liorzilberg / fs-agent Goto Github PK
View Code? Open in Web Editor NEWThis project forked from whitesource/fs-agent
File system agent for integration with WhiteSource service
License: Apache License 2.0
This project forked from whitesource/fs-agent
File system agent for integration with WhiteSource service
License: Apache License 2.0
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.
Publish Date: 2018-06-04
URL: CVE-2016-1000343
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@50a5306#diff-5578e61500abb2b87b300d3114bdfd7d
Release Date: 2016-11-02
Fix Resolution: Replace or update the following files: KeyPairGeneratorSpi.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-04
URL: CVE-2016-1000342
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@843c2e6#diff-25c3c78db788365f36839b3f2d3016b9
Release Date: 2016-10-14
Fix Resolution: Replace or update the following files: DSASigner.java, SignatureSpi.java, ASN1Enumerated.java, ECDSA5Test.java, MiscTest.java, DSATest.java, ASN1Integer.java
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
path: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Library home page: http://www.bouncycastle.org/java.html
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Publish Date: 2015-11-09
URL: CVE-2015-7940
Type: Change files
Origin: bcgit/bc-java@e25e94a
Release Date: 2014-07-25
Fix Resolution: Replace or update the following files: ECPoint.java, ECCurve.java
Step up your Open Source Security Game with WhiteSource here
A comprehensive library for mime-type mapping
path: C:\Users\lior.zilberg\AppData\Local\Temp\git\fs-agent\test_input\ksa\ksa-web-root\ksa-web\src\main\webapp\rs\bootstrap\node_modules\mime\package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.2.4.tgz
Dependency Hierarchy:
Affected version of mime (1.0.0 throw 1.4.0 and 2.0.0 throw 2.0.2), are vulnerable to regular expression denial of service.
Publish Date: 2017-09-26
URL: WS-2017-0330
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
path: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Library home page: http://www.bouncycastle.org/java.html
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
Publish Date: 2018-06-04
URL: CVE-2016-1000339
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@413b42f#diff-54656f860db94b867ba7542430cd2ef0
Release Date: 2016-10-31
Fix Resolution: Replace or update the following files: IESCipher.java, KeyFactorySpi.java, AESEngine.java, DHTest.java, AES.java, DHUtil.java, DHPublicKeyParameters.java, BCDHPublicKey.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode vulnerable to padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.
Publish Date: 2018-06-04
URL: CVE-2016-1000345
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@21dcb3d#diff-4439ce586bf9a13bfec05c0d113b8098
Release Date: 2016-08-26
Fix Resolution: Replace or update the following files: ECIESTest.java, IESCipher.java, BadBlockException.java, DHIESTest.java, IESEngine.java, IESCipher.java, CipherSpi.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
The Bouncy Castle Java library before 1.51 does not validate a point is withing the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."
Publish Date: 2015-11-09
URL: CVE-2015-7940
Type: Change files
Origin: bcgit/bc-java@e25e94a
Release Date: 2014-07-24
Fix Resolution: Replace or update the following files: ECPoint.java, ECCurve.java
Step up your Open Source Security Game with WhiteSource here
A comprehensive library for mime-type mapping
path: C:\Users\lior.zilberg\AppData\Local\Temp\git\fs-agent\test_input\ksa\ksa-web-root\ksa-web\src\main\webapp\rs\bootstrap\node_modules\mime\package.json
Library home page: http://registry.npmjs.org/mime/-/mime-1.2.4.tgz
Dependency Hierarchy:
The mime module is vulnerable to regular expression denial of service when a mime lookup is performed on untrusted user input.
Publish Date: 2018-06-07
URL: CVE-2017-16138
Base Score Metrics:
Type: Change files
Origin: broofa/mime@1df903f
Release Date: 2017-09-24
Fix Resolution: Replace or update the following file: Mime.js
Step up your Open Source Security Game with WhiteSource here
querystring parser
path: C:\Users\lior.zilberg\AppData\Local\Temp\git\fs-agent\test_input\ksa\ksa-web-root\ksa-web\src\main\webapp\rs\bootstrap\node_modules\qs\package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Dependency Hierarchy:
Denial-of-Service Extended Event Loop Blocking.The qs module does not have an option or default for specifying object depth and when parsing a string representing a deeply nested object will block the event loop for long periods of time
Publish Date: 2014-08-05
URL: WS-2014-0005
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_extended_event_loop_blocking
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
Step up your Open Source Security Game with WhiteSource here
null
path: pringframework/spring-web/4.3.1.RELEASE/spring-web-4.3.1.RELEASE.jar
Dependency Hierarchy:
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Publish Date: 2018-06-25
URL: CVE-2018-11039
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-11039
Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.7 4.3.x users should upgrade to 4.3.18 Older versions should upgrade to a supported branch There are no other mitigation steps necessary. This attack applies to applications that: Use the HiddenHttpMethodFilter (it is enabled by default in Spring Boot) Allow HTTP TRACE requests to be handled by the application server This attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST.
Step up your Open Source Security Game with WhiteSource here
a glob matcher in javascript
path: C:\Users\lior.zilberg\AppData\Local\Temp\git\fs-agent\test_input\ksa\ksa-web-root\ksa-web\src\main\webapp\rs\bootstrap\node_modules\minimatch\package.json
Library home page: http://registry.npmjs.org/minimatch/-/minimatch-0.0.5.tgz
Dependency Hierarchy:
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern
parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/118
Release Date: 2016-06-20
Fix Resolution: Update to version 3.0.2 or later.
Step up your Open Source Security Game with WhiteSource here
The most popular front-end framework for developing responsive, mobile first projects on the web.
path: /fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/js/bootstrap.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/2.1.0/bootstrap.js
Dependency Hierarchy:
Found in commit: 39df22d920b9e7c5ee1161e24bf8b651acfc1bc4
XSS in data-target in bootstrap (3.3.7 and before)
Publish Date: 2017-06-27
URL: WS-2018-0021
Type: Change files
Origin: twbs/bootstrap@d9be1da
Release Date: 2017-08-25
Fix Resolution: Replace or update the following files: alert.js, carousel.js, collapse.js, dropdown.js, modal.js
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\springframework\spring-core\4.3.1.RELEASE\spring-core-4.3.1.RELEASE.jar
Dependency Hierarchy:
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-1272
Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.5 4.3.x users should upgrade to 4.3.15 There are no other mitigation steps necessary.
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
path: C:\Users\lior.zilberg\.m2\repository\commons-collections\commons-collections\3.2.1\commons-collections-3.2.1.jar
Library home page: http://commons.apache.org/collections/
Dependency Hierarchy:
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
Step up your Open Source Security Game with WhiteSource here
JavaScript library for DOM operations
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Dependency Hierarchy:
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@05531fc
Release Date: 2012-12-12
Fix Resolution: Replace or update the following files: selector.js, traversing.js, core.js, sizzle, core.js
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.
Publish Date: 2018-06-04
URL: CVE-2016-1000346
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@1127131#diff-d525a20b8acaed791ae2f0f770eb5937
Release Date: 2016-10-28
Fix Resolution: Replace or update the following files: DHBasicAgreement.java, DHAgreement.java, KeyAgreementSpi.java, DHPublicKeyParameters.java, IESEngine.java
Step up your Open Source Security Game with WhiteSource here
Spring Web
path: 2/repository/org/springframework/spring-web/4.3.1.RELEASE/spring-web-4.3.1.RELEASE.jar
Library home page: https://github.com/spring-projects/spring-framework
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
Spring Framework (versions 5.0.x prior to 5.0.7, versions 4.3.x prior to 4.3.18, and older unsupported versions) allow web applications to change the HTTP request method to any HTTP method (including TRACE) using the HiddenHttpMethodFilter in Spring MVC. If an application has a pre-existing XSS vulnerability, a malicious user (or attacker) can use this filter to escalate to an XST (Cross Site Tracing) attack.
Publish Date: 2018-06-25
URL: CVE-2018-11039
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-11039
Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.7 4.3.x users should upgrade to 4.3.18 Older versions should upgrade to a supported branch There are no other mitigation steps necessary. This attack applies to applications that: Use the HiddenHttpMethodFilter (it is enabled by default in Spring Boot) Allow HTTP TRACE requests to be handled by the application server This attack is not exploitable directly because an attacker would have to make a cross-domain request via HTTP POST, which is forbidden by the Same Origin Policy. This is why a pre-existing XSS (Cross Site Scripting) vulnerability in the web application itself is necessary to enable an escalation to XST.
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
path: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Library home page: http://commons.apache.org/collections/
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501
Release Date: 2017-12-31
Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
path: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Library home page: http://www.bouncycastle.org/java.html
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@acaac81#diff-e75226a9ca49217a7276b29242ec59ce
Release Date: 2016-10-15
Fix Resolution: Replace or update the following files: DSATest.java, DSASigner.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000344
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@9385b0e
Release Date: 2016-08-26
Fix Resolution: Replace or update the following files: ECIESTest.java, IESUtil.java, AlgorithmParametersSpi.java, EC.java, IESCipher.java, ECIESVectorTest.java, IESParameterSpec.java, DHIESTest.java, DH.java, IESCipher.java
Step up your Open Source Security Game with WhiteSource here
The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.
path: /root/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar
Library home page: http://commons.apache.org/proper/commons-codec/
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-07
URL: WS-2009-0001
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.
Publish Date: 2018-06-04
URL: CVE-2016-1000339
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@413b42f#diff-54656f860db94b867ba7542430cd2ef0
Release Date: 2016-10-30
Fix Resolution: Replace or update the following files: IESCipher.java, KeyFactorySpi.java, AESEngine.java, DHTest.java, AES.java, DHUtil.java, DHPublicKeyParameters.java, BCDHPublicKey.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\commons-codec\commons-codec\1.10\commons-codec-1.10.jar
Dependency Hierarchy:
Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.
Updated 2018-10-07 - an additional review by WhiteSource research team could not indicate on a clear security vulnerability
Publish Date: 2007-10-06
URL: WS-2009-0001
Step up your Open Source Security Game with WhiteSource here
Spring Core
path: /root/.m2/repository/org/springframework/spring-core/4.3.1.RELEASE/spring-core-4.3.1.RELEASE.jar
Library home page: https://github.com/spring-projects/spring-framework
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-1272
Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.5 4.3.x users should upgrade to 4.3.15 There are no other mitigation steps necessary.
Step up your Open Source Security Game with WhiteSource here
High performance middleware framework
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Dependency Hierarchy:
The "methodOverride" middleware in Connect before 2.8.1 allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override". Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.
Publish Date: 2014-04-20
URL: CVE-2013-7371
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/3
Release Date: 2013-06-30
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-01
URL: CVE-2016-1000338
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0
Release Date: 2016-10-13
Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.
Publish Date: 2018-06-04
URL: CVE-2016-1000341
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@acaac81#diff-e75226a9ca49217a7276b29242ec59ce
Release Date: 2016-10-14
Fix Resolution: Replace or update the following files: DSATest.java, DSASigner.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
path: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Library home page: http://www.bouncycastle.org/java.html
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-04
URL: CVE-2016-1000342
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@843c2e6#diff-25c3c78db788365f36839b3f2d3016b9
Release Date: 2016-10-15
Fix Resolution: Replace or update the following files: DSASigner.java, SignatureSpi.java, ASN1Enumerated.java, ECDSA5Test.java, MiscTest.java, DSATest.java, ASN1Integer.java
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
path: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Library home page: http://www.bouncycastle.org/java.html
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.
Publish Date: 2018-06-01
URL: CVE-2016-1000338
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0
Release Date: 2016-10-14
Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
path: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Library home page: http://commons.apache.org/collections/
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
Step up your Open Source Security Game with WhiteSource here
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
path: C:\Users\lior.zilberg\.m2\repository\com\google\guava\guava\20.0\guava-20.0.jar
Library home page: https://github.com/google/guava/guava
Dependency Hierarchy:
Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.
Publish Date: 2018-04-26
URL: CVE-2018-10237
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
null
path: odehaus/plexus/plexus-archiver/3.4/plexus-archiver-3.4.jar
Dependency Hierarchy:
plexus-archiver prior to version 3.6.0 is vulnerable to path traversal issue in archive extraction.
Publish Date: 2018-06-26
URL: WS-2018-0137
Type: Change files
Origin: codehaus-plexus/plexus-archiver@f8f4233
Release Date: 2018-05-05
Fix Resolution: Replace or update the following files: AbstractUnArchiver.java, ZipUnArchiverTest.java, zip-slip.zip
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
path: C:\Users\lior.zilberg\.m2\repository\commons-collections\commons-collections\3.2.1\commons-collections-3.2.1.jar
Library home page: http://commons.apache.org/collections/
Dependency Hierarchy:
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2015-7501
Release Date: 2017-12-31
Fix Resolution: Upgrade to version apache-commons-collections 4.1, apache-commons-collections 3.2.2 or greater
Step up your Open Source Security Game with WhiteSource here
null
path: ingala/zip4j/zip4j/1.3.2/zip4j-1.3.2.jar
Dependency Hierarchy:
zip4j before 1.3.3 is vulnerable to directory traversal, allowing attackers to write to arbitrary files via a ../ (dot dot slash) in a Zip archive entry that is mishandled during extraction. This vulnerability is also known as 'Zip-Slip'.
Publish Date: 2018-07-25
URL: CVE-2018-1002202
Base Score Metrics:
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
path: C:\Users\lior.zilberg\.m2\repository\commons-collections\commons-collections\3.2.1\commons-collections-3.2.1.jar
Library home page: http://commons.apache.org/collections/
Dependency Hierarchy:
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
Step up your Open Source Security Game with WhiteSource here
High performance middleware framework
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Dependency Hierarchy:
The "methodOverride" middleware allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override".
Publish Date: 2013-06-30
URL: WS-2013-0004
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-06-30
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
Step up your Open Source Security Game with WhiteSource here
querystring parser
path: C:\Users\lior.zilberg\AppData\Local\Temp\git\fs-agent\test_input\ksa\ksa-web-root\ksa-web\src\main\webapp\rs\bootstrap\node_modules\qs\package.json
Library home page: http://registry.npmjs.org/qs/-/qs-0.4.2.tgz
Dependency Hierarchy:
The qs module before 1.0.0 in Node.js does not call the compact function for array data, which allows remote attackers to cause a denial of service (memory consumption) by using a large index value to create a sparse array.
Publish Date: 2014-10-19
URL: CVE-2014-7191
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/qs_dos_memory_exhaustion
Release Date: 2014-08-06
Fix Resolution: Update qs to version 1.0.0 or greater
Step up your Open Source Security Game with WhiteSource here
null
path: es-2/files-2.1/io.netty/netty-all/4.0.33.Final/119a52dd0818028dfe9ac92471ecebf3038f5cca/netty-all-4.0.33.Final.jar
Dependency Hierarchy:
handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).
Publish Date: 2017-04-13
URL: CVE-2016-4970
Base Score Metrics:
Type: Change files
Origin: netty/netty@bc8291c
Release Date: 2018-09-26
Fix Resolution: Replace or update the following file: OpenSslEngine.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Publish Date: 2018-06-04
URL: CVE-2016-1000340
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@7906420#diff-e5934feac8203ca0104ab291a3560a31
Release Date: 2016-11-28
Fix Resolution: Replace or update the following files: Nat160.java, Nat256.java, Nat192.java, SecP256R1FieldTest.java, Nat128.java, Nat224.java, SecP384R1FieldTest.java
Step up your Open Source Security Game with WhiteSource here
JavaScript library for DOM operations
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Dependency Hierarchy:
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Change files
Origin: jquery/jquery@f60729f
Release Date: 2015-10-11
Fix Resolution: Replace or update the following files: script.js, ajax.js
Step up your Open Source Security Game with WhiteSource here
High performance middleware framework
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Dependency Hierarchy:
Because the user post input was not checked, req.method could contain any kind of value. Because the req.method did not match any common method VERB, connect answered with a 404 page containing the "Cannot [method] [url]" content. The method was not properly encoded for output in the browser.
Publish Date: 2013-06-30
URL: WS-2013-0003
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-06-30
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
Step up your Open Source Security Game with WhiteSource here
The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.7.
path: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.50/bcprov-jdk15on-1.50.jar
Library home page: http://www.bouncycastle.org/java.html
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes have been fixed (org.bouncycastle.math.raw.Nat???). These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.
Publish Date: 2018-06-04
URL: CVE-2016-1000340
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@7906420#diff-e5934feac8203ca0104ab291a3560a31
Release Date: 2016-11-29
Fix Resolution: Replace or update the following files: Nat160.java, Nat256.java, Nat192.java, SecP256R1FieldTest.java, Nat128.java, Nat224.java, SecP384R1FieldTest.java
Step up your Open Source Security Game with WhiteSource here
Spring Web
path: 2/repository/org/springframework/spring-web/4.3.1.RELEASE/spring-web-4.3.1.RELEASE.jar
Library home page: https://github.com/spring-projects/spring-framework
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Publish Date: 2018-06-25
URL: CVE-2018-11040
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-11040
Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.7. 4.3.x users should upgrade to 4.3.18. Older versions should upgrade to a supported branch, or otherwise set MappingJacksonJsonView’s jsonpParameterNames property to an empty set. Applications that do require JSONP support will need to explicitly configure the jsonpParameterNames property of MappingJacksonJsonView following the upgrade. It is recommended that applications switch to using CORS instead of JSONP to enable cross-domain requests. JSONP support in the Spring Framework is deprecated as of 5.0.7 and 4.3.18 and will be removed in 5.1.
Step up your Open Source Security Game with WhiteSource here
null
path: pringframework/spring-web/4.3.1.RELEASE/spring-web-4.3.1.RELEASE.jar
Dependency Hierarchy:
Spring Framework, versions 5.0.x prior to 5.0.7 and 4.3.x prior to 4.3.18 and older unsupported versions, allows web applications to enable cross-domain requests via JSONP (JSON with Padding) through AbstractJsonpResponseBodyAdvice for REST controllers and MappingJackson2JsonView for browser requests. Both are not enabled by default in Spring Framework nor Spring Boot, however, when MappingJackson2JsonView is configured in an application, JSONP support is automatically ready to use through the "jsonp" and "callback" JSONP parameters, enabling cross-domain requests.
Publish Date: 2018-06-25
URL: CVE-2018-11040
Base Score Metrics:
Type: Upgrade version
Origin: https://pivotal.io/security/cve-2018-11040
Fix Resolution: Users of affected versions should apply the following mitigation: 5.0.x users should upgrade to 5.0.7. 4.3.x users should upgrade to 4.3.18. Older versions should upgrade to a supported branch, or otherwise set MappingJacksonJsonView’s jsonpParameterNames property to an empty set. Applications that do require JSONP support will need to explicitly configure the jsonpParameterNames property of MappingJacksonJsonView following the upgrade. It is recommended that applications switch to using CORS instead of JSONP to enable cross-domain requests. JSONP support in the Spring Framework is deprecated as of 5.0.7 and 4.3.18 and will be removed in 5.1.
Step up your Open Source Security Game with WhiteSource here
JavaScript library for DOM operations
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/jquery/jquery-1.7.2.min.js
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.7.2/jquery.min.js
Dependency Hierarchy:
In v2.2.4 and previous, a lowercasing logic was used on the attribute names and was removed in v3.0.0.
Because of this, boolean attributes whose names were not all lowercase cause infinite recursion, and will exceed the stack call limit.
Publish Date: 2017-04-14
URL: WS-2017-0195
Type: Change files
Origin: jquery/jquery@d12e13d
Release Date: 2016-05-28
Fix Resolution: Replace or update the following files: attr.js, attributes.js
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.
Publish Date: 2018-06-04
URL: CVE-2016-1000352
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@9385b0e
Release Date: 2016-08-26
Fix Resolution: Replace or update the following files: ECIESTest.java, IESUtil.java, AlgorithmParametersSpi.java, EC.java, IESCipher.java, ECIESVectorTest.java, IESParameterSpec.java, DHIESTest.java, DH.java, IESCipher.java
Step up your Open Source Security Game with WhiteSource here
null
path: C:\Users\lior.zilberg\.m2\repository\org\bouncycastle\bcprov-jdk15on\1.50\bcprov-jdk15on-1.50.jar
Dependency Hierarchy:
Legion of the Bouncy Castle Legion of the Bouncy Castle Java Cryptography APIs version prior to version 1.60 contains a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization that can result in Deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code.. This attack appear to be exploitable via A handcrafted private key can include references to unexpected classes which will be picked up from the class path for the executing application.. This vulnerability appears to have been fixed in 1.60 and later.
Publish Date: 2018-07-09
URL: CVE-2018-1000613
Base Score Metrics:
Type: Change files
Origin: bcgit/bc-java@4092ede#diff-2c06e2edef41db889ee14899e12bd574
Release Date: 2018-03-02
Fix Resolution: Replace or update the following files: XMSSMTPrivateKeyParameters.java, XMSSPrivateKeyParameters.java, BCXMSSMTPrivateKey.java, XMSSUtil.java, RainbowParameters.java, GF2nField.java, GMSSKeyPairGenerator.java, BCXMSSPrivateKey.java, XMSSMTPrivateKeyTest.java
Step up your Open Source Security Game with WhiteSource here
The Apache Log4j Implementation
path: es-2/files-2.1/org.apache.logging.log4j/log4j-core/2.6.1/2b557bf1023c3a3a0f7f200fafcd7641b89cbb83/log4j-core-2.6.1.jar
Library home page: http://logging.apache.org/log4j/2.x/log4j-core/
Dependency Hierarchy:
In Apache Log4j 2.x before 2.8.2, when using the TCP socket server or UDP socket server to receive serialized log events from another application, a specially crafted binary payload can be sent that, when deserialized, can execute arbitrary code.
Publish Date: 2017-04-17
URL: CVE-2017-5645
Base Score Metrics:
Type: Change files
Origin: jitsi/jitsi@7d66da6
Release Date: 2017-01-25
Fix Resolution: Replace or update the following file: OperationSetBasicInstantMessagingJabberImpl.java
Step up your Open Source Security Game with WhiteSource here
Types that extend and augment the Java Collections Framework.
path: /root/.m2/repository/commons-collections/commons-collections/3.2.1/commons-collections-3.2.1.jar
Library home page: http://commons.apache.org/collections/
Dependency Hierarchy:
Found in commit: 6e1c595a1d6fa46b27692f3c8aa708deb1bc3585
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
Step up your Open Source Security Game with WhiteSource here
High performance middleware framework
path: it/fs-agent/test_input/ksa/ksa-web-root/ksa-web/src/main/webapp/rs/bootstrap/node_modules/connect/package.json
Library home page: http://registry.npmjs.org/connect/-/connect-2.1.3.tgz
Dependency Hierarchy:
Connect is a stack of middleware that is executed in order in each request.
The "methodOverride" middleware allows the http post to override the method of the request with the value of the "_method" post key or with the header "x-http-method-override".
Publish Date: 2013-06-30
URL: CVE-2013-7370
Type: Upgrade version
Origin: https://nodesecurity.io/advisories/methodOverride_Middleware_Reflected_Cross-Site_Scripting
Release Date: 2013-06-30
Fix Resolution: Update to the newest version of Connect or disable methodOverride. It is not possible to avoid the vulnerability if you have enabled this middleware in the top of your stack.
Step up your Open Source Security Game with WhiteSource here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.