killy85 / lepsisbot Goto Github PK

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

Xstream API versions up to 1.4.6 and version 1.4.10, if the security framework has not been initialized, may allow a remote attacker to run arbitrary shell commands by manipulating the processed input stream when unmarshaling XML or any supported format. e.g. JSON.

Publish Date: 2019-05-15

URL: CVE-2013-7285

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-7285

Release Date: 2019-05-15

Fix Resolution: 1.4.7,1.4.11

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker who has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21345

CVSS 3 Score Details (9.9)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hwpc-8xqv-jvj4

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream before version 1.4.14 is vulnerable to Remote Code Execution.The vulnerability may allow a remote attacker to run arbitrary shell commands only by manipulating the processed input stream. Only users who rely on blocklists are affected. Anyone using XStream's Security Framework allowlist is not affected. The linked advisory provides code workarounds for users who cannot upgrade. The issue is fixed in version 1.4.14.

Publish Date: 2020-11-16

URL: CVE-2020-26217

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-mw36-7c6c-q4q2

Release Date: 2020-11-16

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.14

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream through 1.4.9, when a certain denyTypes workaround is not used, mishandles attempts to create an instance of the primitive type 'void' during unmarshalling, leading to a remote application crash, as demonstrated by an xstream.fromXML("") call.

Publish Date: 2017-04-29

URL: CVE-2017-7957

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: http://x-stream.github.io/CVE-2017-7957.html

Release Date: 2017-04-29

Fix Resolution: 1.4.10

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21346

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-4hrm-m67v-5cxr

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21347

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-qpfq-ph7r-qv6f

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21349

CVSS 3 Score Details (8.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-f6hm-88x3-mfjv

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in a server-side forgery request. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21342

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-hvv8-336g-rx3m

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to occupy a thread that consumes maximum CPU time and will never return. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21348

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-56p8-3fh9-4cvq

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is vulnerable to a Remote Command Execution attack before version 1.4.17. The vulnerability may allow a remote attacker has sufficient rights to execute commands of the host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types.

Publish Date: 2021-03-31

URL: CVE-2021-29505

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-7chv-rrw6-w6fc

Release Date: 2021-03-31

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.17

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, a Server-Side Forgery Request vulnerability can be activated when unmarshalling. The vulnerability may allow a remote attacker to request data from internal resources that are not publicly available only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist if running Java 15 or higher. No user is affected who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Publish Date: 2020-12-16

URL: CVE-2020-26258

CVSS 3 Score Details (7.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-4cch-wxpw-8p28

Release Date: 2020-12-16

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21344

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-59jw-jqf4-3wq3

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.15, is vulnerable to an Arbitrary File Deletion on the local host when unmarshalling. The vulnerability may allow a remote attacker to delete arbitrary know files on the host as log as the executing process has sufficient rights only by manipulating the processed input stream. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.15. The reported vulnerability does not exist running Java 15 or higher. No user is affected, who followed the recommendation to setup XStream's Security Framework with a whitelist! Anyone relying on XStream's default blacklist can immediately switch to a whilelist for the allowed types to avoid the vulnerability. Users of XStream 1.4.14 or below who still want to use XStream default blacklist can use a workaround described in more detailed in the referenced advisories.

Publish Date: 2020-12-16

URL: CVE-2020-26259

CVSS 3 Score Details (6.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-jfvx-7wrx-43fh

Release Date: 2020-12-16

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.15

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • pogamut-base-3.7.0.jar
    • amis-utils-3.7.0.jar
      • ❌ commons-beanutils-1.8.3.jar (Vulnerable Library)

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 2 Score Details (7.5)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

Multiple XML external entity (XXE) vulnerabilities in the (1) Dom4JDriver, (2) DomDriver, (3) JDomDriver, (4) JDom2Driver, (5) SjsxpDriver, (6) StandardStaxDriver, and (7) WstxDriver drivers in XStream before 1.4.9 allow remote attackers to read arbitrary files via a crafted XML document.

Publish Date: 2016-05-17

URL: CVE-2016-3674

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3674

Release Date: 2016-05-17

Fix Resolution: 1.4.9

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability where the processed stream at unmarshalling time contains type information to recreate the formerly written objects. XStream creates therefore new instances based on these type information. An attacker can manipulate the processed input stream and replace or inject objects, that result in the deletion of a file on the local host. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21343

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-74cv-f58x-f9wf

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability which may allow a remote attacker to execute arbitrary code only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21350

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-43gc-mjxg-gvrq

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is vulnerability which may allow a remote attacker to allocate 100% CPU time on the target system depending on CPU type or parallel execution of such a payload resulting in a denial of service only by manipulating the processed input stream. No user is affected who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21341

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2p3x-qw9c-25hh

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16

Vulnerable Library - commons-beanutils-1.8.3.jar

BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/commons-beanutils/commons-beanutils/1.8.3/commons-beanutils-1.8.3.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • pogamut-base-3.7.0.jar
    • amis-utils-3.7.0.jar
      • ❌ commons-beanutils-1.8.3.jar (Vulnerable Library)

Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: victims/victims-cve-db@16a669c

Release Date: 2019-08-20

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4

Vulnerable Library - xstream-1.3.1.jar

Path to dependency file: /LepsisBot/UT2004AFIA/pom.xml

Path to vulnerable library: /root/.m2/repository/com/thoughtworks/xstream/xstream/1.3.1/xstream-1.3.1.jar

Dependency Hierarchy:

• pogamut-ut2004-3.7.0.jar (Root Library)
  • ❌ xstream-1.3.1.jar (Vulnerable Library)

Vulnerability Details

XStream is a Java library to serialize objects to XML and back again. In XStream before version 1.4.16, there is a vulnerability may allow a remote attacker to load and execute arbitrary code from a remote host only by manipulating the processed input stream. No user is affected, who followed the recommendation to setup XStream's security framework with a whitelist limited to the minimal required types. If you rely on XStream's default blacklist of the Security Framework, you will have to use at least version 1.4.16.

Publish Date: 2021-03-23

URL: CVE-2021-21351

CVSS 3 Score Details (9.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-hrcp-8f3q-4w2c

Release Date: 2021-03-23

Fix Resolution: com.thoughtworks.xstream:xstream:1.4.16