darkgran1 / synopsys-detect
This project forked from blackducksoftware/synopsys-detect
Scanning and analysis for Synopsys products.
License: Apache License 2.0
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar
Dependency Hierarchy:
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.
Publish Date: 2022-04-01
URL: CVE-2022-22965
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-beans): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE
Step up your Open Source Security Game with Mend here
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
A Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
Base Score Metrics:
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
xmlStringLenDecodeEntities in parser.c in libxml2 2.9.10 has an infinite loop in a certain end-of-file situation.
Publish Date: 2020-01-21
URL: CVE-2020-7595
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2020-7595
Release Date: 2020-01-21
Fix Resolution: nokogiri - 1.10.8
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
A flaw was found in FasterXML Jackson Databind, where it did not have entity expansion secured properly. This flaw allows vulnerability to XML external entity (XXE) attacks. The highest threat from this vulnerability is data integrity.
Publish Date: 2020-12-03
URL: CVE-2020-25649
Base Score Metrics:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri prior to version 1.13.6 does not type-check all inputs into the XML and HTML4 SAX parsers, allowing specially crafted untrusted inputs to cause illegal memory access errors (segfault) or reads from unrelated memory. Version 1.13.6 contains a patch for this issue. As a workaround, ensure the untrusted input is a String by calling #to_s or equivalent.
Publish Date: 2022-05-20
URL: CVE-2022-29181
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-29181
Release Date: 2022-05-20
Fix Resolution: nokogiri - 1.13.6
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Nokogiri before version 1.13.2 is vulnerable.
Publish Date: 2022-03-01
URL: WS-2022-0089
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-fq42-c5rg-92c2
Release Date: 2022-03-01
Fix Resolution: nokogiri - v1.13.2
Spring Boot
Library home page: https://projects.spring.io/spring-boot/#/spring-boot-parent/spring-boot
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework.boot/spring-boot/2.1.5.RELEASE/939061a385b4e30e115978d78a7412fb984674df/spring-boot-2.1.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
Publish Date: 2022-03-30
URL: CVE-2022-27772
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cm59-pr5q-cw85
Release Date: 2022-03-30
Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-test): 2.2.11.RELEASE
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In Apache PDFBox, a carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Publish Date: 2021-06-12
URL: CVE-2021-31812
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31812
Release Date: 2021-06-12
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In FasterXML jackson-databind before 2.14.0-rc1, resource exhaustion can occur because of a lack of a check in primitive value deserializers to avoid deep wrapper array nesting, when the UNWRAP_SINGLE_VALUE_ARRAYS feature is enabled. Additional fix versions: 2.13.4.1 and 2.12.17.1.
Publish Date: 2022-10-02
URL: CVE-2022-42003
Base Score Metrics:
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
The xz_head function in xzlib.c in libxml2 before 2.9.6 allows remote attackers to cause a denial of service (memory consumption) via a crafted LZMA file, because the decoder functionality does not restrict memory usage to what is required for a legitimate file.
Publish Date: 2018-04-08
URL: CVE-2017-18258
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-882p-jqgm-f45g
Release Date: 2018-04-08
Fix Resolution: nokogiri - 1.8.2
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
jackson-databind before 2.13.0 allows a Java StackOverflow exception and denial of service via a large depth of nested objects.
Mend Note: After conducting further research, Mend has determined that all versions of com.fasterxml.jackson.core:jackson-databind up to version 2.13.2 are vulnerable to CVE-2020-36518.
Publish Date: 2022-03-11
URL: CVE-2020-36518
Base Score Metrics:
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
nokogiri up to and including 1.13.8 is affected by several vulnerabilities (CVE-2022-40303, CVE-2022-40304 and CVE-2022-2309) in the dependency bundled libxml2 library. Version 1.13.9 of nokogiri contains a patch where the dependency is upgraded with the patches as well.
Publish Date: 2022-10-18
URL: WS-2022-0334
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qc6-mcvw-92cw
Release Date: 2022-10-18
Fix Resolution: nokogiri - 1.13.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
The package org.yaml:snakeyaml from 0 and before 1.31 is vulnerable to Denial of Service (DoS) due to a missing nesting depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
TZInfo provides daylight savings aware transformations between times in different time zones.
Library home page: https://rubygems.org/gems/tzinfo-1.2.3.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/tzinfo-1.2.3.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
TZInfo is a Ruby library that provides access to time zone data and allows times to be converted using time zone rules. Versions prior to 0.36.1, as well as those prior to 1.2.10 when used with the Ruby data source tzinfo-data, are vulnerable to relative path traversal. With the Ruby data source, time zones are defined in Ruby files. There is one file per time zone. Time zone files are loaded with require on demand. In the affected versions, TZInfo::Timezone.get fails to validate time zone identifiers correctly, allowing a new line character within the identifier. With Ruby version 1.9.3 and later, TZInfo::Timezone.get can be made to load unintended files with require, executing them within the Ruby process. Versions 0.3.61 and 1.2.10 include fixes to correctly validate time zone identifiers. Versions 2.0.0 and later are not vulnerable. Version 0.3.61 can still load arbitrary files from the Ruby load path if their name follows the rules for a valid time zone identifier and the file has a prefix of tzinfo/definition within a directory in the load path. Applications should ensure that untrusted files are not placed in a directory on the load path. As a workaround, the time zone identifier can be validated before passing to TZInfo::Timezone.get by ensuring it matches the regular expression \A[A-Za-z0-9+\-_]+(?:\/[A-Za-z0-9+\-_]+)*\z.
Publish Date: 2022-07-22
URL: CVE-2022-31163
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5cm2-9h8c-rvfx
Release Date: 2022-07-22
Fix Resolution: tzinfo - 0.3.61,1.2.10
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
libxml2 20904-GITv2.9.4-16-g0741801 is vulnerable to a heap-based buffer over-read in the xmlDictAddString function in dict.c. This vulnerability causes programs that use libxml2, such as PHP, to crash. This vulnerability exists because of an incomplete fix for CVE-2016-1839.
Publish Date: 2017-05-18
URL: CVE-2017-9050
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9050
Release Date: 2017-05-18
Fix Resolution: 2.9.5
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization. We recommend upgrading to version 2.0 and beyond.
Publish Date: 2022-12-01
URL: CVE-2022-1471
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/561/cve-2022-1471-vulnerability-in#comment-64634374
Release Date: 2022-12-01
Fix Resolution (org.yaml:snakeyaml): 2.0
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar
Dependency Hierarchy:
A carefully crafted PDF file can trigger an infinite loop while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Publish Date: 2021-03-19
URL: CVE-2021-27807
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27807
Release Date: 2021-03-19
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Library home page: https://rubygems.org/gems/git-1.3.0.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/git-1.3.0.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
The package git before 1.11.0 is vulnerable to Command Injection via git argument injection. When calling the fetch(remote = 'origin', opts = {}) function, the remote parameter is passed to the git fetch subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-19
URL: CVE-2022-25648
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25648
Release Date: 2022-04-19
Fix Resolution: git - 1.11.0
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-core/1.2.3/864344400c3d4d92dfeb0a305dc87d953677c03c/logback-core-1.2.3.jar
Dependency Hierarchy:
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/ch.qos.logback/logback-classic/1.2.3/7c4f3c474fb2c041d8028740440937705ebb473a/logback-classic-1.2.3.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration allowing arbitrary code loaded from LDAP servers to be executed.
Mend Note: Converted from WS-2021-0491, on 2022-11-07.
Publish Date: 2021-12-16
URL: CVE-2021-42550
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
Release Date: 2021-12-16
Fix Resolution (ch.qos.logback:logback-core): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8
Fix Resolution (ch.qos.logback:logback-classic): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter): 2.5.8
Library home page: https://rubygems.org/gems/cocoapods-downloader-1.1.3.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/cocoapods-downloader-1.1.3.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Versions of the package cocoapods-downloader before 1.6.0, and from 1.6.2 before 1.6.3, are vulnerable to Command Injection via git argument injection. When calling the Pod::Downloader.preprocess_options function and using git, both the git and branch parameters are passed to the git ls-remote subcommand in a way that additional flags can be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-01
URL: CVE-2022-24440
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24440
Release Date: 2022-04-01
Fix Resolution: cocoapods-downloader - 1.6.0,1.6.3
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri before version 1.11.0.rc4 there is an XXE vulnerability. XML Schemas parsed by Nokogiri::XML::Schema are trusted by default, allowing external resources to be accessed over the network, potentially enabling XXE or SSRF attacks. This behavior is counter to the security policy followed by Nokogiri maintainers, which is to treat all input as untrusted by default whenever possible. This is fixed in Nokogiri version 1.11.0.rc4.
Publish Date: 2020-12-30
URL: CVE-2020-26247
Base Score Metrics:
Spring Expression Language (SpEL)
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-expression/5.1.7.RELEASE/7b47446553c83a5a7323d647f5c1793106b2948c/spring-expression-5.1.7.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In Spring Framework versions 5.3.0 - 5.3.16 and older unsupported versions, it is possible for a user to provide a specially crafted SpEL expression that may cause a denial of service condition.
Publish Date: 2022-04-01
URL: CVE-2022-22950
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22950
Release Date: 2022-04-01
Fix Resolution (org.springframework:spring-expression): 5.2.20.RELEASE
Direct dependency fix Resolution (org.springframework:spring-context): 5.2.20.RELEASE
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
Library home page: http://commons.apache.org/proper/commons-codec/
Path to dependency file: /tmp/ws-scm/synopsys-detect/detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar,/root/.gradle/caches/modules-2/files-2.1/commons-codec/commons-codec/1.11/3acb4705652e16236558f0f4f2192cc33c3bd189/commons-codec-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields. Updated 2018-10-07: an additional review by the WhiteSource research team could not identify a clear security vulnerability.
Publish Date: 2007-10-07
URL: WS-2009-0001
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution: 5.2.18.RELEASE
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
A NULL pointer dereference vulnerability exists in the xpath.c:xmlXPathCompOpEval() function of libxml2 through 2.9.8 when parsing an invalid XPath expression in the XPATH_OP_AND or XPATH_OP_OR case. Applications processing untrusted XSL format inputs with the use of the libxml2 library may be vulnerable to a denial of service attack due to a crash of the application.
Publish Date: 2018-07-19
URL: CVE-2018-14404
Base Score Metrics:
Type: Upgrade version
Release Date: 2018-07-19
Fix Resolution: nokogiri- 2.9.5, libxml2 - 2.9.9
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar,/root/.gradle/caches/modules-2/files-2.1/com.google.code.gson/gson/2.8.5/f645ed69d595b24d4cf8b3fbb64cc505bede8829/gson-2.8.5.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
A command injection vulnerability in Nokogiri v1.10.3 and earlier allows commands to be executed in a subprocess via Ruby's Kernel.open method. Processes are vulnerable only if the undocumented method Nokogiri::CSS::Tokenizer#load_file is being called with unsafe user input as the filename. This vulnerability appears in code generated by the Rexical gem versions v1.0.6 and earlier. Rexical is used by Nokogiri to generate lexical scanner code for parsing CSS queries. The underlying vulnerability was addressed in Rexical v1.0.7 and Nokogiri upgraded to this version of Rexical in Nokogiri v1.10.4.
Publish Date: 2019-08-16
URL: CVE-2019-5477
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-08-16
Fix Resolution: nokogiri-v1.10.4, rexical-v1.0.7
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/le/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar,/root/.gradle/caches/modules-2/files-2.1/com.fasterxml.jackson.core/jackson-databind/2.10.0/1127c9cf62f2bb3121a3a2a0a1351d251a602117/jackson-databind-2.10.0.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In FasterXML jackson-databind before 2.13.4, resource exhaustion can occur because of a lack of a check in BeanDeserializer._deserializeFromArray to prevent use of deeply nested arrays. An application is vulnerable only with certain customized choices for deserialization.
Publish Date: 2022-10-02
URL: CVE-2022-42004
Base Score Metrics:
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-beans/5.1.7.RELEASE/14cd651e4aa3514e75710c9450c7a0c89413e63f/spring-beans-5.1.7.RELEASE.jar
Dependency Hierarchy:
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/le/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar,/root/.gradle/caches/modules-2/files-2.1/org.springframework/spring-core/5.1.7.RELEASE/280f821b9ed4dad9993f1d551d6e86557092ae58/spring-core-5.1.7.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In Spring Framework versions prior to 5.3.20 and 5.2.22, and in older unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution (org.springframework:spring-beans): 5.2.22.RELEASE
Direct dependency fix Resolution (org.springframework:spring-context): 5.2.22.RELEASE
Library home page: https://rubygems.org/gems/cocoapods-downloader-1.1.3.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/cocoapods-downloader-1.1.3.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
The package cocoapods-downloader before 1.6.2 is vulnerable to Command Injection via hg argument injection. When calling the download function (when using hg), the url (and/or revision, tag, branch) is passed to the hg clone command in a way that allows additional flags to be set. The additional flags can be used to perform a command injection.
Publish Date: 2022-04-01
URL: CVE-2022-21223
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-21223
Release Date: 2022-04-01
Fix Resolution: cocoapods-downloader - 1.6.2
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
In Apache PDFBox, a carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.23 and prior 2.0.x versions.
Publish Date: 2021-06-12
URL: CVE-2021-31811
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-31811
Release Date: 2021-06-12
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.24
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Apache HttpComponents Client
Library home page: http://hc.apache.org/
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.8/c27c9d6f15435dc2b6947112027b418b0eef32b9/httpclient-4.5.8.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.httpcomponents/httpclient/4.5.8/c27c9d6f15435dc2b6947112027b418b0eef32b9/httpclient-4.5.8.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Apache HttpClient versions prior to 4.5.13 and 5.0.3 can misinterpret a malformed authority component in request URIs passed to the library as a java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution (org.apache.httpcomponents:httpclient): 4.5.13
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.3.3
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash via a stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.13.2.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.13.2.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
The kramdown gem before 2.3.0 for Ruby processes the template option inside Kramdown documents by default, which allows unintended read access (such as template="/etc/passwd") or unintended embedded Ruby code execution (such as a string that begins with template="string://<%= `). NOTE: kramdown is used in Jekyll, GitLab Pages, GitHub Pages, and Thredded Forum.
Publish Date: 2020-07-17
URL: CVE-2020-14001
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14001
Release Date: 2020-07-17
Fix Resolution: kramdown - 2.3.0
Kotlin Standard Library for JVM
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.31/11289d20fd95ae219333f3456072be9f081c30cc/kotlin-stdlib-1.3.31.jar,/root/.gradle/caches/modules-2/files-2.1/org.jetbrains.kotlin/kotlin-stdlib/1.3.31/11289d20fd95ae219333f3456072be9f081c30cc/kotlin-stdlib-1.3.31.jar
Dependency Hierarchy:
In JetBrains Kotlin before 1.6.0, it was not possible to lock dependencies for Multiplatform Gradle Projects.
Publish Date: 2022-02-25
URL: CVE-2022-24329
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2qp4-g3q3-f92w
Release Date: 2022-02-25
Fix Resolution (org.jetbrains.kotlin:kotlin-stdlib): 1.6.0-M1
Direct dependency fix Resolution (org.jetbrains.kotlin:kotlin-stdlib-jdk8): 1.6.0
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash via a stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
Groovy: A powerful, dynamic language for the JVM
Library home page: http://groovy-lang.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.12/760afc568cbd94c09d78f801ce51aed1326710af/groovy-all-2.4.12.jar,/le/caches/modules-2/files-2.1/org.codehaus.groovy/groovy-all/2.4.12/760afc568cbd94c09d78f801ce51aed1326710af/groovy-all-2.4.12.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Apache Groovy provides extension methods to aid with creating temporary directories. Prior to this fix, Groovy's implementation of those extension methods was using a now superseded Java JDK method call that is potentially not secure on some operating systems in some contexts. Users not using the extension methods mentioned in the advisory are not affected, but may wish to read the advisory for further details. Versions Affected: 2.0 to 2.4.20, 2.5.0 to 2.5.13, 3.0.0 to 3.0.6, and 4.0.0-alpha-1. Fixed in versions 2.4.21, 2.5.14, 3.0.7, 4.0.0-alpha-2.
Publish Date: 2020-12-07
URL: CVE-2020-17521
Base Score Metrics:
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/GROOVY-9824
Release Date: 2020-12-07
Fix Resolution: 2.4.21
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /build.gradle
Path to vulnerable library: /le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar,/le/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.24/13a9c0d6776483c3876e3ff9384f9bb55b17001b/snakeyaml-1.24.jar
Dependency Hierarchy:
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /detectable/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar,/root/.gradle/caches/modules-2/files-2.1/org.yaml/snakeyaml/1.23/ec62d74fe50689c28c0ff5b35d3aebcaa8b5be68/snakeyaml-1.23.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Using SnakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service (DoS) attacks. If the parser is running on user-supplied input, an attacker may supply content that causes the parser to crash via a stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (com.fasterxml.jackson.dataformat:jackson-dataformat-yaml): 2.10.2
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
Nokogiri is an open source XML and HTML library for Ruby. Nokogiri < v1.13.4 contains an inefficient regular expression that is susceptible to excessive backtracking when attempting to detect encoding in HTML documents. Users are advised to upgrade to Nokogiri >= 1.13.4. There are no known workarounds for this issue.
Publish Date: 2022-04-11
URL: CVE-2022-24836
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-crjr-9rc5-ghw8
Release Date: 2022-04-11
Fix Resolution: nokogiri - 1.13.4
The Apache PDFBox library is an open source Java tool for working with PDF documents.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.pdfbox/pdfbox/2.0.12/a7311cd267c19e1ba8154b076a63d29537154784/pdfbox-2.0.12.jar
Dependency Hierarchy:
A carefully crafted PDF file can trigger an OutOfMemory-Exception while loading the file. This issue affects Apache PDFBox version 2.0.22 and prior 2.0.x versions.
Publish Date: 2021-03-19
URL: CVE-2021-27906
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-27906
Release Date: 2021-03-19
Fix Resolution (org.apache.pdfbox:pdfbox): 2.0.23
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.
Publish Date: 2019-08-30
URL: CVE-2019-12402
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402
Release Date: 2019-08-30
Fix Resolution (org.apache.commons:commons-compress): 1.19
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to dependency file: /detect-configuration/build.gradle
Path to vulnerable library: /root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar,/root/.gradle/caches/modules-2/files-2.1/org.apache.commons/commons-compress/1.18/1191f9f2bc0c47a8cce69193feb1ff0a8bcb37d5/commons-compress-1.18.jar
Dependency Hierarchy:
Found in HEAD commit: e020742c037c6a0432e84d1f364b642f227cfff8
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution (org.apache.commons:commons-compress): 1.21
Direct dependency fix Resolution (com.blackducksoftware.integration:blackduck-common): 44.5.0
Nokogiri (鋸) is an HTML, XML, SAX, and Reader parser. Among Nokogiri's many features is the ability to search documents via XPath or CSS3 selectors.
Library home page: https://rubygems.org/gems/nokogiri-1.7.1.gem
Path to dependency file: /detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/nokogiri-1.7.1.gem
Dependency Hierarchy:
Nokogiri is a Rubygem providing HTML, XML, SAX, and Reader parsers with XPath and CSS selector support. In Nokogiri v1.12.4 and earlier, on JRuby only, the SAX parser resolves external entities by default. Users of Nokogiri on JRuby who parse untrusted documents using any of these classes are affected: Nokogiri::XML::SAX::Parse, Nokogiri::HTML4::SAX::Parser or its alias Nokogiri::HTML::SAX::Parser, Nokogiri::XML::SAX::PushParser, and Nokogiri::HTML4::SAX::PushParser or its alias Nokogiri::HTML::SAX::PushParser. JRuby users should upgrade to Nokogiri v1.12.5 or later to receive a patch for this issue. There are no workarounds available for v1.12.4 or earlier. CRuby users are not affected.
Publish Date: 2021-09-27
URL: CVE-2021-41098
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41098
Release Date: 2021-09-27
Fix Resolution: nokogiri - 1.12.5
kramdown is yet-another-markdown-parser but fast, pure Ruby, using a strict syntax definition and supporting several common extensions.
Library home page: https://rubygems.org/gems/kramdown-1.13.2.gem
Path to dependency file: synopsys-detect/detectable/src/test/resources/detectables/functional/rubygems/Gemfile.lock
Path to vulnerable library: /var/lib/gems/2.3.0/cache/kramdown-1.13.2.gem
Dependency Hierarchy:
Kramdown before 2.3.1 does not restrict Rouge formatters to the Rouge::Formatters namespace, and thus arbitrary classes can be instantiated.
Publish Date: 2021-03-19
URL: CVE-2021-28834
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-28834
Release Date: 2021-03-19
Fix Resolution: REL_2_3_1