
example-java-maven's People

Contributors

codelion, dariusf, gmdavef, hendychua, jsyeo, sirfixabot

example-java-maven's Issues

CVE: 0000-0000 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Keycloak SAML Core
Description | Keycloak SSO
Language | JAVA
Vulnerability | SAML Assertion Insertion
Vulnerability description | Keycloak saml-core is vulnerable to malicious SAML assertion insertion. This vulnerability is due to the fact that the assertions are not verified as signed before being accepted.
CVE | null
CVSS score | 6.4
Vulnerability present in version/s | 1.1.0.Beta1-1.9.0.CR1
Found library version/s | 1.8.1.Final
Vulnerability fixed in version | 1.9.0.Final
Library latest version | 20.0.1
Fix |

CVE: 2018-8012 found in Apache ZooKeeper - Server - Version: 3.4.6 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache ZooKeeper - Server
Description | ZooKeeper server
Language | JAVA
Vulnerability | Authentication Bypass
Vulnerability description | Apache ZooKeeper is vulnerable to authentication bypasses. The application does not have authentication or authorization when a server joins a QuorumPeer, allowing a malicious user to connect to an arbitrary endpoint to pass malicious changes to the quorum.
CVE | 2018-8012
CVSS score | 5
Vulnerability present in version/s | 3.3.0-3.4.9
Found library version/s | 3.4.6
Vulnerability fixed in version | 3.4.10
Library latest version | 3.8.0
Fix |

CVE: 2015-0886 found in jBCrypt - Version: 0.3m [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | jBCrypt
Description | OpenBSD-style Blowfish password hashing for Java
Language | JAVA
Vulnerability | Information Disclosure Of Password Hashes Through Crypt_raw
Vulnerability description | Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
CVE | 2015-0886
CVSS score | 5
Vulnerability present in version/s | 0.3m-0.3m
Found library version/s | 0.3m
Vulnerability fixed in version | 0.4
Library latest version | 0.4
Fix |

CVE: 2017-5637 found in Apache ZooKeeper - Server - Version: 3.4.6 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache ZooKeeper - Server
Description | ZooKeeper server
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | ZooKeeper is vulnerable to denial of service (DoS) attacks. The vulnerability is possible because it does not properly handle four-letter ZooKeeper commands (such as wchp/wchc). Therefore, when non-trusted clients get access to the client port (i.e., if the ZooKeeper service is not protected using a firewall), an attacker can launch a DoS attack.
CVE | 2017-5637
CVSS score | 5
Vulnerability present in version/s | 3.4.0-3.4.9
Found library version/s | 3.4.6
Vulnerability fixed in version | 3.4.10
Library latest version | 3.8.0
Fix |

CVE: 2017-2582 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Keycloak SAML Core
Description | Keycloak SSO
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | keycloak-saml-core is vulnerable to sensitive information disclosure. The attack exists because SAML messages are being parsed by replacing the string to obtain the attribute values with the system property in the StaxParserUtil class. Therefore, an attacker can just pass the chosen system property name through the SAML request ID field and get the response with the system property value in the InResponseTo field.
CVE | 2017-2582
CVSS score | 4
Vulnerability present in version/s | 1.2.0.CR1-2.5.0.Final
Found library version/s | 1.8.1.Final
Vulnerability fixed in version | 2.5.1.Final
Library latest version | 20.0.1
Fix |

CVE: 2017-2646 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Keycloak SAML Core
Description | Keycloak SSO
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | keycloak-saml-core is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to the mishandling of a Logout request with Extensions in the middle of the request.
CVE | 2017-2646
CVSS score | 5
Vulnerability present in version/s | 1.2.0.CR1-2.5.4.Final
Found library version/s | 1.8.1.Final
Vulnerability fixed in version | 2.5.5.Final
Library latest version | 20.0.1
Fix |

H2 DB Engine 1.3.176 has a vulnerability

Arbitrary Code Execution in gmdavef/example-java-maven (master)

Issue Details

  • Vulnerability: Arbitrary Code Execution
  • Severity: Medium
  • Project: gmdavef/example-java-maven
  • Branch: master
  • Scan Date: Unknown

Issue Description

H2 Database Engine is vulnerable to arbitrary code execution. It allows an authorized user to inject arbitrary Java code using the H2 SQL ALIAS command CREATE ALIAS.


CVE: 2013-4517 found in Apache XML Security for Java - Version: 1.5.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache XML Security for Java
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver
Language | JAVA
Vulnerability | Denial Of Service (DoS) Memory Consumption
Vulnerability description | Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
CVE | 2013-4517
CVSS score | 4.3
Vulnerability present in version/s | 1.0-1.5.5
Found library version/s | 1.5.1
Vulnerability fixed in version | 1.5.6
Library latest version | 3.0.1
Fix |

CVE: 2022-23302 found in Apache Log4j - Version: 1.2.15 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Log4j
Description | Apache Log4j 1.2
Language | JAVA
Vulnerability | Deserialisation Of Untrusted Object
Vulnerability description | JMSSink in log4j is vulnerable to deserialization of untrusted objects. The insecure use of JNDI in JMSSink allows an attacker to send a malicious object to an LDAP store if it is accessible by an attacker or is configured to use an untrusted site, leading to remote code execution. Note: this vulnerability only affects applications specifically configured to use JMSSink, which is not the default.
CVE | 2022-23302
CVSS score | 6
Vulnerability present in version/s | 1.1.3-1.2.17
Found library version/s | 1.2.15
Vulnerability fixed in version |
Library latest version | 1.2.17
Fix | No fix is released. Users should upgrade to Log4j 2 or remove usage of the JMSSink from their configurations.

CVE: 0000-0000 found in H2 Database Engine - Version: 1.3.176 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | H2 Database Engine
Description | H2 Database Engine
Language | JAVA
Vulnerability | POODLE Attack
Vulnerability description | h2database is vulnerable to POODLE attacks. The library defaults to SSLv3 for secure anonymous connections, which is vulnerable to POODLE attacks.
CVE | null
CVSS score | 4.3
Vulnerability present in version/s | 1.3.176-1.4.182
Found library version/s | 1.3.176
Vulnerability fixed in version | 1.4.183
Library latest version | 2.1.214
Fix |

CVE: 2014-4611 found in LZ4 and xxHash - Version: 1.2.0 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | LZ4 and xxHash
Description | Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm
Language | JAVA
Vulnerability | Denial Of Service (DoS) Through Memory Corruption
Vulnerability description | lz4 is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to an integer overflow bug in the LZ4 algorithm implementation, used in the native lz4 library, which allows context-dependent attackers to corrupt memory and crash the system. Various ports of the native lz4 library, including net.jpountz.lz4:lz4, are affected when they statically load and use the affected native lz4 revision before r118.
CVE | 2014-4611
CVSS score | 5
Vulnerability present in version/s | 1.2.0-1.2.0
Found library version/s | 1.2.0
Vulnerability fixed in version | 1.3.0
Library latest version | 1.3.0
Fix |

CVE: 0000-0000 found in Apache Commons IO - Version: 2.4 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Commons IO
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Language | JAVA
Vulnerability | Remote Code Execution (RCE) Via Java Object Deserialization
Vulnerability description | commons-io is vulnerable to remote code execution (RCE) attacks. These attacks are possible because the library doesn't restrict the classes which can be accepted when deserializing a binary.
CVE | null
CVSS score | 5.1
Vulnerability present in version/s | 1.0-2.4
Found library version/s | 2.4
Vulnerability fixed in version | 2.5
Library latest version | 2.11.0
Fix |

CVE: 0000-0000 found in Apache ZooKeeper - Server - Version: 3.4.6 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache ZooKeeper - Server
Description | ZooKeeper server
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | ZooKeeper is vulnerable to denial of service (DoS) attacks. The application doesn't properly check string length before allocating memory, allowing a malicious user to pass a long string to cause memory exhaustion.
CVE | null
CVSS score | 5
Vulnerability present in version/s | 3.3.0-3.4.6
Found library version/s | 3.4.6
Vulnerability fixed in version | 3.4.7
Library latest version | 3.8.0
Fix |

CVE: 2015-6420 found in Apache Commons Collections - Version: 3.2.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Commons Collections
Description | Types that extend and augment the Java Collections Framework.
Language | JAVA
Vulnerability | Arbitrary Code Execution
Vulnerability description | commons-collections is vulnerable to arbitrary code execution. A remote attacker is able to execute arbitrary commands via a malicious serialized Java object.
CVE | 2015-6420
CVSS score | 7.5
Vulnerability present in version/s | 3.0-3.2.1
Found library version/s | 3.2.1
Vulnerability fixed in version | 3.2.2
Library latest version | 3.2.2
Fix | Apply the fix below.

CVE: 2019-17571 found in Apache Log4j - Version: 1.2.15 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Log4j
Description | Apache Log4j 1.2
Language | JAVA
Vulnerability | Arbitrary Code Execution
Vulnerability description | log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in TcpSocketServer and UdpSocketServer when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.
CVE | 2019-17571
CVSS score | 7.5
Vulnerability present in version/s | 1.1.3-1.2.17
Found library version/s | 1.2.15
Vulnerability fixed in version |
Library latest version | 1.2.17
Fix | log4j:log4j 1.x is end of life. We recommend that users upgrade to the latest version of org.apache.logging.log4j:log4j-core.

CVE: 2018-11776 found in Struts 2 Core - Version: 2.5.12 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Struts 2 Core
Description | Apache Struts 2
Language | JAVA
Vulnerability | Remote Code Execution (RCE)
Vulnerability description | struts2-core is vulnerable to remote code execution (RCE) attacks. These attacks are possible when using a namespace or url tag which doesn't have a value and action set and where its upper action configuration is using a wildcard namespace or has no namespace.
CVE | 2018-11776
CVSS score | 9.3
Vulnerability present in version/s | 2.5-BETA1-2.5.16
Found library version/s | 2.5.12
Vulnerability fixed in version | 2.5.17
Library latest version | 6.0.3
Fix |

CVE: 0000-0000 found in H2 Database Engine - Version: 1.3.176 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | H2 Database Engine
Description | H2 Database Engine
Language | JAVA
Vulnerability | Man-in-the-Middle (MitM)
Vulnerability description | The h2 database engine is vulnerable to man-in-the-middle (MitM) attacks. The vulnerability exists because an existing system property for the h2 console and server mode is configured to use an anonymous SSL connection by default.
CVE | null
CVSS score | 6.4
Vulnerability present in version/s | 1.3.176-1.4.182
Found library version/s | 1.3.176
Vulnerability fixed in version | 1.4.183
Library latest version | 2.1.214
Fix |

CVE: 0000-0000 found in OrientDB Core - Version: 2.1.9 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | OrientDB Core
Description | OrientDB NoSQL document graph dbms
Language | JAVA
Vulnerability | Timing Attack Via Comparison Function
Vulnerability description | orientdb-core is vulnerable to timing attacks. The vulnerability is due to the use of a regular string comparison function to compare the user-supplied and expected passwords.
CVE | null
CVSS score | 5
Vulnerability present in version/s | 1.0rc9-2.1.10
Found library version/s | 2.1.9
Vulnerability fixed in version | 2.1.11
Library latest version | 3.2.12
Fix |

CVE: 2014-3488 found in Netty - Version: 3.7.0.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Netty
Description | The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol serv
Language | JAVA
Vulnerability | Denial Of Service (DoS) CPU Consumption
Vulnerability description | The SslHandler in Netty before 3.9.2 allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted SSLv2Hello message.
CVE | 2014-3488
CVSS score | 5
Vulnerability present in version/s | 3.3.0.Final-3.9.0.Final
Found library version/s | 3.7.0.Final
Vulnerability fixed in version | 3.9.2.Final
Library latest version | 4.0.0.Alpha8
Fix |

CVE: 0000-0000 found in Apache Sling Engine - Version: 2.0.4-incubator [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Sling Engine
Description | Bundle implementing the core of Apache Sling.
Language | JAVA
Vulnerability | UI Redress Attacks
Vulnerability description | Apache Sling Engine may be vulnerable to UI Redress attacks when using the default headers. The reason it may be vulnerable is that the X-Frame-Options header was not present by default.
CVE | null
CVSS score | 6.4
Vulnerability present in version/s | 2.0.4-incubator-2.4.4
Found library version/s | 2.0.4-incubator
Vulnerability fixed in version | 2.4.6
Library latest version | 2.12.2
Fix |

CVE: 2022-23307 found in Apache Log4j - Version: 1.2.15 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Log4j
Description | Apache Log4j 1.2
Language | JAVA
Vulnerability | Remote Code Execution (RCE)
Vulnerability description | Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability exists due to a deserialization of untrusted object vulnerability allowing an attacker to execute maliciously scripted code via the system.
CVE | 2022-23307
CVSS score | 9
Vulnerability present in version/s | 1.1.3-1.2.17
Found library version/s | 1.2.15
Vulnerability fixed in version |
Library latest version | 1.2.17
Fix | There is currently no fix version for this package. Upgrade to log4j 2, use another utility to view logs, or remove the Chainsaw component if possible.

CVE: 2019-0201 found in Apache ZooKeeper - Server - Version: 3.4.6 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache ZooKeeper - Server
Description | ZooKeeper server
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | Apache ZooKeeper is affected by unauthorized information disclosure. The getACL() command does not check permissions when retrieving the ACLs of the requested node. Consequently, plaintext information contained in the ACL Id field is returned. This allows an attacker to retrieve users' Id and authentication digests, and gain access to the application on behalf of the user.
CVE | 2019-0201
CVSS score | 4.3
Vulnerability present in version/s | 3.3.0-3.4.13
Found library version/s | 3.4.6
Vulnerability fixed in version | 3.5.5
Library latest version | 3.8.0
Fix |

CVE: 0000-0000 found in Apache Kafka - Version: 0.9.0.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Kafka
Description | org.apache.kafka:kafka-clients
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | kafka-clients is vulnerable to the leakage of sensitive information. The vulnerability exists because it logs the values of sensitive configuration information.
CVE | null
CVSS score | 4.9
Vulnerability present in version/s | 0.8.2-beta-0.10.0.1
Found library version/s | 0.9.0.1
Vulnerability fixed in version | 0.10.1.0
Library latest version | 3.3.1
Fix |

CVE: 0000-0000 found in Apache FreeMarker - Version: 2.3.23 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache FreeMarker
Description | FreeMarker is a "template engine"; a generic tool to generate text output based on templates.
Language | JAVA
Vulnerability | Server-Side Template Injection (SSTI)
Vulnerability description | freemarker is vulnerable to server-side template injection (SSTI). By using java.security.ProtectionDomain.getClassLoader in templates, an attacker is able to gain access to the classloader and subsequently the filesystem, or execute arbitrary code on the host OS.
CVE | null
CVSS score | 7.5
Vulnerability present in version/s | 2.3.9-2.3.29
Found library version/s | 2.3.23
Vulnerability fixed in version | 2.3.30
Library latest version | 2.3.31
Fix |

CVE: 0000-0000 found in Apache Kafka - Version: 0.9.0.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Kafka
Description | null
Language | JAVA
Vulnerability | Unauthorized Modification Of Nodes
Vulnerability description | Kafka is vulnerable to unauthorized modification of nodes. The library does not secure important nodes such as kafka-acls when migrating information. This can allow a malicious user to delete and recreate nodes before the Access Control Lists get set.
CVE | null
CVSS score | 3.5
Vulnerability present in version/s | 0.9.0.0-0.10.2.0
Found library version/s | 0.9.0.1
Vulnerability fixed in version | 0.10.2.1
Library latest version | 2.4.1.7.2.0.2-2
Fix |

CVE: 0000-0000 found in Apache Kafka - Version: 0.9.0.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Kafka
Description | org.apache.kafka:kafka-clients
Language | JAVA
Vulnerability | Man-in-the-Middle (MitM)
Vulnerability description | kafka-clients is vulnerable to man-in-the-middle (MitM) attacks. The vulnerability exists because it uses InetAddress.getHostName() to perform hostname verification, using the hostname obtained through a reverse DNS lookup. Therefore, the authentication relies on secure DNS. The attack is only possible when the client connects to the server using an IP address and DNS is forged or insecure.
CVE | null
CVSS score | 4
Vulnerability present in version/s | 0.9.0.0-0.10.2.0
Found library version/s | 0.9.0.1
Vulnerability fixed in version | 0.10.2.1
Library latest version | 3.3.1
Fix |

CVE: 2018-14335 found in H2 Database Engine - Version: 1.3.176 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | H2 Database Engine
Description | H2 Database Engine
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | h2 is vulnerable to information disclosure. The library doesn't check if the filename parameter in the backup command points to a symlinked directory, allowing a malicious user to gain access to sensitive information in the database.
CVE | 2018-14335
CVSS score | 4
Vulnerability present in version/s | 1.0.20070304-2.0.204
Found library version/s | 1.3.176
Vulnerability fixed in version |
Library latest version | 2.1.214
Fix | There is no non-vulnerable version of this component/package. We recommend using alternative components or a potential mitigating control.

CVE: 0000-0000 found in Neo4j - JMX support - Version: 1.3 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Neo4j - JMX support
Description | Management support using JMX.
Language | JAVA
Vulnerability | File System Information Disclosure
Vulnerability description | Neo4j is vulnerable to information disclosure. The StoreDirectory JMX property stores the server's file system path and may be disclosed.
CVE | null
CVSS score | 5
Vulnerability present in version/s | 1.3-3.0.0-M04
Found library version/s | 1.3
Vulnerability fixed in version | 3.0.0-M05
Library latest version | 3.5.35
Fix |

CVE: 2021-42392 found in H2 Database Engine - Version: 1.3.176 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | H2 Database Engine
Description | H2 Database Engine
Language | JAVA
Vulnerability | Remote Code Execution (RCE)
Vulnerability description | h2 is vulnerable to remote code execution. The vulnerability exists due to the use of the javax.naming.Context.lookup method, which performs a JNDI lookup, as a dangerous function/sink, allowing an attacker to load a custom class / remote LDAP/RMI queries and execute malicious code in a process with the H2 Console exposed to the LAN or WAN. (Note: the H2 Console isn't always used with the H2 database and listens only on localhost by default.)
CVE | 2021-42392
CVSS score | 10
Vulnerability present in version/s | 1.0.57-2.0.204
Found library version/s | 1.3.176
Vulnerability fixed in version | 2.0.206
Library latest version | 2.1.214
Fix | We recommend all users of the H2 database to upgrade to version 2.0.206, even if you are not directly using the H2 console. This is due to the fact that other attack vectors exist, and their exploitability may be difficult to ascertain.

CVE: 2014-0193 found in Netty - Version: 3.7.0.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Netty
Description | The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol serv
Language | JAVA
Vulnerability | Denial Of Service (DoS) Memory Consumption
Vulnerability description | Netty is vulnerable to denial of service. The vulnerability exists due to the lack of an upper limit on the size of a StringBuffer, which provides the memory consumption vector and allows a remote attacker to completely exhaust the memory available to the Java Virtual Machine, causing the DoS condition.
CVE | 2014-0193
CVSS score | 5
Vulnerability present in version/s | 3.7.0-3.7.0.Final
Found library version/s | 3.7.0.Final
Vulnerability fixed in version | 3.7.1.Final
Library latest version | 4.0.0.Alpha8
Fix |

CVE: 0000-0000 found in Apache ZooKeeper - Server - Version: 3.4.6 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache ZooKeeper - Server
Description | ZooKeeper server
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | ZooKeeper is vulnerable to denial of service (DoS) attacks. The vulnerability is possible because the pRequest() method in PrepRequestProcessor.java allows an attacker to generate a proposal from a request that is larger than the maxbuffer. This is possible because it does not check the size of the proposal before creation, and leads to the server being unavailable.
CVE | null
CVSS score | 5
Vulnerability present in version/s | 3.3.0-3.4.10
Found library version/s | 3.4.6
Vulnerability fixed in version | 3.4.11
Library latest version | 3.8.0
Fix | Apply the following fix

CVE: 2020-9493 found in Apache Log4j - Version: 1.2.15 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Log4j
Description | Apache Log4j 1.2
Language | JAVA
Vulnerability | Remote Code Execution (RCE)
Vulnerability description | Apache Chainsaw in log4j is vulnerable to remote code execution. The vulnerability exists due to a deserialization of untrusted object vulnerability allowing an attacker to execute maliciously scripted code via the system.
CVE | 2020-9493
CVSS score | 6.8
Vulnerability present in version/s | 1.1.3-1.2.17
Found library version/s | 1.2.15
Vulnerability fixed in version |
Library latest version | 1.2.17
Fix | There is currently no fix version for this package. Upgrade to log4j 2, use another utility to view logs, or remove the Chainsaw component if possible.

CVE: 2015-2944 found in Apache Sling API - Version: 2.0.4-incubator [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Sling API
Description | The Apache Sling API defines an extension to the Servlet API 2.4 to provide access to content and unified access to request parameters hiding the differences between the different methods of transferr
Language | JAVA
Vulnerability | Multiple Cross-site Scripting (XSS) Vulnerabilities
Vulnerability description | Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
CVE | 2015-2944
CVSS score | 4.3
Vulnerability present in version/s | 0.0-2.2.1
Found library version/s | 2.0.4-incubator
Vulnerability fixed in version | 2.2.2
Library latest version | 2.27.0
Fix |

CVE: 2018-10054 found in H2 Database Engine - Version: 1.3.176 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | H2 Database Engine
Description | H2 Database Engine
Language | JAVA
Vulnerability | Arbitrary Code Execution
Vulnerability description | H2 Database Engine is vulnerable to arbitrary code execution. It allows an authorized user to inject arbitrary Java code using the H2 SQL ALIAS command CREATE ALIAS.
CVE | 2018-10054
CVSS score | 6.5
Vulnerability present in version/s | 1.2.129-2.1.214
Found library version/s | 1.3.176
Vulnerability fixed in version |
Library latest version | 2.1.214
Fix | We recommend the customer use H2 Database Engine with explicit security settings as below: the H2 web console should be restricted to a secure environment and localhost, so that anyone who wants more open access must configure that explicitly ("security by default"). Set a password for the H2 console login.

CVE: 0000-0000 found in Apache Kafka - Version: 0.9.0.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Kafka
Description | null
Language | JAVA
Vulnerability | Leakage Of Unauthorized Topic Information
Vulnerability description | Apache Kafka is vulnerable to leakage of unauthorized topic information. The vulnerability exists because it does not prevent sending error messages with topic information even though the end user should not have access to it.
CVE | null
CVSS score | 5
Vulnerability present in version/s | 0.9.0.0-0.10.0.1
Found library version/s | 0.9.0.1
Vulnerability fixed in version | 0.10.1.0
Library latest version | 2.4.1.7.2.0.2-2
Fix |

CVE: 2013-2172 found in Apache XML Security for Java - Version: 1.5.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache XML Security for Java
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver
Language | JAVA
Vulnerability | Spoofable XML Signature
Vulnerability description | jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature.
CVE | 2013-2172
CVSS score | 4.3
Vulnerability present in version/s | 1.5.0-1.5.4
Found library version/s | 1.5.1
Vulnerability fixed in version | 1.5.5
Library latest version | 3.0.1
Fix |

CVE: 2014-0085 found in Apache ZooKeeper - Server - Version: 3.4.6 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache ZooKeeper - Server
Description | ZooKeeper server
Language | JAVA
Vulnerability | Cleartext Admin Passwords
Vulnerability description | Apache ZooKeeper is vulnerable to information disclosure. The data for ZooKeeper is not stored encrypted, so measures need to be taken when storing sensitive information, as the information might be printed in the logs. Note: This vulnerability was not actually fixed; adequate documentation was added instead.
CVE | 2014-0085
CVSS score | 2.1
Vulnerability present in version/s | 3.3.0-3.4.6
Found library version/s | 3.4.6
Vulnerability fixed in version | 3.4.7
Library latest version | 3.8.0
Fix |

CVE: 2022-23305 found in Apache Log4j - Version: 1.2.15 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Log4j
Description | Apache Log4j 1.2
Language | JAVA
Vulnerability | SQL Injection
Vulnerability description | JDBCAppender in Log4j is vulnerable to SQL injection attacks. An attacker is able to execute arbitrary SQL commands by entering crafted strings into input fields and headers where the values to be inserted are converters from PatternLayout.
CVE | 2022-23305
CVSS score | 6.8
Vulnerability present in version/s | 1.1.3-1.2.17
Found library version/s | 1.2.15
Vulnerability fixed in version |
Library latest version | 1.2.17
Fix | No fix is released. Users should upgrade to Log4j 2 or remove usage of the JDBCAppender from their configurations.

CVE: 2018-1288 found in Apache Kafka - Version: 0.9.0.1 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache Kafka
Description null
Language JAVA
Vulnerability Data Loss
Vulnerability description Apache Kafka is vulnerable to data loss. An authenticated malicious user can send a fetch request during data replication to perform Broker reserved actions, causing data to be lost.
CVE 2018-1288
CVSS score 5.5
Vulnerability present in version/s 0.9.0.0-0.10.2.1
Found library version/s 0.9.0.1
Vulnerability fixed in version 0.10.2.2
Library latest version 2.4.1.7.2.0.2-2
Fix

Links:

CVE: 0000-0000 found in Apache Kafka - Version: 0.9.0.1 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache Kafka
Description org.apache.kafka:kafka-clients
Language JAVA
Vulnerability Man-in-the-Middle (MitM) Attack Due To Insecure Defaults
Vulnerability description kafka-clients is vulnerable to man-in-the-middle attacks. The vulnerability is present because "ssl.endpoint.identification.algorithm" is set to null by default, not performing hostname verification.
CVE null
CVSS score 6.4
Vulnerability present in version/s 0.9.0.0-1.1.1
Found library version/s 0.9.0.1
Vulnerability fixed in version 2.0.0
Library latest version 3.3.1
Fix

Links:

CVE: 2021-29425 found in Apache Commons IO - Version: 2.4 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache Commons IO
Description The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Language JAVA
Vulnerability Directory Traversal
Vulnerability description commons-io is vulnerable to directory traversal. Invoking the method FilenameUtils.normalize with a malicious input string could allow access to files within the parent directory.
CVE 2021-29425
CVSS score 5.8
Vulnerability present in version/s 2.2-2.6
Found library version/s 2.4
Vulnerability fixed in version 2.7
Library latest version 2.11.0
Fix

Links:

CVE: 2015-4852 found in Apache Commons Collections - Version: 3.2.1 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache Commons Collections
Description Types that extend and augment the Java Collections Framework.
Language JAVA
Vulnerability Potential Remote Code Execution Via Java Object Deserialization
Vulnerability description Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It is not necessary to actually use InvokerTransformer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process.

The fix prevents deserialization of InvokerTransformer by default unless it's specifically enabled.

CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact.
CVE 2015-4852
CVSS score 7.5
Vulnerability present in version/s 3.0.0-3.2.1
Found library version/s 3.2.1
Vulnerability fixed in version 3.2.2
Library latest version 3.2.2
Fix

Links:

CVE: 2014-4715 found in LZ4 and xxHash - Version: 1.2.0 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library LZ4 and xxHash
Description Java ports and bindings of the LZ4 compression algorithm and the xxHash hashing algorithm
Language JAVA
Vulnerability Denial Of Service (DoS) Through Memory Corruption
Vulnerability description lz4 is vulnerable to Denial of Service (DoS) attacks. The vulnerability exists because integer overflows are not detected, which allows context-dependent attackers to corrupt memory.

Various ports of the native lz4 library, including net.jpountz.lz4:lz4, are affected when they are statically loading and using the affected, native, lz4 revision before r119.
CVE 2014-4715
CVSS score 5
Vulnerability present in version/s 1.2.0-1.2.0
Found library version/s 1.2.0
Vulnerability fixed in version 1.3.0
Library latest version 1.3.0
Fix

Links:

CVE: 0000-0000 found in OrientDB Core - Version: 2.1.9 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library OrientDB Core
Description OrientDB NoSQL document graph dbms
Language JAVA
Vulnerability Arbitrary File Write
Vulnerability description orientdb is vulnerable to arbitrary file write. The application does not properly validate the destination filepath during compressed file extraction, allowing a malicious user to overwrite files in the target directory.
CVE null
CVSS score 5
Vulnerability present in version/s 1.7-rc1-3.0.0RC2
Found library version/s 2.1.9
Vulnerability fixed in version 3.0.2
Library latest version 3.2.12
Fix

Links:

CVE: 2015-2156 found in Netty - Version: 3.7.0.Final [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Netty
Description The Netty project is an effort to provide an asynchronous event-driven network application framework and tools for rapid development of maintainable high performance and high scalability protocol serv
Language JAVA
Vulnerability Information Disclosure By Bypassing HttpOnly Flag On Cookies
Vulnerability description Netty before 3.9.8.Final does not validate cookie names and value characters. This allows attackers to bypass the httpOnly flag on cookies, thus permitting access to sensitive cookie data.
CVE 2015-2156
CVSS score 4.3
Vulnerability present in version/s 3.3.0.Final-3.9.7.Final
Found library version/s 3.7.0.Final
Vulnerability fixed in version 3.9.8.Final
Library latest version 4.0.0.Alpha8
Fix

Links:

CVE: 2021-4104 found in Apache Log4j - Version: 1.2.15 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache Log4j
Description Apache Log4j 1.2
Language JAVA
Vulnerability Deserialisation Of Untrusted Object
Vulnerability description JMSAppender in log4j is vulnerable to deserialization of untrusted objects. When an application is configured to use JMSAppender with the setting TopicBindingName or TopicConnectionFactoryBindingName set to something that JNDI can handle, for example "ldap://host:port/a", an attacker is able to execute code on the server, as in Log4j 2.x CVE-2021-44228. However, this vulnerability depends entirely on configuration. Note: This CVE is for Log4j 1.x; the corresponding flaw in Log4j 2.x is CVE-2021-44228.
CVE 2021-4104
CVSS score 6
Vulnerability present in version/s 1.1.3-1.2.17
Found library version/s 1.2.15
Vulnerability fixed in version
Library latest version 1.2.17
Fix log4j 1.x is End of Life. Its security vulnerabilities will not be fixed. Recommended to upgrade to the latest fix version of Log4j 2.

Links:

CVE: 2015-6420 found in Apache Commons Collections - Version: 3.2.1 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache Commons Collections
Description Types that extend and augment the Java Collections Framework.
Language JAVA
Vulnerability Arbitrary Code Execution
Vulnerability description Apache Commons Collections (ACC) library is vulnerable to arbitrary code execution. An application is exposed when it directly uses ACC, or has ACC on its classpath, allowing a malicious user to inject and execute arbitrary code upon deserialization.
CVE 2015-6420
CVSS score 7.5
Vulnerability present in version/s 3.2-3.2.1
Found library version/s 3.2.1
Vulnerability fixed in version 3.2.2
Library latest version 3.2.2
Fix

Links:

CVE: 2021-40690 found in Apache XML Security for Java - Version: 1.5.1 [JAVA]

Veracode Software Composition Analysis

Attribute Details
Library Apache XML Security for Java
Description Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver
Language JAVA
Vulnerability Bypass Of Secure Validation
Vulnerability description Apache Santuario is vulnerable to bypass of secure validation. Lack of secure handling of secureValidation property allows an attacker to abuse an XPath Transform and to extract any local .xml files in a RetrievalMethod element during the creation of a KeyInfo from a KeyInfoReference element.
CVE 2021-40690
CVSS score 5
Vulnerability present in version/s 1.4.5-2.1.6
Found library version/s 1.5.1
Vulnerability fixed in version 2.1.7
Library latest version 3.0.1
Fix

Links:
