thomasleplus / cafebab Goto Github PK
View Code? Open in Web Editor NEWArduino project to detect usage of a table football.
License: Apache License 2.0
Arduino project to detect usage of a table football.
License: Apache License 2.0
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Step up your Open Source Security Game with Mend here
Path to vulnerable library: /babduino/lib/xbee-api-0.9/lib/log4j.jar
Dependency Hierarchy:
Found in base branch: master
Log4j versions prior to 2.15.0 are subject to a remote code execution vulnerability via the ldap JNDI parser.
Publish Date: 2021-11-27
URL: CVE-2021-44228
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jfh8-c2jp-5v3q
Release Date: 2021-12-10
Fix Resolution: org.apache.logging.log4j:log4j-core:2.15.0
Step up your Open Source Security Game with WhiteSource here
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Step up your Open Source Security Game with Mend here
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
Step up your Open Source Security Game with Mend here
This issue was automatically created by Allstar.
Security Policy Violation
Project is out of compliance with Binary Artifacts policy: binaries present in source code
Rule Description
Binary Artifacts are an increased security risk in your repository. Binary artifacts cannot be reviewed, allowing the introduction of possibly obsolete or maliciously subverted executables. For more information see the Security Scorecards Documentation for Binary Artifacts.
Remediation Steps
To remediate, remove the generated executable artifacts from the repository.
Artifacts Found
Additional Information
This policy is drawn from Security Scorecards, which is a tool that scores a project's adherence to security best practices. You may wish to run a Scorecards scan directly on this repository for more details.
This issue will auto resolve when the policy is in compliance.
Issue created by Allstar. See https://github.com/ossf/allstar/ for more information. For questions specific to the repository, please contact the owner or maintainer.
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
Step up your Open Source Security Game with Mend here
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
Step up your Open Source Security Game with Mend here
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Step up your Open Source Security Game with Mend here
Apache Log4j 1.2
Path to dependency file: /babduino/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar
Dependency Hierarchy:
Found in HEAD commit: ba93135ea66939caa5667e6f6d987f588407ed37
Found in base branch: master
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
Step up your Open Source Security Game with Mend here
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.