This project forked from blackduckcopilot/example-maven-travis
Example project for setting up a Maven Project Built using Travis CI
![mend-bolt-for-github[bot] avatar](https://avatars.githubusercontent.com/in/16809?v=4 "mend-bolt-for-github[bot]")
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution: 2.9.8
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
CVSS 3 Score Details (10.0)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Publish Date: 2018-06-04
URL: CVE-2016-1000343
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: bcgit/bc-java@50a5306#diff-5578e61500abb2b87b300d3114bdfd7d
Release Date: 2016-11-03
Fix Resolution: Replace or update the following files: KeyPairGeneratorSpi.java, DSATest.java
Vulnerable Library - httpclient-4.3.5.jarHttpComponents Client
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/httpcomponents/httpclient/4.3.5/httpclient-4.3.5.jar
Dependency Hierarchy:
Found in HEAD commit: 9984bad49f1022014f87559d8d9a60d634eb3698
Vulnerability Details
Apache httpclient before 4.5.3 are vulnerable to Directory Traversal. The user-provided path was able to override the specified host, resulting in giving network access to a sensitive environment.
Publish Date: 2017-01-21
URL: WS-2017-3734
CVSS 3 Score Details (5.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/HTTPCLIENT-1803
Release Date: 2017-01-21
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.3
Vulnerable Library - bcprov-ext-jdk14-1.46.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.4. Note: this package includes the IDEA encryption algorithm.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk14/1.46/bcprov-ext-jdk14-1.46.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore. All BKS-V1 keystores are vulnerable. Bouncy Castle release 1.47 introduces BKS version 2, which uses a 160-bit MAC.
Publish Date: 2018-04-16
URL: CVE-2018-5382
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://vulners.com/cert/VU:306792
Release Date: 2018-04-16
Fix Resolution: bcprov-ext-jdk14 - 1.47;bcprov-ext-jdk15on - 1.47;bcprov-jdk14 - 1.47
Vulnerable Library - commons-collections-1.0.jarnull
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-collections/commons-collections/1.0/commons-collections-1.0.jar
Dependency Hierarchy:
Found in HEAD commit: 9984bad49f1022014f87559d8d9a60d634eb3698
Vulnerability Details
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind through 2.8.10 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 deserialization flaw. This is exploitable by sending maliciously crafted JSON input to the readValue method of the ObjectMapper, bypassing a blacklist that is ineffective if the Spring libraries are available in the classpath.
Publish Date: 2018-01-10
URL: CVE-2017-17485
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-17485
Release Date: 2018-01-10
Fix Resolution: 2.9.4
Vulnerable Library - quartz-2.1.5.jarQuartz is a full-featured, open source job scheduling system that can be integrated with, or used along side virtually any J2EE or J2SE application
Library home page: http://quartz-scheduler.org/quartz/
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/quartz-scheduler/quartz/2.1.5/quartz-2.1.5.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
initDocumentParser in xml/XMLSchedulingDataProcessor.java in Terracotta Quartz Scheduler through 2.3.0 allows XXE attacks via a job description.
Publish Date: 2019-07-26
URL: CVE-2019-13990
CVSS 3 Score Details (9.8)
Base Score Metrics:
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution: 2.9.8
Vulnerable Library - commons-httpclient-3.1.jarThe HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Library home page: http://jakarta.apache.org/httpcomponents/httpclient-3.x/
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
Publish Date: 2014-09-04
URL: CVE-2012-6153
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6153
Release Date: 2014-09-04
Fix Resolution: 4.2.3
Vulnerable Library - commons-fileupload-1.2.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: apache/commons-fileupload@5b4881d
Release Date: 2019-09-26
Fix Resolution: 1.4
Vulnerable Library - commons-fileupload-1.2.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
Dependency Hierarchy:
Vulnerability Details
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2
Vulnerable Library - netty-3.2.1.Final.jarThe Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol servers and clients. In other words, Netty is a NIO client server framework which enables quick and easy development of network applications such as protocol servers and clients. It greatly simplifies and streamlines network programming such as TCP and UDP socket server.
Library home page: http://www.jboss.org/netty/
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/jboss/netty/netty/3.2.1.Final/netty-3.2.1.Final.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
Publish Date: 2014-07-31
URL: CVE-2014-3488
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3488
Release Date: 2014-07-31
Fix Resolution: 3.9.2
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345
Release Date: 2018-06-04
Fix Resolution: bcprov-debug-jdk14 - 1.59;bcprov-debug-jdk15on - 1.56;bcprov-ext-debug-jdk15on - 1.56;bcprov-ext-jdk15on - 1.56;bcprov-jdk14 - 1.56;bcprov-jdk15on - 1.56
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind through 2.8.11 and 2.9.x through 2.9.3 allows unauthenticated remote code execution because of an incomplete fix for the CVE-2017-7525 and CVE-2017-17485 deserialization flaws. This is exploitable via two different gadgets that bypass a blacklist.
Publish Date: 2018-01-22
URL: CVE-2018-5968
CVSS 3 Score Details (8.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-5968
Release Date: 2018-01-22
Fix Resolution: 2.8.11.1, 2.9.4
Vulnerable Library - commons-fileupload-1.2.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
Dependency Hierarchy:
Vulnerability Details
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-2186
Release Date: 2019-04-08
Fix Resolution: 1.3.1
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: FasterXML/jackson-databind#2032
Release Date: 2019-03-17
Fix Resolution: jackson-databind-2.9.6
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-01
URL: CVE-2016-1000338
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Change files
Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0
Release Date: 2016-10-14
Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java
Vulnerable Library - spring-core-4.2.5.RELEASE.jarSpring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.2.5.RELEASE/spring-core-4.2.5.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 9984bad49f1022014f87559d8d9a60d634eb3698
Vulnerability Details
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1272
Release Date: 2018-04-06
Fix Resolution: org.springframework:spring-core:4.3.15.RELEASE,5.0.5.RELEASE;org.springframework:spring-web:4.3.15.RELEASE,5.0.5.RELEASE
Vulnerable Library - poi-3.6.jarApache POI - Java API To Access Microsoft Format Files
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/poi/poi/3.6/poi-3.6.jar
Dependency Hierarchy:
Found in HEAD commit: 9984bad49f1022014f87559d8d9a60d634eb3698
Vulnerability Details
Apache POI in versions prior to release 3.17 are vulnerable to Denial of Service Attacks: 1) Infinite Loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory Exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).
Publish Date: 2018-01-29
URL: CVE-2017-12626
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2018-01-29
Fix Resolution: org.apache.poi:poi-scratchpad:3.17,org.apache.poi:poi:3.17
Vulnerable Libraries - bcprov-ext-jdk15on-1.49.jar, bcprov-ext-jdk14-1.46.jar
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.4. Note: this package includes the IDEA encryption algorithm.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk14/1.46/bcprov-ext-jdk14-1.46.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application. This vulnerability appears to have been fixed in 1.60 and later.
Publish Date: 2018-07-09
URL: CVE-2018-1000613
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613
Release Date: 2018-07-09
Fix Resolution: 1.60
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution: 2.9.8
Vulnerable Library - commons-collections-1.0.jarnull
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-collections/commons-collections/1.0/commons-collections-1.0.jar
Dependency Hierarchy:
Found in HEAD commit: 9984bad49f1022014f87559d8d9a60d634eb3698
Vulnerability Details
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Jodd-db jar (for database access for the Jodd framework) in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12022
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6
Vulnerable Library - httpclient-4.3.5.jarHttpComponents Client
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/httpcomponents/httpclient/4.3.5/httpclient-4.3.5.jar
Dependency Hierarchy:
Vulnerability Details
http/conn/ssl/SSLConnectionSocketFactory.java in Apache HttpComponents HttpClient before 4.3.6 ignores the http.socket.timeout configuration setting during an SSL handshake, which allows remote attackers to cause a denial of service (HTTPS call hang) via unspecified vectors.
Publish Date: 2015-10-27
URL: CVE-2015-5262
CVSS 2 Score Details (4.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-5262
Release Date: 2015-10-27
Fix Resolution: org.apache.httpcomponents:httpclient:4.3.6
Vulnerable Library - commons-beanutils-1.9.0.jarApache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-beanutils/commons-beanutils/1.9.0/commons-beanutils-1.9.0.jar
Dependency Hierarchy:
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5
Vulnerable Library - poi-3.6.jarApache POI - Java API To Access Microsoft Format Files
Library home page: http://poi.apache.org/
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/poi/poi/3.6/poi-3.6.jar
Dependency Hierarchy:
Vulnerability Details
The UnhandledDataStructure function in hwpf/model/UnhandledDataStructure.java in Apache POI 3.8 and earlier allows remote attackers to cause a denial of service (OutOfMemoryError exception and possibly JVM destabilization) via a crafted length value in a Channel Definition Format (CDF) or Compound File Binary Format (CFBF) document.
Publish Date: 2012-08-07
URL: CVE-2012-0213
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0213
Release Date: 2012-08-07
Fix Resolution: org.apache.poi:poi-scratchpad:3.9,org.apache.poi:poi:3.9
Vulnerable Library - commons-codec-1.6.jarThe codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
path: 2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Library home page: http://commons.apache.org/codec/
Dependency Hierarchy:
Vulnerability Details
Base64 encode() method is no longer thread-safe in Apache Commons Codec before version 1.7, which might disclose the wrong data or allow an attacker to change non-private fields.
Publish Date: 2010-02-26
URL: WS-2010-0001
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/CODEC-96
Release Date: 2017-01-31
Fix Resolution: 1.7
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the blaze-ds-opt and blaze-ds-core classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14719
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14719
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000352
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352
Release Date: 2018-06-04
Fix Resolution: 1.56
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to execute arbitrary code by leveraging failure to block the slf4j-ext class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14718
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14718
Release Date: 2019-01-02
Fix Resolution: 2.9.7
Vulnerable Library - commons-codec-1.6.jarThe codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
path: 2/repository/commons-codec/commons-codec/1.6/commons-codec-1.6.jar
Library home page: http://commons.apache.org/codec/
Dependency Hierarchy:
Vulnerability Details
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-07
URL: WS-2009-0001
CVSS 2 Score Details (0.0)
Base Score Metrics not available
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - itextpdf-5.1.3.jariText, a free Java-PDF library
Library home page: http://www.itextpdf.com/
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/com/itextpdf/itextpdf/5.1.3/itextpdf-5.1.3.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
The XML parsers in iText before 5.5.12 and 7.x before 7.0.3 do not disable external entities, which might allow remote attackers to conduct XML external entity (XXE) attacks via a crafted PDF.
Publish Date: 2017-11-08
URL: CVE-2017-9096
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-9096
Release Date: 2017-11-08
Fix Resolution: 5.5.12,7.0.3
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
Bouncy Castle in Android before 5.1.1 LMY49F and 6.0 before 2016-01-01 allows attackers to obtain sensitive information via a crafted application, aka internal bug 24106146.
Publish Date: 2016-01-06
URL: CVE-2015-6644
CVSS 3 Score Details (3.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6644
Release Date: 2016-01-06
Fix Resolution: Bouncy Castle in Android - 5.1.1, 2016-01-01
Vulnerable Library - commons-fileupload-1.2.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
Dependency Hierarchy:
Vulnerability Details
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
CVSS 2 Score Details (3.3)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution: 1.3
Vulnerable Library - commons-collections-1.0.jarnull
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-collections/commons-collections/1.0/commons-collections-1.0.jar
Dependency Hierarchy:
Found in HEAD commit: 9984bad49f1022014f87559d8d9a60d634eb3698
Vulnerability Details
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Release Date: 2015-12-15
Fix Resolution: commons-collections:commons-collections3.2.2,org.apache.commons:commons-collections4:4.1
Vulnerable Library - poi-3.6.jarApache POI - Java API To Access Microsoft Format Files
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/org/apache/poi/poi/3.6/poi-3.6.jar
Dependency Hierarchy:
Found in HEAD commit: 4157967a6fb857719ac710e8f2755a42096a0000
Vulnerability Details
Apache POI before 3.16-beta1 is vulnerable to bufferoverflow attack due to lack of length sanity check for length of embedded OLE10Native.
Publish Date: 2016-10-14
URL: WS-2016-7061
CVSS 3 Score Details (4.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: apache/poi@7f9f8e9
Release Date: 2019-09-26
Fix Resolution: 3.16-beta1
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
An issue was discovered in FasterXML jackson-databind prior to 2.7.9.4, 2.8.11.2, and 2.9.6. When Default Typing is enabled (either globally or for a specific property), the service has the Oracle JDBC jar in the classpath, and an attacker can provide an LDAP service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-03-21
URL: CVE-2018-12023
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-12022
Release Date: 2019-03-21
Fix Resolution: 2.7.9.4, 2.8.11.2, 2.9.6
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
CVSS 3 Score Details (3.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346
Release Date: 2018-06-04
Fix Resolution: bcprov-debug-jdk14 - 1.59;bcprov-debug-jdk15on - 1.56;bcprov-ext-debug-jdk15on - 1.56;bcprov-ext-jdk15on - 1.56;bcprov-jdk14 - 1.56;bcprov-jdk15on - 1.56
Vulnerable Library - commons-httpclient-3.1.jarThe HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.
Library home page: http://jakarta.apache.org/httpcomponents/httpclient-3.x/
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.
Publish Date: 2012-11-04
URL: CVE-2012-5783
CVSS 2 Score Details (5.8)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: http://xforce.iss.net/xforce/xfdb/79984
Release Date: 2017-12-31
Fix Resolution: Apply the appropriate patch for your system. See References.
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000344
CVSS 3 Score Details (7.4)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344
Release Date: 2018-06-04
Fix Resolution: 1.56
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Release Date: 2018-02-06
Fix Resolution: 2.8.10,2.9.1
Vulnerable Library - commons-collections-1.0.jarnull
path: 2/repository/commons-collections/commons-collections/1.0/commons-collections-1.0.jar
Dependency Hierarchy:
Vulnerability Details
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501
Release Date: 2017-12-31
Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater
Step up your Open Source Security Game with WhiteSource here
Vulnerable Library - commons-fileupload-1.2.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
Dependency Hierarchy:
Vulnerability Details
Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution
Publish Date: 2016-10-25
URL: CVE-2016-1000031
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution: 1.3.3
Vulnerable Library - jackson-databind-2.3.2.jarGeneral data-binding functionality for Jackson: works on core streaming API
Library home page: http://wiki.fasterxml.com/JacksonHome
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.3.2/jackson-databind-2.3.2.jar
Dependency Hierarchy:
Found in HEAD commit: be5628eab7905e7b018ca188d9137c67d20dc141
Vulnerability Details
A deserialization flaw was discovered in the jackson-databind, versions before 2.6.7.1, 2.7.9.1 and 2.8.9, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper.
Publish Date: 2018-02-06
URL: CVE-2017-7525
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-7525
Release Date: 2018-02-06
Fix Resolution: 2.6.7.1,2.7.9.1,2.8.9
Vulnerable Library - dom4j-1.6.1.jardom4j: the flexible XML framework for Java
Library home page: http://dom4j.org
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/dom4j/dom4j/1.6.1/dom4j-1.6.1.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
dom4j version prior to version 2.1.1 contains a CWE-91: XML Injection vulnerability in Class: Element. Methods: addElement, addAttribute that can result in an attacker tampering with XML documents through XML injection. This attack appear to be exploitable via an attacker specifying attributes or elements in the XML document. This vulnerability appears to have been fixed in 2.1.1 or later.
Publish Date: 2018-08-20
URL: CVE-2018-1000632
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000632
Release Date: 2018-08-20
Fix Resolution: 2.1.1
Vulnerable Library - commons-fileupload-1.2.1.jarThe FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: example-maven-travis/pom.xml
Path to vulnerable library: canner/.m2/repository/commons-fileupload/commons-fileupload/1.2.1/commons-fileupload-1.2.1.jar
Dependency Hierarchy:
Vulnerability Details
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
CVSS 2 Score Details (7.5)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-04-01
Fix Resolution: 1.3.2
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Publish Date: 2015-11-09
URL: CVE-2015-7940
CVSS 2 Score Details (5.0)
Base Score Metrics not available
Suggested Fix
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-7940
Release Date: 2015-11-09
Fix Resolution: bcprov-ext-jdk15on - 1.51;bcprov-jdk14 - 1.51;bcprov-jdk15on - 1.51
Vulnerable Library - bcprov-ext-jdk15on-1.49.jarThe Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7. Note: this package includes the IDEA and NTRU encryption algorithms.
Library home page: http://www.bouncycastle.org/java.html
Path to dependency file: /tmp/ws-scm/example-maven-travis/pom.xml
Path to vulnerable library: epository/org/bouncycastle/bcprov-ext-jdk15on/1.49/bcprov-ext-jdk15on-1.49.jar
Dependency Hierarchy:
Found in HEAD commit: 48c9533d746c2e0017ea5f7739a8c4b5eadc874a
Vulnerability Details
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
CVSS 3 Score Details (5.9)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341
Release Date: 2018-06-04
Fix Resolution: bcprov-debug-jdk14 - 1.59;bcprov-debug-jdk15on - 1.56;bcprov-ext-debug-jdk15on - 1.56;bcprov-ext-jdk15on - 1.56;bcprov-jdk14 - 1.56;bcprov-jdk15on - 1.56
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
Django
The Web framework for perfectionists with deadlines.
Laravel
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
Microsoft
Open source projects and samples from Microsoft.
Google
Google ❤️ Open Source for everyone.
Alibaba
Alibaba Open Source for everyone
D3
Data-Driven Documents codes.
Tencent
China tencent open source team.
