_42.2.13

Release Date: 2020-06-04

Fix Resolution: org.postgresql:postgresql:42.2.13

Check this box to open an automated fix PR

CVE-2019-8331 (Medium) detected in bootstrap-3.2.0.min.js

CVE-2019-8331 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.

Publish Date: 2019-02-20

URL: CVE-2019-8331

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: twbs/bootstrap#28236

Release Date: 2019-02-20

Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1

CVE-2015-1832 (High) detected in derby-10.10.1.1.jar

CVE-2015-1832 - High Severity Vulnerability

Vulnerable Library - derby-10.10.1.1.jar

Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.data.drivers/lib/derby.jar

Dependency Hierarchy:

❌ derby-10.10.1.1.jar (Vulnerable Library)

Found in HEAD commit: 1160eb61eed1947e2b864b626b04eb2deab55f78

Found in base branch: master

Vulnerability Details

XML external entity (XXE) vulnerability in the SqlXmlUtil code in Apache Derby before 10.12.1.1, when a Java Security Manager is not in place, allows context-dependent attackers to read arbitrary files or cause a denial of service (resource consumption) via vectors involving XmlVTI and the XML datatype.

Publish Date: 2016-10-03

URL: CVE-2015-1832

CVSS 3 Score Details (9.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1832

Release Date: 2016-10-03

Fix Resolution: 10.12.1.1

Check this box to open an automated fix PR

No codesigning on the 6.10 release

I notice you forgot to do code-signing on the 6.10 release on the Mac.

https://share.getcloudapp.com/X6u2r469

HibernateActivator is missing in Jaspersoft Studio 6.9.0

When trying to connect to a Jaspersoft Server instance from the Studio, one receives the following exception (e.g. via new server -> test connection):

java.lang.NoClassDefFoundError: com/jaspersoft/studio/server/protocol/restv2/ClientQueryMapperProvider
	at com.jaspersoft.studio.server.protocol.restv2.RestV2ConnectionJersey.connect(RestV2ConnectionJersey.java:174)
	at com.jaspersoft.studio.server.protocol.ProxyConnection.connect(ProxyConnection.java:102)
	at com.jaspersoft.studio.server.WSClientHelper.checkConnection(WSClientHelper.java:92)
	at com.jaspersoft.studio.server.wizard.ServerProfileWizard.connect(ServerProfileWizard.java:94)
	at com.jaspersoft.studio.server.wizard.ServerProfileWizard.access$1(ServerProfileWizard.java:89)
	at com.jaspersoft.studio.server.wizard.ServerProfileWizard$2.run(ServerProfileWizard.java:68)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: java.lang.ClassNotFoundException: An error occurred while automatically activating bundle com.jaspersoft.studio.hibernate (33).
	at org.eclipse.osgi.internal.hooks.EclipseLazyStarter.postFindLocalClass(EclipseLazyStarter.java:126)
	at org.eclipse.osgi.internal.loader.classpath.ClasspathManager.findLocalClass(ClasspathManager.java:570)
	at org.eclipse.osgi.internal.loader.ModuleClassLoader.findLocalClass(ModuleClassLoader.java:331)
	at org.eclipse.osgi.internal.loader.BundleLoader.findLocalClass(BundleLoader.java:395)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:473)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:422)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:414)
	at org.eclipse.osgi.internal.loader.ModuleClassLoader.loadClass(ModuleClassLoader.java:153)
	at java.lang.ClassLoader.loadClass(ClassLoader.java:357)
	... 7 more
Caused by: org.osgi.framework.BundleException: Error loading bundle activator.
	at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:760)
	at org.eclipse.osgi.internal.framework.EquinoxBundle.startWorker0(EquinoxBundle.java:1005)
	at org.eclipse.osgi.internal.framework.EquinoxBundle$EquinoxModule.startWorker(EquinoxBundle.java:357)
	at org.eclipse.osgi.container.Module.doStart(Module.java:589)
	at org.eclipse.osgi.container.Module.start(Module.java:457)
	at org.eclipse.osgi.framework.util.SecureAction.start(SecureAction.java:471)
	at org.eclipse.osgi.internal.hooks.EclipseLazyStarter.postFindLocalClass(EclipseLazyStarter.java:117)
	... 15 more
Caused by: java.lang.ClassNotFoundException: com.jaspersoft.studio.hibernate.HibernateActivator cannot be found by com.jaspersoft.studio.hibernate_5.4.1.final
	at org.eclipse.osgi.internal.loader.BundleLoader.findClassInternal(BundleLoader.java:511)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:422)
	at org.eclipse.osgi.internal.loader.BundleLoader.findClass(BundleLoader.java:414)
	at org.eclipse.osgi.internal.framework.BundleContextImpl.loadBundleActivator(BundleContextImpl.java:798)
	at org.eclipse.osgi.internal.framework.BundleContextImpl.start(BundleContextImpl.java:752)
	... 21 more

The bundle in the plugins folder does not contain the activator (which is found at [1]).
(The full exception is only reported once.)

[1] https://github.com/TIBCOSoftware/jaspersoft-studio-ce/tree/master/com.jaspersoft.studio.hibernate/src/com/jaspersoft/studio/hibernate

JasperReports Server Connection not working from Jaspersoft Studio Eclipse plugin

When I run Jaspersoft Studio as an Eclipse plugin, I cannot successfully create a JasperReports Server Connection from the Repository Explorer. Oddly, from Jaspersoft Studio as standalone version, there is no problem connecting to the exact same server.

In Jaspersoft Studio, I open the "Create JasperReports Server Connection" dialog, enter my details (server & credentials) and click "Test connection". Everything works fine and it confirms "Test successful".
In the Eclipse plugin, I open the dialog and enter my details exactly the same way. When I click "Test connection", I receive the error below.

I am running:

Ubuntu 20.04.1 LTS 64 Bit
TIBCO JasperReports Server, Product Version: 7.5.0, Build: 20191206_1440
Eclipse IDE for Java Developers, Version: 2019-12 (4.14.0), Build id: 20191212-1212 with Jaspersoft Studio feature 6.13.0.final

respectively

Jaspersoft Studio 6.13.10 (with Jaspersoft Studio Designer 6.13.0.final as well)

Error message:

javax.ws.rs.InternalServerErrorException: HTTP 500 Internal Server Error
	at org.glassfish.jersey.message.internal.AbstractRootElementJaxbProvider.readFrom(AbstractRootElementJaxbProvider.java:126)
	at org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$TerminalReaderInterceptor.invokeReadFrom(ReaderInterceptorExecutor.java:264)
	at org.glassfish.jersey.message.internal.ReaderInterceptorExecutor$TerminalReaderInterceptor.aroundReadFrom(ReaderInterceptorExecutor.java:234)
	at org.glassfish.jersey.message.internal.ReaderInterceptorExecutor.proceed(ReaderInterceptorExecutor.java:154)
	at org.glassfish.jersey.message.internal.MessageBodyFactory.readFrom(MessageBodyFactory.java:1124)
	at org.glassfish.jersey.message.internal.InboundMessageContext.readEntity(InboundMessageContext.java:851)
	at org.glassfish.jersey.message.internal.InboundMessageContext.readEntity(InboundMessageContext.java:783)
	at org.glassfish.jersey.client.ClientResponse.readEntity(ClientResponse.java:326)
	at org.glassfish.jersey.client.InboundJaxrsResponse$1.call(InboundJaxrsResponse.java:111)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:315)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:297)
	at org.glassfish.jersey.internal.Errors.process(Errors.java:228)
	at org.glassfish.jersey.process.internal.RequestScope.runInScope(RequestScope.java:399)
	at org.glassfish.jersey.client.InboundJaxrsResponse.readEntity(InboundJaxrsResponse.java:108)
	at com.jaspersoft.studio.server.protocol.restv2.ARestV2ConnectionJersey.toObj(ARestV2ConnectionJersey.java:45)
	at com.jaspersoft.studio.server.protocol.restv2.RestV2ConnectionJersey.getServerInfo(RestV2ConnectionJersey.java:332)
	at com.jaspersoft.studio.server.protocol.restv2.RestV2ConnectionJersey.connect(RestV2ConnectionJersey.java:224)
	at com.jaspersoft.studio.server.protocol.ProxyConnection.connect(ProxyConnection.java:117)
	at com.jaspersoft.studio.server.WSClientHelper.checkConnection(WSClientHelper.java:91)
	at com.jaspersoft.studio.server.wizard.ServerProfileWizard.connect(ServerProfileWizard.java:94)
	at com.jaspersoft.studio.server.wizard.ServerProfileWizard.access$1(ServerProfileWizard.java:89)
	at com.jaspersoft.studio.server.wizard.ServerProfileWizard$2.run(ServerProfileWizard.java:68)
	at org.eclipse.jface.operation.ModalContext$ModalContextThread.run(ModalContext.java:122)
Caused by: javax.xml.bind.JAXBException
 - with linked exception:
[java.lang.ClassNotFoundException: com.sun.xml.internal.bind.v2.ContextFactory]
	at javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:241)
	at javax.xml.bind.ContextFinder.find(ContextFinder.java:455)
	at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:652)
	at javax.xml.bind.JAXBContext.newInstance(JAXBContext.java:599)
	at org.glassfish.jersey.message.internal.AbstractJaxbProvider.getStoredJaxbContext(AbstractJaxbProvider.java:258)
	at org.glassfish.jersey.message.internal.AbstractJaxbProvider.getJAXBContext(AbstractJaxbProvider.java:250)
	at org.glassfish.jersey.message.internal.AbstractJaxbProvider.getUnmarshaller(AbstractJaxbProvider.java:178)
	at org.glassfish.jersey.message.internal.AbstractJaxbProvider.getUnmarshaller(AbstractJaxbProvider.java:154)
	at org.glassfish.jersey.message.internal.AbstractRootElementJaxbProvider.readFrom(AbstractRootElementJaxbProvider.java:122)
	... 22 more
Caused by: java.lang.ClassNotFoundException: com.sun.xml.internal.bind.v2.ContextFactory
	at java.base/jdk.internal.loader.BuiltinClassLoader.loadClass(BuiltinClassLoader.java:581)
	at java.base/jdk.internal.loader.ClassLoaders$AppClassLoader.loadClass(ClassLoaders.java:178)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at org.eclipse.osgi.internal.framework.ContextFinder.loadClass(ContextFinder.java:145)
	at java.base/java.lang.ClassLoader.loadClass(ClassLoader.java:522)
	at javax.xml.bind.ContextFinder.safeLoadClass(ContextFinder.java:573)
	at javax.xml.bind.ContextFinder.newInstance(ContextFinder.java:239)
	... 30 more

CVE-2020-11023 (Medium) detected in jquery-3.4.1.min.js

CVE-2020-11023 - Medium Severity Vulnerability

Vulnerable Library - jquery-3.4.1.min.js

JavaScript library for DOM operations

Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js

Path to dependency file: jaspersoft-studio-ce/com.jaspersoft.studio.rcp/content/index.xhtml

Path to vulnerable library: com.jaspersoft.studio.rcp/content/scripts/jquery-3.4.1.min.js,jaspersoft-studio-ce/com.jaspersoft.studio.rcp/content/scripts/jquery-3.4.1.min.js

Dependency Hierarchy:

❌ jquery-3.4.1.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.

Publish Date: 2020-04-29

URL: CVE-2020-11023

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-11023

Release Date: 2020-04-29

Fix Resolution: jquery - 3.5.0

CVE-2009-2625 (Medium) detected in xercesImpl-2.9.0.jar

CVE-2009-2625 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.9.0.jar

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.doc/lib/xercesImpl-2.9.0.jar

Dependency Hierarchy:

❌ xercesImpl-2.9.0.jar (Vulnerable Library)

Found in HEAD commit: 9c02d1fee6914fb2bd5cb30e8b4622f89da19cc2

Found in base branch: master

Vulnerability Details

XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.

Publish Date: 2009-08-06

URL: CVE-2009-2625

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id?1022680

Release Date: 2017-12-31

Fix Resolution: The vendor has issued a fix for Windows, Solaris, and Linux:

JDK and JRE 6 Update 15 or later
JDK and JRE 5.0 Update 20 or later

Java SE releases are available at:

JDK and JRE 6 Update 15:

http://java.sun.com/javase/downloads/index.jsp

JRE 6 Update 15:

http://java.com/

through the Java Update tool for Microsoft Windows users.

JDK 6 Update 15 for Solaris is available in the following patches:

Java SE 6 Update 15 (as delivered in patch 125136-16)
Java SE 6 Update 15 (as delivered in patch 125137-16 (64bit))
Java SE 6_x86 Update 15 (as delivered in patch 125138-16)
Java SE 6_x86 Update 15 (as delivered in patch 125139-16 (64bit))

JDK and JRE 5.0 Update 20:

http://java.sun.com/javase/downloads/index_jdk5.jsp

JDK 5.0 Update 20 for Solaris is available in the following patches:

J2SE 5.0 Update 18 (as delivered in patch 118666-21)
J2SE 5.0 Update 18 (as delivered in patch 118667-21 (64bit))
J2SE 5.0_x86 Update 18 (as delivered in patch 118668-21)
J2SE 5.0_x86 Update 18 (as delivered in patch 118669-21 (64bit))

Java SE for Business releases are available at:

http://www.sun.com/software/javaseforbusiness/getit_download.jsp

Note: When installing a new version of the product from a source other than a Solaris patch, it is recommended that the old affected versions be removed from your system. To remove old affected versions on the Windows platform, please see:

http://www.java.com/en/download/help/5000010800.xml

The vendor's advisory is available at:

http://sunsolve.sun.com/search/document.do?assetkey=1-66-263489-1

CVE-2012-0881 (High) detected in xercesImpl-2.9.0.jar

CVE-2012-0881 - High Severity Vulnerability

Vulnerable Library - xercesImpl-2.9.0.jar

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.doc/lib/xercesImpl-2.9.0.jar

Dependency Hierarchy:

❌ xercesImpl-2.9.0.jar (Vulnerable Library)

Found in HEAD commit: 9c02d1fee6914fb2bd5cb30e8b4622f89da19cc2

Found in base branch: master

Vulnerability Details

Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.

Publish Date: 2017-10-30

URL: CVE-2012-0881

CVSS 3 Score Details (7.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: None
- Integrity Impact: None
- Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881

Release Date: 2017-10-30

Fix Resolution: 2.12.0

Check this box to open an automated fix PR

How to build ?

Hi,

Importing all projects into a brand new Eclipse "Eclipse IDE for RCP and RAP Developers" installation doesn't work.
I get a lot of compile error.

Also building via Maven don't work out of box.

Could you provide a guide to build the project from the sources ?

Regards,
Arnaud

CVE-2019-14900 (Medium) detected in hibernate-core-5.4.1.Final.jar

CVE-2019-14900 - Medium Severity Vulnerability

Vulnerable Library - hibernate-core-5.4.1.Final.jar

Hibernate's core ORM functionality

Library home page: http://hibernate.org/orm

Path to vulnerable library: jaspersoft-studio-ce/com.jaspersoft.studio.hibernate/lib/hibernate-core-5.4.1.Final.jar

Dependency Hierarchy:

❌ hibernate-core-5.4.1.Final.jar (Vulnerable Library)

Found in base branch: master

Vulnerability Details

A flaw was found in Hibernate ORM in versions before 5.3.18, 5.4.18 and 5.5.0.Beta1. A SQL injection in the implementation of the JPA Criteria API can permit unsanitized literals when a literal is used in the SELECT or GROUP BY parts of the query. This flaw could allow an attacker to access unauthorized information or possibly conduct further attacks.

Publish Date: 2020-07-06

URL: CVE-2019-14900

CVSS 3 Score Details (6.5)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Scope: Unchanged
Impact Metrics:
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14900

Release Date: 2020-07-06

Fix Resolution: org.hibernate:hibernate-core:5.4.18.Final

Check this box to open an automated fix PR

TIBCO Jaspersoft Studio 6.13.0 ---- Source code cannot be compiled

Hello, I downloaded the source code of the community edition of studio at https://github.com/TIBCOSoftware/jaspersoft-studio-ce, and then configured the targetrepo of eclipse normally, but part of the source code cannot be compiled. By analyzing the POM file in the source code, it is found that the code of the following module is missing from the community edition of the code:

../../net.sf.jasperreports
../../net.sf.jasperreports.doc
../../net.sf.jasperreports.samples

../../net.sf.jasperreports.feature
../../net.sf.jasperreports.samples.feature

Where can I download this part of the code now?
Thank you!

Java 11: Illegal reflective access by com.jaspersoft.studio.server.utils.HttpUtils

Illegal reflective access by com.jaspersoft.studio.server.utils.HttpUtils (..../plugins/com.jaspersoft.studio.server_6.16.0.final.jar) to field java.lang.reflect.Field.modifiers

CVE-2018-14041 (Medium) detected in bootstrap-3.2.0-3.3.0.min.js

CVE-2018-14041 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0-3.3.0.min.js

Google-styled theme for Bootstrap.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/todc-bootstrap/3.2.0-3.3.0/js/bootstrap.min.js

Path to dependency file: /tmp/WhiteSource-ArchiveExtractor_edfee220-a103-434c-8321-d3652a754887/20191001132749_32640/ws-scm_depth_0/jaspersoft-studio-ce/com.jaspersoft.studio.feature/licenses/TIB_js-studiocomm_eclipse_notices/eclipse_notices/org.hamcrest.core.source_1.3.0.v20180420-1519.jar__about_files_NEW_BSD_LICENSE.html

Dependency Hierarchy:

❌ bootstrap-3.2.0-3.3.0.min.js (Vulnerable Library)

Found in HEAD commit: 6f5237a1153a6e288f260cfa24a1ffd6877617af

Vulnerability Details

In Bootstrap before 4.1.2, XSS is possible in the data-target property of scrollspy.

Publish Date: 2018-07-13

URL: CVE-2018-14041

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14041

Release Date: 2019-06-12

Fix Resolution: 4.1.2

CVE-2018-20676 (Medium) detected in bootstrap-3.2.0.min.js

CVE-2018-20676 - Medium Severity Vulnerability

Vulnerable Library - bootstrap-3.2.0.min.js

The most popular front-end framework for developing responsive, mobile first projects on the web.

Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.2.0/js/bootstrap.min.js

Dependency Hierarchy:

❌ bootstrap-3.2.0.min.js (Vulnerable Library)

Found in base branch: master

Vulnerability Details

In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.

Publish Date: 2019-01-09

URL: CVE-2018-20676

CVSS 3 Score Details (6.1)

Base Score Metrics:

Exploitability Metrics:
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Changed
Impact Metrics:
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676

Release Date: 2019-01-09

Fix Resolution: bootstrap - 3.4.0

tibcosoftware / jaspersoft-studio-ce Goto Github PK

jaspersoft-studio-ce's Introduction

Jaspersoft Studio (Community Edition)

jaspersoft-studio-ce's People

Contributors

Stargazers

Watchers

Forkers

jaspersoft-studio-ce's Issues

CVE-2021-23463 - High Severity Vulnerability

CVE-2015-9251 - Medium Severity Vulnerability

CVE-2016-10735 - Medium Severity Vulnerability

WS-2018-0021 - Medium Severity Vulnerability

CVE-2013-4002 - High Severity Vulnerability

CVE-2018-14042 - Medium Severity Vulnerability

WS-2022-0080 - High Severity Vulnerability

CVE-2014-0107 - High Severity Vulnerability

CVE-2021-42392 - High Severity Vulnerability

CVE-2022-26520 - High Severity Vulnerability

WS-2017-3805 - Medium Severity Vulnerability

CVE-2018-14040 - Medium Severity Vulnerability

CVE-2020-11022 - Medium Severity Vulnerability

CVE-2018-20677 - Medium Severity Vulnerability

CVE-2019-11358 - Medium Severity Vulnerability

CVE-2020-25638 - High Severity Vulnerability

CVE-2018-1313 - Medium Severity Vulnerability

CVE-2022-23437 - Medium Severity Vulnerability

CVE-2022-23221 - High Severity Vulnerability

CVE-2021-20328 - Medium Severity Vulnerability

CVE-2020-14338 - Medium Severity Vulnerability

CVE-2020-10683 - High Severity Vulnerability

CVE-2022-21724 - High Severity Vulnerability

CVE-2020-13692 - High Severity Vulnerability

CVE-2019-8331 - Medium Severity Vulnerability

CVE-2015-1832 - High Severity Vulnerability

CVE-2020-11023 - Medium Severity Vulnerability

CVE-2009-2625 - Medium Severity Vulnerability

CVE-2012-0881 - High Severity Vulnerability

CVE-2019-14900 - Medium Severity Vulnerability

CVE-2018-14041 - Medium Severity Vulnerability

CVE-2018-20676 - Medium Severity Vulnerability

Recommend Projects

Recommend Topics

Recommend Org