gmdavef / example-java-maven
This project forked from veracode/example-java-maven
Example project to demonstrate srcclr scans
Attribute | Details |
---|---|
Library | Keycloak SAML Core |
Description | Keycloak SSO |
Language | JAVA |
Vulnerability | SAML Assertion Insertion |
Vulnerability description | Keycloak saml-core is vulnerable to malicious SAML assertion insertion. The cause is that assertions are accepted without first verifying that they are signed. |
CVE | null |
CVSS score | 6.4 |
Vulnerability present in version/s | 1.1.0.Beta1-1.9.0.CR1 |
Found library version/s | 1.8.1.Final |
Vulnerability fixed in version | 1.9.0.Final |
Library latest version | 20.0.1 |
Fix |
Links:
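The "Vulnerability present in version/s" ranges in these tables are inclusive at both ends and follow Maven's version ordering, in which qualifiers rank Beta1 < CR1 < Final, so 1.8.1.Final falls inside 1.1.0.Beta1-1.9.0.CR1 while the 1.9.0.Final fix does not. The following added example, which is not part of this project or of srcclr, checks a found version against a reported range with Maven's own ComparableVersion class; it assumes org.apache.maven:maven-artifact is on the classpath, and the version strings in main() are taken from the Keycloak and ZooKeeper rows on this page.

```java
import org.apache.maven.artifact.versioning.ComparableVersion;

/** Example only: test a found artifact version against an inclusive affected range. */
public final class AffectedRange {

    /** True when firstAffected <= found <= lastAffected under Maven's ordering. */
    static boolean isAffected(String found, String firstAffected, String lastAffected) {
        ComparableVersion f = new ComparableVersion(found);
        return f.compareTo(new ComparableVersion(firstAffected)) >= 0
                && f.compareTo(new ComparableVersion(lastAffected)) <= 0;
    }

    /** True when found is at or past the version the advisory names as the fix. */
    static boolean isFixed(String found, String fixedIn) {
        return new ComparableVersion(found).compareTo(new ComparableVersion(fixedIn)) >= 0;
    }

    static void report(String found, String first, String last, String fixedIn) {
        System.out.printf("%-12s in [%s, %s]: affected=%-5b fixed(>=%s)=%b%n",
                found, first, last, isAffected(found, first, last), fixedIn, isFixed(found, fixedIn));
    }

    public static void main(String[] args) {
        // Keycloak SAML Core: qualifiers decide the outcome (Beta1 < CR1 < Final).
        report("1.8.1.Final", "1.1.0.Beta1", "1.9.0.CR1", "1.9.0.Final");
        report("1.9.0.Final", "1.1.0.Beta1", "1.9.0.CR1", "1.9.0.Final");
        // Apache ZooKeeper: numeric segments compare as numbers, so 3.4.10 is past 3.4.9.
        report("3.4.6", "3.3.0", "3.4.9", "3.4.10");
        report("3.4.10", "3.3.0", "3.4.9", "3.4.10");
    }
}
```

isFixed() is deliberately a plain ordering check: for libraries with several maintained branches (the ZooKeeper getACL row names 3.5.5 as the fix while the project sits on 3.4.x) the advisory's fix version, not the comparison, decides which branch you must move to.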
Attribute | Details |
---|---|
Library | Apache ZooKeeper - Server |
Description | ZooKeeper server |
Language | JAVA |
Vulnerability | Authentication Bypass |
Vulnerability description | Apache ZooKeeper is vulnerable to authentication bypass. No authentication or authorization is enforced when a server joins the QuorumPeer, allowing a malicious user to connect from an arbitrary endpoint and pass malicious changes to the quorum. |
CVE | 2018-8012 |
CVSS score | 5 |
Vulnerability present in version/s | 3.3.0-3.4.9 |
Found library version/s | 3.4.6 |
Vulnerability fixed in version | 3.4.10 |
Library latest version | 3.8.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | jBCrypt |
Description | OpenBSD-style Blowfish password hashing for Java |
Language | JAVA |
Vulnerability | Information Disclosure Of Password Hashes Through Crypt_raw |
Vulnerability description | Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. |
CVE | 2015-0886 |
CVSS score | 5 |
Vulnerability present in version/s | 0.3m-0.3m |
Found library version/s | 0.3m |
Vulnerability fixed in version | 0.4 |
Library latest version | 0.4 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache ZooKeeper - Server |
Description | ZooKeeper server |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | zookeeper is vulnerable to denial of service (DoS) attacks. The vulnerability is possible because it does not properly handle the four-letter commands wchp and wchc. Therefore, when untrusted clients can reach the client port (i.e., if the ZooKeeper service is not protected by a firewall), an attacker can launch a DoS attack. |
CVE | 2017-5637 |
CVSS score | 5 |
Vulnerability present in version/s | 3.4.0-3.4.9 |
Found library version/s | 3.4.6 |
Vulnerability fixed in version | 3.4.10 |
Library latest version | 3.8.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Keycloak SAML Core |
Description | Keycloak SSO |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | keycloak-saml-core is vulnerable to sensitive information disclosure. While parsing SAML messages, the StaxParserUtil class replaces strings that reference a system property in attribute values with that system property's value. An attacker can therefore place a chosen system property name in the SAML request ID field and read its value back in the InResponseTo field of the response. |
CVE | 2017-2582 |
CVSS score | 4 |
Vulnerability present in version/s | 1.2.0.CR1-2.5.0.Final |
Found library version/s | 1.8.1.Final |
Vulnerability fixed in version | 2.5.1.Final |
Library latest version | 20.0.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Keycloak SAML Core |
Description | Keycloak SSO |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | keycloak-saml-core is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to the mishandling of a Logout request that contains an Extensions element in the middle of the request. |
CVE | 2017-2646 |
CVSS score | 5 |
Vulnerability present in version/s | 1.2.0.CR1-2.5.4.Final |
Found library version/s | 1.8.1.Final |
Vulnerability fixed in version | 2.5.5.Final |
Library latest version | 20.0.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache XML Security for Java |
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) Memory Consumption |
Vulnerability description | Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. |
CVE | 2013-4517 |
CVSS score | 4.3 |
Vulnerability present in version/s | 1.0-1.5.5 |
Found library version/s | 1.5.1 |
Vulnerability fixed in version | 1.5.6 |
Library latest version | 3.0.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | Deserialisation Of Untrusted Object |
Vulnerability description | JMSSink in log4j 1.2.x is vulnerable to deserialization of untrusted objects. JMSSink uses JNDI insecurely: if the LDAP store it is configured against is accessible to an attacker or points to an untrusted site, the attacker can place a malicious object there and achieve remote code execution. Note: this vulnerability only affects applications specifically configured to use JMSSink, which is not the default. |
CVE | 2022-23302 |
CVSS score | 6 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.15 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | No fix is released. Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations. |
Links:
Attribute | Details |
---|---|
Library | H2 Database Engine |
Description | H2 Database Engine |
Language | JAVA |
Vulnerability | POODLE Attack |
Vulnerability description | h2database is vulnerable to POODLE attacks. The library defaults to SSLv3 for secure anonymous connections which is vulnerable to POODLE attacks. |
CVE | null |
CVSS score | 4.3 |
Vulnerability present in version/s | 1.3.176-1.4.182 |
Found library version/s | 1.3.176 |
Vulnerability fixed in version | 1.4.183 |
Library latest version | 2.1.214 |
Fix |
Links:
Attribute | Details |
---|---|
Library | LZ4 and xxHash |
Description | Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) Through Memory Corruption |
Vulnerability description | lz4 is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to an integer overflow bug in the LZ4 algorithm implementation used in the native lz4 library, which allows context-dependent attackers to corrupt memory and crash the system. Various ports of the native lz4 library, including net.jpountz.lz4:lz4, are affected when they statically load and use the affected native lz4 revision before r118. |
CVE | 2014-4611 |
CVSS score | 5 |
Vulnerability present in version/s | 1.2.0-1.2.0 |
Found library version/s | 1.2.0 |
Vulnerability fixed in version | 1.3.0 |
Library latest version | 1.3.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Commons IO |
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. |
Language | JAVA |
Vulnerability | Remote Code Execution (RCE) Via Java Object Deserialization |
Vulnerability description | commons-io is vulnerable to remote code execution (RCE) attacks. These attacks are possible because the library does not restrict the classes that can be accepted when deserializing binary input. |
CVE | null |
CVSS score | 5.1 |
Vulnerability present in version/s | 1.0-2.4 |
Found library version/s | 2.4 |
Vulnerability fixed in version | 2.5 |
Library latest version | 2.11.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache ZooKeeper - Server |
Description | ZooKeeper server |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | Zookeeper is vulnerable to denial of service (DoS) attacks. The application doesn't properly check string length before allocating memory, allowing a malicious user to pass a long string to cause memory exhaustion. |
CVE | null |
CVSS score | 5 |
Vulnerability present in version/s | 3.3.0-3.4.6 |
Found library version/s | 3.4.6 |
Vulnerability fixed in version | 3.4.7 |
Library latest version | 3.8.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Commons Collections |
Description | Types that extend and augment the Java Collections Framework. |
Language | JAVA |
Vulnerability | Arbitrary Code Execution |
Vulnerability description | commons-collections is vulnerable to arbitrary code execution. A remote attacker is able to execute arbitrary commands via a malicious serialized Java object. |
CVE | 2015-6420 |
CVSS score | 7.5 |
Vulnerability present in version/s | 3.0-3.2.1 |
Found library version/s | 3.2.1 |
Vulnerability fixed in version | 3.2.2 |
Library latest version | 3.2.2 |
Fix | Apply the fix below. |
Links:
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | Arbitrary Code Execution |
Vulnerability description | log4j 1.2.x is vulnerable to arbitrary code execution. The SocketServer class it includes deserializes untrusted data received over the network when listening for log events, allowing an attacker to execute arbitrary code via a malicious serialized object (deserialization gadget). |
CVE | 2019-17571 |
CVSS score | 7.5 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.15 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | log4j:log4j 1.x is end of life. We recommend users upgrade to the latest version of org.apache.logging.log4j:log4j-core. |
Links:
Attribute | Details |
---|---|
Library | Struts 2 Core |
Description | Apache Struts 2 |
Language | JAVA |
Vulnerability | Remote Code Execution (RCE) |
Vulnerability description | struts2-core is vulnerable to remote code execution (RCE) attacks. These attacks are possible when a namespace or url tag has no value and action set and its enclosing action configuration uses a wildcard namespace or has no namespace. |
CVE | 2018-11776 |
CVSS score | 9.3 |
Vulnerability present in version/s | 2.5-BETA1-2.5.16 |
Found library version/s | 2.5.12 |
Vulnerability fixed in version | 2.5.17 |
Library latest version | 6.0.3 |
Fix |
Links:
Attribute | Details |
---|---|
Library | H2 Database Engine |
Description | H2 Database Engine |
Language | JAVA |
Vulnerability | Man-in-the-Middle (MitM) |
Vulnerability description | The h2 database engine is vulnerable to man-in-the-middle (MitM) attacks. The vulnerability exists because a system property governing the H2 console and server mode enables anonymous SSL connections (cipher suites with no server certificate) by default, so a network attacker can interpose without failing any certificate check. |
CVE | null |
CVSS score | 6.4 |
Vulnerability present in version/s | 1.3.176-1.4.182 |
Found library version/s | 1.3.176 |
Vulnerability fixed in version | 1.4.183 |
Library latest version | 2.1.214 |
Fix |
Links:
Attribute | Details |
---|---|
Library | OrientDB Core |
Description | OrientDB NoSQL document graph dbms |
Language | JAVA |
Vulnerability | Timing Attack Via Comparison Function |
Vulnerability description | orientdb-core is vulnerable to timing attacks. The vulnerability is due to the use of a regular string comparison function to compare the user-supplied and expected passwords, so the time the comparison takes reveals how many leading characters matched. |
CVE | null |
CVSS score | 5 |
Vulnerability present in version/s | 1.0rc9-2.1.10 |
Found library version/s | 2.1.9 |
Vulnerability fixed in version | 2.1.11 |
Library latest version | 3.2.12 |
Fix |
Links:
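The OrientDB row above describes the classic timing leak: String.equals stops at the first mismatching character, so an attacker who can measure response times learns the secret one prefix character at a time. The following added example, not code from OrientDB or from this project, places that leaky comparison beside a constant-time one built on MessageDigest.isEqual; the token and attempts in main() are constructed sample values.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;

/** Example only: a timing-leaking secret comparison beside a constant-time one. */
public final class SecretCompare {

    // Vulnerable pattern from the orientdb-core finding: String.equals returns at the first
    // differing character, so the time taken grows with the length of the correct prefix.
    static boolean leakyEquals(String supplied, String expected) {
        return supplied.equals(expected);
    }

    // Hardened form: reduce both sides to a fixed-length digest and compare the digests with
    // MessageDigest.isEqual, whose running time does not depend on where they differ.
    // Hashing first also means the comparison never reveals the length of the expected value.
    static boolean constantTimeEquals(String supplied, String expected) {
        MessageDigest md;
        try {
            md = MessageDigest.getInstance("SHA-256");
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("SHA-256 is mandatory in every JRE", e);
        }
        byte[] a = md.digest(supplied.getBytes(StandardCharsets.UTF_8));
        byte[] b = md.digest(expected.getBytes(StandardCharsets.UTF_8));
        return MessageDigest.isEqual(a, b);
    }

    public static void main(String[] args) {
        // Constructed sample values. In a real system "expected" is a stored password hash
        // (for example a bcrypt string), never the password itself, and the hash library's
        // own verify routine should do the comparison.
        String expected = "s3cr3t-token-value";
        String[] attempts = { "s3cr3t-token-value", "s3cr3t-token-valuX", "zzz" };
        for (String attempt : attempts) {
            System.out.printf("%-22s leaky=%-5b constant-time=%b%n",
                    attempt, leakyEquals(attempt, expected), constantTimeEquals(attempt, expected));
        }
    }
}
```

Both functions return the same booleans; the difference is only in how long the false cases take, which is exactly the signal a timing attack measures. Use this pattern for API tokens, HMAC tags and similar fixed secrets; for passwords, the comparison belongs inside the password-hashing library.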
Attribute | Details |
---|---|
Library | Netty |
Description | The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol serv |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) CPU Consumption |
Vulnerability description | The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message. |
CVE | 2014-3488 |
CVSS score | 5 |
Vulnerability present in version/s | 3.3.0.Final-3.9.0.Final |
Found library version/s | 3.7.0.Final |
Vulnerability fixed in version | 3.9.2.Final |
Library latest version | 4.0.0.Alpha8 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Sling Engine |
Description | Bundle implementing the core of Apache Sling. |
Language | JAVA |
Vulnerability | UI Redress Attacks |
Vulnerability description | Apache Sling Engine may be vulnerable to UI redress (clickjacking) attacks when using the default headers, because the X-Frame-Options header was not sent by default. |
CVE | null |
CVSS score | 6.4 |
Vulnerability present in version/s | 2.0.4-incubator-2.4.4 |
Found library version/s | 2.0.4-incubator |
Vulnerability fixed in version | 2.4.6 |
Library latest version | 2.12.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | Remote Code Execution (RCE) |
Vulnerability description | Apache Chainsaw, bundled with log4j 1.2.x, is vulnerable to remote code execution. The vulnerability exists because Chainsaw deserializes untrusted objects, allowing an attacker who can supply serialized log events to it to execute arbitrary code. |
CVE | 2022-23307 |
CVSS score | 9 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.15 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | There is currently no fix version for this package. Upgrade to log4j 2, use other utility to view logs or remove the Chainsaw component if possible |
Links:
Attribute | Details |
---|---|
Library | Apache ZooKeeper - Server |
Description | ZooKeeper server |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | Apache ZooKeeper is affected by unauthorized information disclosure. getACL() command does not check permissions when retrieving the ACLs of the requested node. Consequently, plaintext information contained in the ACL Id field is returned. This allows an attacker to retrieve users' Id and authentication digests, and gain access to the application on behalf of the user. |
CVE | 2019-0201 |
CVSS score | 4.3 |
Vulnerability present in version/s | 3.3.0-3.4.13 |
Found library version/s | 3.4.6 |
Vulnerability fixed in version | 3.5.5 |
Library latest version | 3.8.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Kafka |
Description | org.apache.kafka:kafka-clients |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | kafka-clients is vulnerable to the leakage of sensitive information. The vulnerability exists because it logs the values of sensitive configuration information. |
CVE | null |
CVSS score | 4.9 |
Vulnerability present in version/s | 0.8.2-beta-0.10.0.1 |
Found library version/s | 0.9.0.1 |
Vulnerability fixed in version | 0.10.1.0 |
Library latest version | 3.3.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache FreeMarker |
Description | FreeMarker is a "template engine"; a generic tool to generate text output based on templates. |
Language | JAVA |
Vulnerability | Server-Side Template Injection (SSTI) |
Vulnerability description | freemarker is vulnerable to server-side template injection (SSTI). By using java.security.ProtectionDomain.getClassLoader templates, an attacker is able to gain access to the classloader and subsequently the filesystem or execute arbitrary code on the host OS. |
CVE | null |
CVSS score | 7.5 |
Vulnerability present in version/s | 2.3.9-2.3.29 |
Found library version/s | 2.3.23 |
Vulnerability fixed in version | 2.3.30 |
Library latest version | 2.3.31 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Kafka |
Description | null |
Language | JAVA |
Vulnerability | Unauthorized Modification Of Nodes |
Vulnerability description | Kafka is vulnerable to unauthorized modification of nodes. The library does not secure important nodes such as kafka-acls when migrating information. This can allow a malicious user to delete and recreate nodes before the Access Control Lists get set. |
CVE | null |
CVSS score | 3.5 |
Vulnerability present in version/s | 0.9.0.0-0.10.2.0 |
Found library version/s | 0.9.0.1 |
Vulnerability fixed in version | 0.10.2.1 |
Library latest version | 2.4.1.7.2.0.2-2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Kafka |
Description | org.apache.kafka:kafka-clients |
Language | JAVA |
Vulnerability | Man-in-the-Middle (MitM) |
Vulnerability description | kafka-clients is vulnerable to man-in-the-middle (MitM) attacks. The vulnerability exists because it uses InetAddress.getHostName() to perform hostname verification, which takes the hostname from a reverse DNS lookup, so the verification is only as trustworthy as DNS. The attack is only possible when the client connects to the server by IP address and DNS is forged or insecure. |
CVE | null |
CVSS score | 4 |
Vulnerability present in version/s | 0.9.0.0-0.10.2.0 |
Found library version/s | 0.9.0.1 |
Vulnerability fixed in version | 0.10.2.1 |
Library latest version | 3.3.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | H2 Database Engine |
Description | H2 Database Engine |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | h2 is vulnerable to information disclosures. The library doesn't check if the filename parameter in the backup command points to a symlinked directory, allowing a malicious user to gain access to sensitive information on the database. |
CVE | 2018-14335 |
CVSS score | 4 |
Vulnerability present in version/s | 1.0.20070304-2.0.204 |
Found library version/s | 1.3.176 |
Vulnerability fixed in version | |
Library latest version | 2.1.214 |
Fix | There is no non vulnerable version of this component/package. We recommend to use alternative components or a potential mitigating control. |
Links:
Attribute | Details |
---|---|
Library | Neo4j - JMX support |
Description | Management support using JMX. |
Language | JAVA |
Vulnerability | File System Information Disclosure |
Vulnerability description | Neo4J is vulnerable to information disclosure. The StoreDirectory JMX property stores the servers file system path and may be disclosed. |
CVE | null |
CVSS score | 5 |
Vulnerability present in version/s | 1.3-3.0.0-M04 |
Found library version/s | 1.3 |
Vulnerability fixed in version | 3.0.0-M05 |
Library latest version | 3.5.35 |
Fix |
Links:
Attribute | Details |
---|---|
Library | H2 Database Engine |
Description | H2 Database Engine |
Language | JAVA |
Vulnerability | Remote Code Execution (RCE) |
Vulnerability description | h2 is vulnerable to remote code execution. The H2 Console passes a user-controlled value to javax.naming.Context.lookup, which performs a JNDI lookup and is a dangerous sink, allowing an attacker to point it at a remote LDAP or RMI server, load a custom class and execute malicious code in the process when the H2 Console is exposed to the LAN or WAN. (Note: the H2 Console is not always used with the H2 database and listens only on localhost by default.) |
CVE | 2021-42392 |
CVSS score | 10 |
Vulnerability present in version/s | 1.0.57-2.0.204 |
Found library version/s | 1.3.176 |
Vulnerability fixed in version | 2.0.206 |
Library latest version | 2.1.214 |
Fix | We recommend all users of the H2 database to upgrade to version 2.0.206, even if you are not directly using the H2 console. This is due to the fact that other attack vectors exist, and their exploitability may be difficult to ascertain. |
Links:
Attribute | Details |
---|---|
Library | Netty |
Description | The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol serv |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) Memory Consumption |
Vulnerability description | Netty is vulnerable to denial of service. The vulnerability exists because there is no upper limit on the size of the StringBuffer that accumulates fragmented WebSocket frame data, which gives a remote attacker a memory consumption vector that can completely exhaust the memory available to the Java Virtual Machine, causing the DoS condition. |
CVE | 2014-0193 |
CVSS score | 5 |
Vulnerability present in version/s | 3.7.0-3.7.0.Final |
Found library version/s | 3.7.0.Final |
Vulnerability fixed in version | 3.7.1.Final |
Library latest version | 4.0.0.Alpha8 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache ZooKeeper - Server |
Description | ZooKeeper server |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | zookeeper is vulnerable to denial of service (DoS) attacks. The vulnerability is possible because the pRequest() method in PrepRequestProcessor.java allows an attacker to generate a proposal from a request that is larger than the maxbuffer. This is possible because the size of the proposal is not checked before creation, which leads to the server becoming unavailable. |
CVE | null |
CVSS score | 5 |
Vulnerability present in version/s | 3.3.0-3.4.10 |
Found library version/s | 3.4.6 |
Vulnerability fixed in version | 3.4.11 |
Library latest version | 3.8.0 |
Fix | Apply the following fix |
Links:
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | Remote Code Execution (RCE) |
Vulnerability description | Apache Chainsaw, bundled with log4j 1.2.x, is vulnerable to remote code execution. The vulnerability exists because Chainsaw deserializes untrusted objects, allowing an attacker who can supply serialized log events to it to execute arbitrary code. |
CVE | 2020-9493 |
CVSS score | 6.8 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.15 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | There is currently no fix version for this package. Upgrade to log4j 2, use other utility to view logs or remove the Chainsaw component if possible |
Links:
Attribute | Details |
---|---|
Library | Apache Sling API |
Description | The Apache Sling API defines an extension to the Servlet API 2.4 to provide access to content and unified access to request parameters hiding the differences between the different methods of transferr |
Language | JAVA |
Vulnerability | Multiple Cross-site Scripting (XSS) Vulnerabilities |
Vulnerability description | Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse. |
CVE | 2015-2944 |
CVSS score | 4.3 |
Vulnerability present in version/s | 0.0-2.2.1 |
Found library version/s | 2.0.4-incubator |
Vulnerability fixed in version | 2.2.2 |
Library latest version | 2.27.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | H2 Database Engine |
Description | H2 Database Engine |
Language | JAVA |
Vulnerability | Arbitrary Code Execution |
Vulnerability description | H2 Database Engine is vulnerable to arbitrary code execution. It allows an authorized user to inject arbitrary Java code using the H2 SQL command CREATE ALIAS. |
CVE | 2018-10054 |
CVSS score | 6.5 |
Vulnerability present in version/s | 1.2.129-2.1.214 |
Found library version/s | 1.3.176 |
Vulnerability fixed in version | |
Library latest version | 2.1.214 |
Fix | We recommend using the H2 Database Engine with explicit security settings: restrict the H2 web console to a secure environment and to localhost, so that anyone who wants wider access must configure it explicitly ("secure by default"), and set a password for the H2 console login. |
Links:
Attribute | Details |
---|---|
Library | Apache Kafka |
Description | null |
Language | JAVA |
Vulnerability | Leakage Of Unauthorized Topic Information |
Vulnerability description | Apache kafka is vulnerable to leakage of unauthorized topic information. The vulnerability exists because it does not prevent sending error messages with topic information even though the end user should not have access to it. |
CVE | null |
CVSS score | 5 |
Vulnerability present in version/s | 0.9.0.0-0.10.0.1 |
Found library version/s | 0.9.0.1 |
Vulnerability fixed in version | 0.10.1.0 |
Library latest version | 2.4.1.7.2.0.2-2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache XML Security for Java |
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver |
Language | JAVA |
Vulnerability | Spoofable XML Signature |
Vulnerability description | jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature. |
CVE | 2013-2172 |
CVSS score | 4.3 |
Vulnerability present in version/s | 1.5.0-1.5.4 |
Found library version/s | 1.5.1 |
Vulnerability fixed in version | 1.5.5 |
Library latest version | 3.0.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache ZooKeeper - Server |
Description | ZooKeeper server |
Language | JAVA |
Vulnerability | Cleartext Admin Passwords |
Vulnerability description | Apache ZooKeeper is vulnerable to information disclosure. ZooKeeper does not store its data encrypted, so care must be taken when storing sensitive information, as it may also be printed in the logs. Note: this vulnerability was not actually fixed; adequate documentation was added instead. |
CVE | 2014-0085 |
CVSS score | 2.1 |
Vulnerability present in version/s | 3.3.0-3.4.6 |
Found library version/s | 3.4.6 |
Vulnerability fixed in version | 3.4.7 |
Library latest version | 3.8.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | SQL Injection |
Vulnerability description | JDBCAppender in Log4j 1.2.x is vulnerable to SQL injection. An attacker can execute arbitrary SQL by entering crafted strings into logged input fields and headers when the values inserted into the SQL statement come from PatternLayout converters, such as the message converter (%m). |
CVE | 2022-23305 |
CVSS score | 6.8 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.15 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | No fix is released. Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations |
Links:
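The three log4j 1.x rows without a fix version (JMSSink, Chainsaw and the JDBCAppender here) all end with the same advice: stop configuring the component. The following added example, which is not code from Apache Log4j or from this project, is a small check to run over a log4j.properties file that flags the JDBCAppender and JMSSink class names and, for a JDBC appender, the .sql statement into which the %m message converter is interpolated. The sample configuration inside main() is constructed for the example.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Map;
import java.util.Properties;

/** Example only: flag log4j 1.x properties that enable the components named in these findings. */
public final class Log4j1ConfigCheck {

    // Fully qualified class names as shipped in log4j 1.2.x, mapped to the finding they trigger.
    static final Map<String, String> RISKY = Map.of(
            "org.apache.log4j.jdbc.JDBCAppender", "CVE-2022-23305: log message is interpolated into SQL",
            "org.apache.log4j.net.JMSSink", "CVE-2022-23302: JNDI lookup and deserialization of untrusted objects");

    /** Return one finding line per property whose value names a risky component. */
    static List<String> findRisky(Properties props) {
        List<String> hits = new ArrayList<>();
        for (String key : props.stringPropertyNames()) {
            String value = props.getProperty(key).trim();
            String why = RISKY.get(value);
            if (why == null) {
                continue;
            }
            hits.add(key + " = " + value + "  -> " + why);
            // For the JDBCAppender, the .sql property is the statement the log message lands in;
            // a %m converter there is exactly the injection point the finding describes.
            String sql = props.getProperty(key + ".sql");
            if (sql != null && sql.contains("%m")) {
                hits.add(key + ".sql interpolates %m unescaped: " + sql.trim());
            }
        }
        return hits;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample log4j.properties: the console appender is fine, the db appender is not.
        String sample = String.join("\n",
                "log4j.rootLogger=INFO, console, db",
                "log4j.appender.console=org.apache.log4j.ConsoleAppender",
                "log4j.appender.console.layout=org.apache.log4j.PatternLayout",
                "log4j.appender.db=org.apache.log4j.jdbc.JDBCAppender",
                "log4j.appender.db.URL=jdbc:h2:mem:audit",
                "log4j.appender.db.sql=INSERT INTO LOGS (MSG) VALUES ('%m')");
        Properties props = new Properties();
        props.load(new StringReader(sample));
        List<String> hits = findRisky(props);
        if (hits.isEmpty()) {
            System.out.println("no risky log4j 1.x components configured");
        }
        for (String hit : hits) {
            System.out.println(hit);
        }
    }
}
```

A clean result from this check does not make log4j 1.2.15 safe; the SocketServer and Chainsaw findings concern utilities launched from the command line rather than the properties file, and the only complete fix the page offers is the move to log4j 2.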
Attribute | Details |
---|---|
Library | Apache Kafka |
Description | null |
Language | JAVA |
Vulnerability | Data Loss |
Vulnerability description | Apache Kafka is vulnerable to data loss. An authenticated malicious user can send a fetch request during data replication to perform actions reserved for brokers, causing data to be lost. |
CVE | 2018-1288 |
CVSS score | 5.5 |
Vulnerability present in version/s | 0.9.0.0-0.10.2.1 |
Found library version/s | 0.9.0.1 |
Vulnerability fixed in version | 0.10.2.2 |
Library latest version | 2.4.1.7.2.0.2-2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Kafka |
Description | org.apache.kafka:kafka-clients |
Language | JAVA |
Vulnerability | Man-in-the-Middle (MitM) Attack Due To Insecure Defaults |
Vulnerability description | kafka-clients is vulnerable to man-in-the-middle attacks. The vulnerability is present because "ssl.endpoint.identification.algorithm" defaults to null, so no hostname verification is performed on TLS connections. |
CVE | null |
CVSS score | 6.4 |
Vulnerability present in version/s | 0.9.0.0-1.1.1 |
Found library version/s | 0.9.0.1 |
Vulnerability fixed in version | 2.0.0 |
Library latest version | 3.3.1 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Commons IO |
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. |
Language | JAVA |
Vulnerability | Directory Traversal |
Vulnerability description | commons-io is vulnerable to directory traversal. Invoking the method FilenameUtils.normalize with a malicious input string would potentially allow access to files within the parent directory. |
CVE | 2021-29425 |
CVSS score | 5.8 |
Vulnerability present in version/s | 2.2-2.6 |
Found library version/s | 2.4 |
Vulnerability fixed in version | 2.7 |
Library latest version | 2.11.0 |
Fix |
Links:
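Whatever FilenameUtils.normalize returns, the caller still has to decide whether the resulting path lies under the directory it intended to serve from; the commons-io finding bites precisely where that check was delegated to normalize() alone. The following added example, not code from Apache Commons IO or from this project, confines a user-supplied name to a base directory with java.nio.file alone, so it does not depend on the library version. The base directory and inputs in main() are constructed sample values and the paths are POSIX-style.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/** Example only: reject user-supplied file names that resolve outside a base directory. */
public final class SafePath {

    /**
     * Resolve userInput under base and return the normalized target, or null when the result
     * would lie outside base. Path.normalize() collapses "." and ".." segments first, and
     * startsWith() compares whole path elements, so "/srv/app/data2" does not pass for base
     * "/srv/app/data". An absolute userInput replaces base during resolve() and is then
     * rejected by the containment check.
     */
    static Path containedResolve(Path base, String userInput) {
        Path root = base.toAbsolutePath().normalize();
        Path candidate = root.resolve(userInput).normalize();
        if (!candidate.startsWith(root)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed sample values; the last three inputs must all be rejected.
        Path base = Paths.get("/srv/app/data");
        String[] inputs = { "report.txt", "sub/dir/file.log", "../etc/passwd", "//../foo", "/etc/shadow" };
        for (String in : inputs) {
            Path p = containedResolve(base, in);
            System.out.println(in + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

This check reasons about path text only. When the target already exists and symbolic links are possible under the base directory, call toRealPath() on both the base and the candidate before the startsWith() comparison so that a link pointing out of the tree is caught as well.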
Attribute | Details |
---|---|
Library | Apache Commons Collections |
Description | Types that extend and augment the Java Collections Framework. |
Language | JAVA |
Vulnerability | Potential Remote Code Execution Via Java Object Deserialization |
Vulnerability description | Apache Commons Collections includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data; it is not necessary to actually use InvokerTransformer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process. The fix prevents deserialization of InvokerTransformer by default unless it is specifically enabled. CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact. |
CVE | 2015-4852 |
CVSS score | 7.5 |
Vulnerability present in version/s | 3.0.0-3.2.1 |
Found library version/s | 3.2.1 |
Vulnerability fixed in version | 3.2.2 |
Library latest version | 3.2.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | LZ4 and xxHash |
Description | Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) Through Memory Corruption |
Vulnerability description | lz4 is vulnerable to Denial of Service (DoS) attacks. The vulnerability exists because integer overflows are not detected, which allows context-dependent attackers to corrupt memory. Various ports of the native lz4 library, including net.jpountz.lz4:lz4, are affected when they statically load and use the affected native lz4 revision before r119. |
CVE | 2014-4715 |
CVSS score | 5 |
Vulnerability present in version/s | 1.2.0-1.2.0 |
Found library version/s | 1.2.0 |
Vulnerability fixed in version | 1.3.0 |
Library latest version | 1.3.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | OrientDB Core |
Description | OrientDB NoSQL document graph dbms |
Language | JAVA |
Vulnerability | Arbitrary File Write |
Vulnerability description | orientdb is vulnerable to arbitrary file write. The application does not properly validate the destination filepath during compressed file extraction, allowing a malicious user to overwrite files in the target directory. |
CVE | null |
CVSS score | 5 |
Vulnerability present in version/s | 1.7-rc1-3.0.0RC2 |
Found library version/s | 2.1.9 |
Vulnerability fixed in version | 3.0.2 |
Library latest version | 3.2.12 |
Fix |
Links:
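The commons-io finding above (normalize() is not a security boundary) and this OrientDB finding (archive entries written without checking the destination) call for the same defence, so one added example covers both. It is not code from this project, commons-io or OrientDB: every untrusted path is resolved against a fixed base directory and refused unless the normalized result still starts with that directory, and the same check gates each ZIP entry before anything is written. The archive and the entry names (including the "//../foo" shape from the commons-io advisory) are constructed in memory for the demonstration and are Unix-flavoured.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.List;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

public class SafePathExtraction {

    /**
     * Resolves an untrusted relative name inside base and returns the absolute, normalized
     * result, or throws if it escapes base. The containment check is the boundary;
     * normalization on its own (as with FilenameUtils.normalize) is not.
     */
    static Path safeResolve(Path base, String untrusted) throws IOException {
        Path root = base.toAbsolutePath().normalize();
        Path candidate;
        try {
            candidate = root.resolve(untrusted).normalize(); // absolute input replaces root here
        } catch (InvalidPathException e) {
            throw new IOException("rejected malformed path: " + untrusted, e);
        }
        if (!candidate.startsWith(root)) {
            throw new IOException("rejected path escaping " + root + ": " + untrusted);
        }
        return candidate;
    }

    /** Extracts into targetDir; a single bad entry aborts extraction rather than being skipped. */
    static List<Path> extractZip(InputStream archive, Path targetDir) throws IOException {
        List<Path> written = new ArrayList<>();
        try (ZipInputStream zin = new ZipInputStream(archive)) {
            for (ZipEntry entry = zin.getNextEntry(); entry != null; entry = zin.getNextEntry()) {
                Path dest = safeResolve(targetDir, entry.getName()); // attacker-controlled name
                if (entry.isDirectory()) {
                    Files.createDirectories(dest);
                } else {
                    Files.createDirectories(dest.getParent());
                    Files.copy(zin, dest); // reads to end of entry; ZipEntry.getSize() is untrusted
                    written.add(dest);
                }
                zin.closeEntry();
            }
        }
        return written;
    }

    /** Constructed test data: a small archive with the given entry names. */
    static byte[] buildArchive(String... entryNames) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zout = new ZipOutputStream(bos)) {
            for (String name : entryNames) {
                zout.putNextEntry(new ZipEntry(name));
                zout.write(("content of " + name).getBytes(StandardCharsets.UTF_8));
                zout.closeEntry();
            }
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        Path target = Files.createTempDirectory("safe-extract");

        // A benign archive extracts normally.
        for (Path p : extractZip(new ByteArrayInputStream(buildArchive("reports/q1.txt")), target)) {
            System.out.println("wrote " + p);
        }

        // Traversal, the "//../foo" shape, and an absolute name are all refused before any write.
        String[] hostile = {"../../outside.txt", "//../foo", "/etc/cron.d/job"};
        for (String name : hostile) {
            try {
                extractZip(new ByteArrayInputStream(buildArchive(name)), target);
                System.out.println("UNEXPECTED: extracted " + name);
            } catch (IOException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The check deliberately runs on the normalized absolute path rather than on the entry string, so encodings such as repeated slashes or "./" segments cannot help an entry slip past it. If the target directory may contain symlinks, resolve it with `toRealPath()` before the comparison as well.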
Attribute | Details |
---|---|
Library | Netty |
Description | The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol serv |
Language | JAVA |
Vulnerability | Information Disclosure By Bypassing HttpOnly Flag On Cookies |
Vulnerability description | Netty before 3.9.8.Final does not validate the characters allowed in cookie names and values. This allows attackers to bypass the HttpOnly flag on cookies and so gain access to sensitive cookie data. |
CVE | 2015-2156 |
CVSS score | 4.3 |
Vulnerability present in version/s | 3.3.0.Final-3.9.7.Final |
Found library version/s | 3.7.0.Final |
Vulnerability fixed in version | 3.9.8.Final |
Library latest version | 4.0.0.Alpha8 |
Fix |
Links:
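An added example, not Netty's code, of the kind of validation the fix introduced: cookie names are checked against the HTTP token character set and values against the RFC 6265 cookie-octet set before a Set-Cookie header is assembled. A value that may carry ";" or CR/LF can terminate the cookie early, append attributes, or start a second header, which is how an attacker-influenced value undermines the HttpOnly attribute the server intended to set. The sample values are constructed; the character classes are RFC 6265's, not a reproduction of Netty's own rules.

```java
public class CookieHeaderCheck {

    /** RFC 6265 cookie-octet: 0x21, 0x23-0x2B, 0x2D-0x3A, 0x3C-0x5B, 0x5D-0x7E (no CTL, SP, '"', ',', ';', '\\'). */
    static boolean isCookieOctet(char c) {
        return c == 0x21 || (c >= 0x23 && c <= 0x2B) || (c >= 0x2D && c <= 0x3A)
            || (c >= 0x3C && c <= 0x5B) || (c >= 0x5D && c <= 0x7E);
    }

    /** HTTP token character: printable ASCII excluding separators. */
    static boolean isTokenChar(char c) {
        if (c <= 0x20 || c >= 0x7F) return false;
        return "()<>@,;:\\\"/[]?={}".indexOf(c) < 0;
    }

    static boolean isValidCookieName(String name) {
        if (name == null || name.isEmpty()) return false;
        for (int i = 0; i < name.length(); i++) {
            if (!isTokenChar(name.charAt(i))) return false;
        }
        return true;
    }

    static boolean isValidCookieValue(String value) {
        if (value == null) return false;
        String v = value;
        if (v.length() >= 2 && v.charAt(0) == '"' && v.charAt(v.length() - 1) == '"') {
            v = v.substring(1, v.length() - 1); // RFC 6265 permits a DQUOTE-wrapped value
        }
        for (int i = 0; i < v.length(); i++) {
            if (!isCookieOctet(v.charAt(i))) return false;
        }
        return true;
    }

    /** Builds a Set-Cookie header value, refusing input that could smuggle attributes or headers. */
    static String setCookieHeader(String name, String value, boolean httpOnly, boolean secure) {
        if (!isValidCookieName(name)) throw new IllegalArgumentException("invalid cookie name");
        if (!isValidCookieValue(value)) throw new IllegalArgumentException("invalid cookie value");
        StringBuilder sb = new StringBuilder(name).append('=').append(value).append("; Path=/");
        if (secure) sb.append("; Secure");
        if (httpOnly) sb.append("; HttpOnly");
        return sb.toString();
    }

    public static void main(String[] args) {
        String[] values = {                                   // constructed samples
            "abc123",                                         // plain value
            "\"quoted\"",                                     // quoted form
            "abc; Max-Age=0",                                 // ';' ends the cookie, appends an attribute
            "abc\r\nSet-Cookie: session=evil",                // CR/LF starts a second header
        };
        for (String v : values) {
            String shown = v.replace("\r", "\\r").replace("\n", "\\n");
            try {
                System.out.println("OK      " + setCookieHeader("session", v, true, true));
            } catch (IllegalArgumentException e) {
                System.out.println("REJECT  " + e.getMessage() + ": " + shown);
            }
        }
    }
}
```

Validating on the encoding side is the right place for this check: by the time the value is inside a header line, no amount of escaping on the client can restore the attributes that were cut off.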
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | Deserialisation Of Untrusted Object |
Vulnerability description | JMSAppender in Log4j 1.x is vulnerable to deserialization of untrusted data. When an application is configured to use JMSAppender with TopicBindingName or TopicConnectionFactoryBindingName set to something JNDI can resolve, for example "ldap://host:port/a", an attacker who controls that endpoint can execute code on the server, as with CVE-2021-44228 in Log4j 2.x. Unlike that flaw, this one depends entirely on configuration: JMSAppender is not enabled by default, and the attacker needs write access to the Log4j configuration. Note: this CVE is for Log4j 1.x; the corresponding flaw in Log4j 2.x is CVE-2021-44228. |
CVE | 2021-4104 |
CVSS score | 6 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.15 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | log4j 1.x is End of Life. Its security vulnerabilities will not be fixed. Recommended to upgrade to the latest fix version of Log4j 2. |
Links:
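Since this finding hinges on configuration rather than on code, the useful check is an audit of the deployed log4j 1.x configuration. The following is an added example, not Log4j's or this project's code: it loads a properties-style configuration, finds every appender declared as org.apache.log4j.net.JMSAppender, and reports a HIGH finding when either binding name is a JNDI URL and a REVIEW finding for any other JMSAppender (the library is end of life, so the appender should go regardless). The sample configuration and the hostname in it are constructed.

```java
import java.io.IOException;
import java.io.StringReader;
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Properties;

public class Log4j1JmsAppenderAudit {

    // Constructed sample: a file appender plus a JMSAppender pointed at a JNDI URL.
    static final String SAMPLE = String.join("\n",
        "log4j.rootLogger=INFO, file, jms",
        "log4j.appender.file=org.apache.log4j.RollingFileAppender",
        "log4j.appender.file.File=/var/log/app.log",
        "log4j.appender.jms=org.apache.log4j.net.JMSAppender",
        "log4j.appender.jms.InitialContextFactoryName=com.sun.jndi.ldap.LdapCtxFactory",
        "log4j.appender.jms.TopicConnectionFactoryBindingName=ldap://attacker.example:1389/a",
        "log4j.appender.jms.TopicBindingName=ldap://attacker.example:1389/b");

    static final String APPENDER_PREFIX = "log4j.appender.";
    static final String JMS_APPENDER = "org.apache.log4j.net.JMSAppender";
    static final String[] BINDING_ATTRS = {"TopicBindingName", "TopicConnectionFactoryBindingName"};
    static final String[] JNDI_SCHEMES = {"ldap:", "ldaps:", "rmi:", "iiop:", "dns:"};

    static Properties parse(String text) throws IOException {
        Properties p = new Properties();
        p.load(new StringReader(text));
        return p;
    }

    /** Returns one finding per JMSAppender: HIGH if a binding name is a JNDI URL, REVIEW otherwise. */
    static List<String> audit(Properties cfg) {
        List<String> findings = new ArrayList<>();
        for (Map.Entry<Object, Object> e : cfg.entrySet()) {
            String key = e.getKey().toString();
            // Appender declarations are exactly "log4j.appender.<name>"; skip their sub-properties.
            if (!key.startsWith(APPENDER_PREFIX) || key.indexOf('.', APPENDER_PREFIX.length()) >= 0) continue;
            if (!JMS_APPENDER.equals(e.getValue().toString().trim())) continue;

            boolean jndiUrl = false;
            for (String attr : BINDING_ATTRS) {
                String v = cfg.getProperty(key + "." + attr, "").trim().toLowerCase(Locale.ROOT);
                for (String scheme : JNDI_SCHEMES) {
                    if (v.startsWith(scheme)) {
                        jndiUrl = true;
                        findings.add("HIGH: " + key + "." + attr + " is a JNDI URL: " + v);
                    }
                }
            }
            if (!jndiUrl) {
                findings.add("REVIEW: " + key + " declares JMSAppender (log4j 1.x is EOL; remove or migrate)");
            }
        }
        return findings;
    }

    public static void main(String[] args) throws IOException {
        for (String finding : audit(parse(SAMPLE))) {
            System.out.println(finding);
        }
    }
}
```

The scheme list is deliberately narrow; a binding name that is not a URL can still resolve through a remote InitialContext if ProviderURL points off-host, which is why the REVIEW finding is emitted for every JMSAppender rather than only for URL-shaped names.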
Attribute | Details |
---|---|
Library | Apache Commons Collections |
Description | Types that extend and augment the Java Collections Framework. |
Language | JAVA |
Vulnerability | Arbitrary Code Execution |
Vulnerability description | Apache Commons Collections (ACC) is vulnerable to arbitrary code execution. Any application that uses ACC directly, or merely has it on the classpath, and deserializes untrusted data allows a malicious user to inject and execute arbitrary code upon deserialization. |
CVE | 2015-6420 |
CVSS score | 7.5 |
Vulnerability present in version/s | 3.2-3.2.1 |
Found library version/s | 3.2.1 |
Vulnerability fixed in version | 3.2.2 |
Library latest version | 3.2.2 |
Fix |
Links:
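Both Commons Collections entries above describe the same condition: a gadget class on the classpath plus an ObjectInputStream fed untrusted bytes. Upgrading to 3.2.2 removes the default gadget, but the durable fix is on the consuming side, and the following added example (not this project's or Commons Collections' code) shows it with the JDK 9+ ObjectInputFilter: only the message class the endpoint expects is allow-listed, the functors packages are denied by name, and a trailing "!*" rejects everything else, so a stream naming InvokerTransformer or any other gadget is refused before its deserialization logic runs. The Ping message type and the rejected sample (a java.util.Date, standing in for any unexpected class) are constructed; no Commons Collections jar is needed to run it.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InvalidClassException;
import java.io.ObjectInputFilter;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.Serializable;
import java.util.Date;

public class DeserializationAllowList {

    /** The single message type this endpoint legitimately accepts (constructed for the example). */
    static final class Ping implements Serializable {
        private static final long serialVersionUID = 1L;
        final String host;
        final int seq;
        Ping(String host, int seq) { this.host = host; this.seq = seq; }
    }

    /**
     * JEP 290 pattern filter. Entries are separated by ';', '!' rejects, '**' covers subpackages,
     * and the first matching pattern wins. The explicit denies are redundant with the final "!*"
     * but document intent; maxdepth/maxrefs bound nested-object DoS payloads.
     */
    static final ObjectInputFilter FILTER = ObjectInputFilter.Config.createFilter(
        "!org.apache.commons.collections.functors.**;"
      + "!org.apache.commons.collections4.functors.**;"
      + Ping.class.getName() + ";java.lang.String;"
      + "maxdepth=5;maxrefs=50;!*");

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    /** Deserializes with the allow-list in place; the filter must be set before the first readObject(). */
    static Object readWithAllowList(byte[] bytes) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(bytes))) {
            in.setObjectInputFilter(FILTER);
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        Object ok = readWithAllowList(serialize(new Ping("db-1", 7)));
        System.out.println("accepted: " + ok.getClass().getName());

        try {
            readWithAllowList(serialize(new Date())); // any class outside the allow-list
            System.out.println("UNEXPECTED: Date accepted");
        } catch (InvalidClassException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

On Java 8, the equivalent is an ObjectInputStream subclass whose resolveClass() throws InvalidClassException for any descriptor not on the allow-list. Either way, the list should name concrete classes, not packages, because a gadget chain only needs one permissive wildcard.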
Attribute | Details |
---|---|
Library | Apache XML Security for Java |
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver |
Language | JAVA |
Vulnerability | Bypass Of Secure Validation |
Vulnerability description | Apache Santuario is vulnerable to a bypass of secure validation. The secureValidation property is not passed correctly when a KeyInfo is created from a KeyInfoReference element, which allows an attacker to abuse an XPath Transform in a RetrievalMethod element to extract the contents of any local .xml file. |
CVE | 2021-40690 |
CVSS score | 5 |
Vulnerability present in version/s | 1.4.5-2.1.6 |
Found library version/s | 1.5.1 |
Vulnerability fixed in version | 2.1.7 |
Library latest version | 3.0.1 |
Fix |
Links: