robotframework_gui_tests's Introduction

Hey! Nice to see you.

Welcome to my page!
I'm Yauheni, Tech Lead / SDET from Minsk, Belarus / Warsaw, Poland at , mentor and trainer-volunteer as well.

Evgeny Popovich | LinkedIn Yauheni Po | Telegram

  • 💬 Ask me about anything here

Download my CV 📃

Things I code with

Docker github actions git Selenium RobotFramework Jenkins JIRA Cucumber gradle maven

robotframework_gui_tests's People

Contributors

dependabot[bot], mend-bolt-for-github[bot], yauhenipo

robotframework_gui_tests's Issues

CVE-2015-2156 (High) detected in netty-all-4.0.21.Final.jar

CVE-2015-2156 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty before 3.9.8.Final, 3.10.x before 3.10.3.Final, 4.0.x before 4.0.28.Final, and 4.1.x before 4.1.0.Beta5 and Play Framework 2.x before 2.3.9 might allow remote attackers to bypass the httpOnly flag on cookies and obtain sensitive information by leveraging improper validation of cookie name and value characters.

Publish Date: 2017-10-18

URL: CVE-2015-2156

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-2156

Release Date: 2017-10-18

Fix Resolution: io.netty:netty:3.9.8.Final,io.netty:netty:3.10.3.Final,io.netty:netty-all:4.0.28.Final,io.netty:netty-codec-http:4.0.28.Final,io.netty:netty-codec-http:4.1.0.Beta5


Step up your Open Source Security Game with Mend here

CVE-2022-22965 (Critical) detected in spring-beans-5.1.0.RELEASE.jar

CVE-2022-22965 - Critical Severity Vulnerability

Vulnerable Library - spring-beans-5.1.0.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/5.1.0.RELEASE/spring-beans-5.1.0.RELEASE.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • spring-context-5.1.0.RELEASE.jar
        • ❌ spring-beans-5.1.0.RELEASE.jar (Vulnerable Library)

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Mend Note: Converted from WS-2022-0107, on 2022-11-07.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18


CVE-2021-28165 (High) detected in jetty-io-9.4.16.v20190411.jar

CVE-2021-28165 - High Severity Vulnerability

Vulnerable Library - jetty-io-9.4.16.v20190411.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-io/9.4.16.v20190411/jetty-io-9.4.16.v20190411.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • htmlunit-2.35.0.jar
        • websocket-client-9.4.16.v20190411.jar
          • ❌ jetty-io-9.4.16.v20190411.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In Eclipse Jetty 7.2.2 to 9.4.38, 10.0.0.alpha0 to 10.0.1, and 11.0.0.alpha0 to 11.0.1, CPU usage can reach 100% upon receiving a large invalid TLS frame.

Publish Date: 2021-04-01

URL: CVE-2021-28165

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-26vr-8j45-3r4w

Release Date: 2021-04-01

Fix Resolution: org.eclipse.jetty:jetty-io:9.4.39, org.eclipse.jetty:jetty-io:10.0.2, org.eclipse.jetty:jetty-io:11.0.2


CVE-2020-1945 (Medium) detected in ant-1.10.3.jar

CVE-2020-1945 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.3.jar

master POM

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.3/ant-1.10.3.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • cglib-3.2.8.jar
        • ❌ ant-1.10.3.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Apache Ant 1.1 to 1.9.14 and 1.10.0 to 1.10.7 uses the default temporary directory identified by the Java system property java.io.tmpdir for several tasks and may thus leak sensitive information. The fixcrlf and replaceregexp tasks also copy files from the temporary directory back into the build tree allowing an attacker to inject modified source files into the build process.

Publish Date: 2020-05-14

URL: CVE-2020-1945

CVSS 3 Score Details (6.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2020-05-14

Fix Resolution: org.apache.ant:ant:1.9.15,1.10.8


CVE-2021-45105 (Medium) detected in log4j-core-2.13.2.jar

CVE-2021-45105 - Medium Severity Vulnerability

Vulnerable Library - log4j-core-2.13.2.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.13.2/log4j-core-2.13.2.jar

Dependency Hierarchy:

  • ❌ log4j-core-2.13.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Apache Log4j2 versions 2.0-alpha1 through 2.16.0 (excluding 2.12.3 and 2.3.1) did not protect from uncontrolled recursion from self-referential lookups. This allows an attacker with control over Thread Context Map data to cause a denial of service when a crafted string is interpreted. This issue was fixed in Log4j 2.17.0, 2.12.3, and 2.3.1.

Publish Date: 2021-12-18

URL: CVE-2021-45105

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-18

Fix Resolution: 2.17.0


CVE-2022-25647 (High) detected in gson-2.8.5.jar

CVE-2022-25647 - High Severity Vulnerability

Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • ❌ gson-2.8.5.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.

Publish Date: 2022-05-01

URL: CVE-2022-25647

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647

Release Date: 2022-05-01

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0


CVE-2021-37137 (High) detected in netty-all-4.0.21.Final.jar

CVE-2021-37137 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The Snappy frame decoder function doesn't restrict the chunk length, which may lead to excessive memory usage. Besides this, it also may buffer reserved skippable chunks until the whole chunk has been received, which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.

Publish Date: 2021-10-19

URL: CVE-2021-37137

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: GHSA-9vjp-v76f-g363

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final


CVE-2019-9740 (Medium) detected in jython-standalone-2.7.0.jar

CVE-2019-9740 - Medium Severity Vulnerability

Vulnerable Library - jython-standalone-2.7.0.jar

Jython is an implementation of the high-level, dynamic, object-oriented language Python written in 100% Pure Java, and seamlessly integrated with the Java platform. It thus allows you to run Python on any Java platform.

Library home page: http://www.jython.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar

Dependency Hierarchy:

  • ❌ jython-standalone-2.7.0.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

An issue was discovered in urllib2 in Python 2.x through 2.7.16 and urllib in Python 3.x through 3.7.3. CRLF injection is possible if the attacker controls a url parameter, as demonstrated by the first argument to urllib.request.urlopen with \r\n (specifically in the query string after a ? character) followed by an HTTP header or a Redis command. This is fixed in: v2.7.17, v2.7.17rc1, v2.7.18, v2.7.18rc1; v3.5.10, v3.5.10rc1, v3.5.8, v3.5.8rc1, v3.5.8rc2, v3.5.9; v3.6.10, v3.6.10rc1, v3.6.11, v3.6.11rc1, v3.6.12, v3.6.9, v3.6.9rc1; v3.7.4, v3.7.4rc1, v3.7.4rc2, v3.7.5, v3.7.5rc1, v3.7.6, v3.7.6rc1, v3.7.7, v3.7.7rc1, v3.7.8, v3.7.8rc1, v3.7.9.

Publish Date: 2019-03-13

URL: CVE-2019-9740

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-9740

Release Date: 2019-03-13

Fix Resolution: 2.7.2b2


CVE-2021-43797 (Medium) detected in netty-all-4.0.21.Final.jar

CVE-2021-43797 - Medium Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. Netty prior to version 4.1.71.Final skips control chars when they are present at the beginning / end of the header name. It should instead fail fast, as these are not allowed by the spec and could lead to HTTP request smuggling. Failing to do the validation might cause Netty to "sanitize" header names before it forwards these to another remote system when used as a proxy. This remote system can't see the invalid usage anymore, and therefore does not do the validation itself. Users should upgrade to version 4.1.71.Final.
Mend Note: After conducting further research, Mend has determined that all versions of netty up to version 4.1.71.Final are vulnerable to CVE-2021-43797.

Publish Date: 2021-12-09

URL: CVE-2021-43797

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: CVE-2021-43797

Release Date: 2021-12-09

Fix Resolution: io.netty:netty-codec-http:4.1.71.Final,io.netty:netty-all:4.1.71.Final


CVE-2020-27223 (Medium) detected in jetty-http-9.4.16.v20190411.jar

CVE-2020-27223 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.16.v20190411.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.16.v20190411/jetty-http-9.4.16.v20190411.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • htmlunit-2.35.0.jar
        • websocket-client-9.4.16.v20190411.jar
          • jetty-client-9.4.16.v20190411.jar
            • ❌ jetty-http-9.4.16.v20190411.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In Eclipse Jetty 9.4.6.v20170531 to 9.4.36.v20210114 (inclusive), 10.0.0, and 11.0.0 when Jetty handles a request containing multiple Accept headers with a large number of "quality" (i.e. q) parameters, the server may enter a denial of service (DoS) state due to high CPU usage processing those quality values, resulting in minutes of CPU time exhausted processing those quality values.

Publish Date: 2021-02-26

URL: CVE-2020-27223

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: GHSA-m394-8rww-3jr7

Release Date: 2021-02-26

Fix Resolution: org.eclipse.jetty:jetty-http:9.4.37.v20210219, org.eclipse.jetty:jetty-http:10.0.1, org.eclipse.jetty:jetty-http:11.0.1


CVE-2019-12402 (High) detected in commons-compress-1.18.jar

CVE-2019-12402 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • jarchivelib-1.0.0.jar
      • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The file name encoding algorithm used internally in Apache Commons Compress 1.15 to 1.18 can get into an infinite loop when faced with specially crafted inputs. This can lead to a denial of service attack if an attacker can choose the file names inside of an archive created by Compress.

Publish Date: 2019-08-30

URL: CVE-2019-12402

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12402

Release Date: 2019-08-30

Fix Resolution (org.apache.commons:commons-compress): 1.19

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 4.2.1


CVE-2019-13116 (Critical) detected in commons-collections-3.2.jar

CVE-2019-13116 - Critical Severity Vulnerability

Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy:

  • javalib-core-1.2.1.jar (Root Library)
    • ❌ commons-collections-3.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.

Publish Date: 2019-10-16

URL: CVE-2019-13116

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116

Release Date: 2019-10-16

Fix Resolution (commons-collections:commons-collections): 3.2.2

Direct dependency fix Resolution (org.robotframework:javalib-core): 2.0.0


CVE-2020-11979 (High) detected in ant-1.10.3.jar

CVE-2020-11979 - High Severity Vulnerability

Vulnerable Library - ant-1.10.3.jar

master POM

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.3/ant-1.10.3.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • cglib-3.2.8.jar
        • ❌ ant-1.10.3.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.

Publish Date: 2020-10-01

URL: CVE-2020-11979

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2020-10-01

Fix Resolution: org.apache.ant:ant:1.10.9


CVE-2021-21409 (Medium) detected in netty-all-4.0.21.Final.jar

CVE-2021-21409 - Medium Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295, which missed fixing this one case. This was fixed as part of 4.1.61.Final.

Publish Date: 2021-03-30

URL: CVE-2021-21409

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: GHSA-f256-j965-7f32

Release Date: 2021-03-30

Fix Resolution: io.netty:netty-codec-http2:4.1.61.Final


CVE-2021-44832 (Medium) detected in log4j-core-2.13.2.jar

CVE-2021-44832 - Medium Severity Vulnerability

Vulnerable Library - log4j-core-2.13.2.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.13.2/log4j-core-2.13.2.jar

Dependency Hierarchy:

  • ❌ log4j-core-2.13.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Apache Log4j2 versions 2.0-beta7 through 2.17.0 (excluding security fix releases 2.3.2 and 2.12.4) are vulnerable to a remote code execution (RCE) attack when a configuration uses a JDBC Appender with a JNDI LDAP data source URI when an attacker has control of the target LDAP server. This issue is fixed by limiting JNDI data source names to the java protocol in Log4j2 versions 2.17.1, 2.12.4, and 2.3.2.

Publish Date: 2021-12-28

URL: CVE-2021-44832

CVSS 3 Score Details (6.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: High
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-28

Fix Resolution: 2.17.1


WS-2021-0419 (High) detected in gson-2.8.5.jar

WS-2021-0419 - High Severity Vulnerability

Vulnerable Library - gson-2.8.5.jar

Gson JSON library

Library home page: https://github.com/google/gson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.8.5/gson-2.8.5.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • ❌ gson-2.8.5.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

A Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.

Publish Date: 2021-10-11

URL: WS-2021-0419

CVSS 3 Score Details (7.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Release Date: 2021-10-11

Fix Resolution (com.google.code.gson:gson): 2.8.9

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.1.0


CVE-2014-0114 (High) detected in commons-beanutils-1.9.2.jar

CVE-2014-0114 - High Severity Vulnerability

Vulnerable Library - commons-beanutils-1.9.2.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • commons-validator-1.6.jar
        • ❌ commons-beanutils-1.9.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.

Publish Date: 2014-04-30

URL: CVE-2014-0114

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114

Release Date: 2014-04-30

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5


CVE-2017-15708 (Critical) detected in commons-collections-3.2.jar

CVE-2017-15708 - Critical Severity Vulnerability

Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy:

  • javalib-core-1.2.1.jar (Root Library)
    • ❌ commons-collections-3.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.

Publish Date: 2017-12-11

URL: CVE-2017-15708

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708

Release Date: 2017-12-10

Fix Resolution (commons-collections:commons-collections): 3.2.2

Direct dependency fix Resolution (org.robotframework:javalib-core): 2.0.0


CVE-2020-5529 (High) detected in htmlunit-2.35.0.jar

CVE-2020-5529 - High Severity Vulnerability

Vulnerable Library - htmlunit-2.35.0.jar

A headless browser intended for use in testing web-based applications.

Library home page: http://htmlunit.sourceforge.net

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/htmlunit/htmlunit/2.35.0/htmlunit-2.35.0.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • ❌ htmlunit-2.35.0.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

HtmlUnit prior to 2.37.0 contains code execution vulnerabilities. HtmlUnit initializes the Rhino engine improperly, hence malicious JavaScript code can execute arbitrary Java code on the application. Moreover, when embedded in an Android application, the Android-specific initialization of the Rhino engine is done in an improper way, hence malicious JavaScript code can execute arbitrary Java code on the application.

Publish Date: 2020-02-11

URL: CVE-2020-5529

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-11

Fix Resolution: net.sourceforge.htmlunit:htmlunit:2.37.0


CVE-2015-6420 (High) detected in commons-collections-3.2.jar

CVE-2015-6420 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy:

  • javalib-core-1.2.1.jar (Root Library)
    • ❌ commons-collections-3.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2015-12-15

URL: CVE-2015-6420

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2015-12-15

Fix Resolution (commons-collections:commons-collections): 3.2.2

Direct dependency fix Resolution (org.robotframework:javalib-core): 2.0.0


CVE-2021-21295 (Medium) detected in netty-all-4.0.21.Final.jar

CVE-2021-21295 - Medium Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest, HttpContent, etc.) via Http2StreamFrameToHttpObjectCodec and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1, this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is an HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec or Http2FrameCodec is used, Http2StreamFrameToHttpObjectCodec is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final. As a workaround, users can do the validation themselves by implementing a custom ChannelInboundHandler that is put in the ChannelPipeline behind Http2StreamFrameToHttpObjectCodec.

Publish Date: 2021-03-09

URL: CVE-2021-21295

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-wm47-8v5p-wjpj

Release Date: 2021-03-09

Fix Resolution: io.netty:netty-all:4.1.60;io.netty:netty-codec-http:4.1.60;io.netty:netty-codec-http2:4.1.60


CVE-2019-16869 (High) detected in netty-all-4.0.21.Final.jar

CVE-2019-16869 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty before 4.1.42.Final mishandles whitespace before the colon in HTTP headers (such as a "Transfer-Encoding : chunked" line), which leads to HTTP request smuggling.

Publish Date: 2019-09-26

URL: CVE-2019-16869

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16869

Release Date: 2019-09-26

Fix Resolution: io.netty:netty-all:4.1.42.Final,io.netty:netty-codec-http:4.1.42.Final


CVE-2021-36374 (Medium) detected in ant-1.10.3.jar

CVE-2021-36374 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.3.jar

master POM

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.3/ant-1.10.3.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • cglib-3.2.8.jar
        • ❌ ant-1.10.3.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

When reading a specially crafted ZIP archive, or a derived format, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are, for instance, JAR files and many office files. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36374

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://ant.apache.org/security.html

Release Date: 2021-07-14

Fix Resolution: org.apache.ant:ant:1.9.16,1.10.11


CVE-2019-10086 (High) detected in commons-beanutils-1.9.2.jar

CVE-2019-10086 - High Severity Vulnerability

Vulnerable Library - commons-beanutils-1.9.2.jar

Apache Commons BeanUtils provides an easy-to-use but flexible wrapper around reflection and introspection.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.9.2/commons-beanutils-1.9.2.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • commons-validator-1.6.jar
        • ❌ commons-beanutils-1.9.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. This was not, however, used by default by the PropertyUtilsBean.

Publish Date: 2019-08-20

URL: CVE-2019-10086

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Release Date: 2019-08-20

Fix Resolution: commons-beanutils:commons-beanutils:1.9.4


CVE-2021-35515 (High) detected in commons-compress-1.18.jar

CVE-2021-35515 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • jarchivelib-1.0.0.jar
      • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35515

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3


CVE-2020-15250 (Medium) detected in junit-4.10.jar

CVE-2020-15250 - Medium Severity Vulnerability

Vulnerable Library - junit-4.10.jar

JUnit is a regression testing framework written by Erich Gamma and Kent Beck. It is used by the developer who implements unit tests in Java.

Library home page: http://junit.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/junit/junit/4.10/junit-4.10.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • json-simple-1.1.1.jar
      • ❌ junit-4.10.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix-like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.

Publish Date: 2020-10-12

URL: CVE-2020-15250

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-269g-pwp5-87pp

Release Date: 2020-10-12

Fix Resolution: junit:junit:4.13.1


CVE-2021-45046 (Critical) detected in log4j-core-2.13.2.jar

CVE-2021-45046 - Critical Severity Vulnerability

Vulnerable Library - log4j-core-2.13.2.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.13.2/log4j-core-2.13.2.jar

Dependency Hierarchy:

  • ❌ log4j-core-2.13.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

It was found that the fix to address CVE-2021-44228 in Apache Log4j 2.15.0 was incomplete in certain non-default configurations. This could allow attackers with control over Thread Context Map (MDC) input data, when the logging configuration uses a non-default Pattern Layout with either a Context Lookup (for example, $${ctx:loginId}) or a Thread Context Map pattern (%X, %mdc, or %MDC), to craft malicious input data using a JNDI Lookup pattern, resulting in an information leak and remote code execution in some environments and local code execution in all environments. Log4j 2.16.0 (Java 8) and 2.12.2 (Java 7) fix this issue by removing support for message lookup patterns and disabling JNDI functionality by default.

Publish Date: 2021-12-14

URL: CVE-2021-45046

CVSS 3 Score Details (9.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-14

Fix Resolution: 2.16.0


WS-2020-0408 (High) detected in netty-all-4.0.21.Final.jar

WS-2020-0408 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

An issue was found in all versions of io.netty:netty-all. Host verification in Netty is disabled by default. This can lead to a MITM attack in which an attacker can forge valid SSL/TLS certificates for a different hostname in order to intercept traffic not intended for them. This is an issue because the certificate is not matched against the host.

Publish Date: 2020-06-22

URL: WS-2020-0408

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/WS-2020-0408

Release Date: 2020-06-22

Fix Resolution: io.netty:netty-all - 4.1.68.Final-redhat-00001,4.0.0.Final,4.1.67.Final-redhat-00002;io.netty:netty-handler - 4.1.68.Final-redhat-00001,4.1.67.Final-redhat-00001


CVE-2020-7238 (High) detected in netty-all-4.0.21.Final.jar

CVE-2020-7238 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty 4.1.43.Final allows HTTP Request Smuggling because it mishandles Transfer-Encoding whitespace (such as a [space]Transfer-Encoding:chunked line) and a later Content-Length header. This issue exists because of an incomplete fix for CVE-2019-16869.

Publish Date: 2020-01-27

URL: CVE-2020-7238

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-27

Fix Resolution: io.netty:netty-all:4.1.44.Final;io.netty:netty-codec-http:4.1.44.Final


CVE-2021-36373 (Medium) detected in ant-1.10.3.jar

CVE-2021-36373 - Medium Severity Vulnerability

Vulnerable Library - ant-1.10.3.jar

master POM

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/ant/ant/1.10.3/ant-1.10.3.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • cglib-3.2.8.jar
        • ❌ ant-1.10.3.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

When reading a specially crafted TAR archive, an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant versions prior to 1.9.16 and 1.10.11 were affected.

Publish Date: 2021-07-14

URL: CVE-2021-36373

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373

Release Date: 2021-07-14

Fix Resolution: org.apache.ant:ant:1.9.16,1.10.11


CVE-2021-28169 (Medium) detected in jetty-http-9.4.16.v20190411.jar

CVE-2021-28169 - Medium Severity Vulnerability

Vulnerable Library - jetty-http-9.4.16.v20190411.jar

The Eclipse Jetty Project

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.16.v20190411/jetty-http-9.4.16.v20190411.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • htmlunit-2.35.0.jar
        • websocket-client-9.4.16.v20190411.jar
          • jetty-client-9.4.16.v20190411.jar
            • ❌ jetty-http-9.4.16.v20190411.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

For Eclipse Jetty versions <= 9.4.40, <= 10.0.2, <= 11.0.2, it is possible for requests to the ConcatServlet with a doubly encoded path to access protected resources within the WEB-INF directory. For example, a request to /concat?/%2557EB-INF/web.xml can retrieve the web.xml file. This can reveal sensitive information regarding the implementation of a web application.

Publish Date: 2021-06-09

URL: CVE-2021-28169

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gwcr-j4wh-j3cq

Release Date: 2021-06-09

Fix Resolution: org.eclipse.jetty:jetty-runner:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-http:9.4.41.v20210516, 10.0.3, 11.0.3,org.eclipse.jetty:jetty-servlets:9.4.41.v20210516, 10.0.3, 11.0.3, org.eclipse.jetty:jetty-server:9.4.41.v20210516, 10.0.3, 11.0.3


CVE-2020-8908 (Low) detected in guava-25.0-jre.jar

CVE-2020-8908 - Low Severity Vulnerability

Vulnerable Library - guava-25.0-jre.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Library home page: https://github.com/google/guava

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/25.0-jre/guava-25.0-jre.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selenium-server-3.141.59.jar
      • ❌ guava-25.0-jre.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.

Publish Date: 2020-12-10

URL: CVE-2020-8908

CVSS 3 Score Details (3.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908

Release Date: 2020-12-10

Fix Resolution: v30.0


CVE-2021-21290 (Medium) detected in netty-all-4.0.21.Final.jar

CVE-2021-21290 - Medium Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used, local information disclosure can occur via the local system temporary directory if temporarily storing uploads on the disk is enabled. On Unix-like systems, the temporary directory is shared between all users. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern macOS operating systems. The method "File.createTempFile" on Unix-like systems creates a random file, but by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData", which is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify their own "java.io.tmpdir" when starting the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.

Publish Date: 2021-02-08

URL: CVE-2021-21290

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-5mcr-gq6c-3hq2

Release Date: 2021-02-08

Fix Resolution: io.netty:netty-codec-http:4.1.59.Final


CVE-2021-35517 (High) detected in commons-compress-1.18.jar

CVE-2021-35517 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • jarchivelib-1.0.0.jar
      • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.

Publish Date: 2021-07-13

URL: CVE-2021-35517

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3


CVE-2017-18640 (High) detected in snakeyaml-1.19.jar

CVE-2017-18640 - High Severity Vulnerability

Vulnerable Library - snakeyaml-1.19.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.19/snakeyaml-1.19.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selenium-server-3.141.59.jar
      • ❌ snakeyaml-1.19.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution: org.yaml:snakeyaml:1.26


CVE-2021-35516 (High) detected in commons-compress-1.18.jar

CVE-2021-35516 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • jarchivelib-1.0.0.jar
      • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.

Publish Date: 2021-07-13

URL: CVE-2021-35516

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3


CVE-2016-4970 (High) detected in netty-all-4.0.21.Final.jar

CVE-2016-4970 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite loop).

Publish Date: 2017-04-13

URL: CVE-2016-4970

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4970

Release Date: 2017-04-13

Fix Resolution: io.netty:netty-all:4.0.37.Final,4.1.1.Final,io.netty:netty-handler:4.0.37.Final,4.1.1.Final


CVE-2019-20444 (Critical) detected in netty-all-4.0.21.Final.jar

CVE-2019-20444 - Critical Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."

Publish Date: 2020-01-29

URL: CVE-2019-20444

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-all:4.1.44.Final


CVE-2021-36090 (High) detected in commons-compress-1.18.jar

CVE-2021-36090 - High Severity Vulnerability

Vulnerable Library - commons-compress-1.18.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, DEFLATE64, LZ4, Brotli, Zstandard and ar, cpio, jar, tar, zip, dump, 7z, arj.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-compress/1.18/commons-compress-1.18.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • jarchivelib-1.0.0.jar
      • ❌ commons-compress-1.18.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2021-07-13

URL: CVE-2021-36090

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://commons.apache.org/proper/commons-compress/security-reports.html

Release Date: 2021-07-13

Fix Resolution (org.apache.commons:commons-compress): 1.21

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 5.0.3


WS-2019-0379 (Medium) detected in commons-codec-1.10.jar

WS-2019-0379 - Medium Severity Vulnerability

Vulnerable Library - commons-codec-1.10.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-codec/commons-codec/1.10/commons-codec-1.10.jar

Dependency Hierarchy:

  • webdrivermanager-3.4.0.jar (Root Library)
    • httpclient-4.5.6.jar
      • ❌ commons-codec-1.10.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to improper input validation.

Publish Date: 2019-05-20

URL: WS-2019-0379

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2019-05-20

Fix Resolution (commons-codec:commons-codec): 1.13

Direct dependency fix Resolution (io.github.bonigarcia:webdrivermanager): 4.0.0


CVE-2016-4000 (Critical) detected in jython-standalone-2.7.0.jar, jython-2.7.0.jar

CVE-2016-4000 - Critical Severity Vulnerability

Vulnerable Libraries - jython-standalone-2.7.0.jar, jython-2.7.0.jar

jython-standalone-2.7.0.jar

Jython is an implementation of the high-level, dynamic, object-oriented language Python written in 100% Pure Java, and seamlessly integrated with the Java platform. It thus allows you to run Python on any Java platform.

Library home page: http://www.jython.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/python/jython-standalone/2.7.0/jython-standalone-2.7.0.jar

Dependency Hierarchy:

  • ❌ jython-standalone-2.7.0.jar (Vulnerable Library)

jython-2.7.0.jar

Jython is an implementation of the high-level, dynamic, object-oriented language Python written in 100% Pure Java, and seamlessly integrated with the Java platform. It thus allows you to run Python on any Java platform.

Library home page: http://www.jython.org/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/python/jython/2.7.0/jython-2.7.0.jar

Dependency Hierarchy:

  • ❌ jython-2.7.0.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Found in base branch: develop

Vulnerability Details

Jython before 2.7.1rc1 allows attackers to execute arbitrary code via a crafted serialized PyFunction object.

Publish Date: 2017-07-06

URL: CVE-2016-4000

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-4000

Release Date: 2017-07-06

Fix Resolution: 2.7.1


CVE-2022-23437 (Medium) detected in xercesImpl-2.12.0.jar

CVE-2022-23437 - Medium Severity Vulnerability

Vulnerable Library - xercesImpl-2.12.0.jar

Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.

The Apache Xerces2 parser is the reference implementation of XNI but other parser components, configurations, and parsers can be written using the Xerces Native Interface. For complete design and implementation documents, refer to the XNI Manual.

Xerces2 is a fully conforming XML Schema 1.0 processor. A partial experimental implementation of the XML Schema 1.1 Structures and Datatypes Working Drafts (December 2009) and an experimental implementation of the XML Schema Definition Language (XSD): Component Designators (SCD) Candidate Recommendation (January 2010) are provided for evaluation. For more information, refer to the XML Schema page.

Xerces2 also provides a complete implementation of the Document Object Model Level 3 Core and Load/Save W3C Recommendations and provides a complete implementation of the XML Inclusions (XInclude) W3C Recommendation. It also provides support for OASIS XML Catalogs v1.1.

Xerces2 is able to parse documents written according to the XML 1.1 Recommendation, except that it does not yet provide an option to enable normalization checking as described in section 2.13 of this specification. It also handles namespaces according to the XML Namespaces 1.1 Recommendation, and will correctly serialize XML 1.1 documents if the DOM level 3 load/save APIs are in use.

Library home page: https://xerces.apache.org/xerces2-j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.12.0/xercesImpl-2.12.0.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • htmlunit-2.35.0.jar
        • neko-htmlunit-2.35.0.jar
          • ❌ xercesImpl-2.12.0.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

There is a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes the XercesJ XML parser to wait in an infinite loop, which may consume system resources for a prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and previous versions.

Publish Date: 2022-01-24

URL: CVE-2022-23437

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-h65f-jvqw-m9fj

Release Date: 2022-01-24

Fix Resolution: xerces:xercesImpl:2.12.2


CVE-2015-7501 (Critical) detected in commons-collections-3.2.jar

CVE-2015-7501 - Critical Severity Vulnerability

Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy:

  • javalib-core-1.2.1.jar (Root Library)
    • ❌ commons-collections-3.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.

Publish Date: 2017-11-09

URL: CVE-2015-7501

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330

Release Date: 2017-11-09

Fix Resolution (commons-collections:commons-collections): 3.2.2

Direct dependency fix Resolution (org.robotframework:javalib-core): 2.0.0


CVE-2019-20445 (Critical) detected in netty-all-4.0.21.Final.jar

CVE-2019-20445 - Critical Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.

Publish Date: 2020-01-29

URL: CVE-2019-20445

CVSS 3 Score Details (9.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445

Release Date: 2020-01-29

Fix Resolution: io.netty:netty-codec-http:4.1.44


CVE-2021-37136 (High) detected in netty-all-4.0.21.Final.jar

CVE-2021-37136 - High Severity Vulnerability

Vulnerable Library - netty-all-4.0.21.Final.jar

Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.

Library home page: http://netty.io/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/io/netty/netty-all/4.0.21.Final/netty-all-4.0.21.Final.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • selendroid-client-0.17.0.jar
      • selendroid-server-common-0.17.0.jar
        • ❌ netty-all-4.0.21.Final.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. Malicious input can trigger an OOME and so a DoS attack.

Publish Date: 2021-10-19

URL: CVE-2021-37136

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-grg4-wf29-r9vv

Release Date: 2021-10-19

Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final


CVE-2015-4852 (High) detected in commons-collections-3.2.jar

CVE-2015-4852 - High Severity Vulnerability

Vulnerable Library - commons-collections-3.2.jar

Types that extend and augment the Java Collections Framework.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar

Dependency Hierarchy:

  • javalib-core-1.2.1.jar (Root Library)
    • ❌ commons-collections-3.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.

Publish Date: 2015-11-18

URL: CVE-2015-4852

CVSS 3 Score Details (7.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19

Release Date: 2015-11-18

Fix Resolution (commons-collections:commons-collections): 3.2.2

Direct dependency fix Resolution (org.robotframework:javalib-core): 2.0.0


CVE-2021-22096 (Medium) detected in spring-core-5.1.0.RELEASE.jar

CVE-2021-22096 - Medium Severity Vulnerability

Vulnerable Library - spring-core-5.1.0.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/5.1.0.RELEASE/spring-core-5.1.0.RELEASE.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • java-client-7.0.0.jar
      • spring-context-5.1.0.RELEASE.jar
        • ❌ spring-core-5.1.0.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: Low
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution: org.springframework:spring-core:5.2.18.RELEASE,5.3.12;org.springframework:spring-web:5.2.18.RELEASE,5.3.12;org.springframework:spring-webmvc:5.2.18.RELEASE,5.3.12;org.springframework:spring-webflux:5.2.18.RELEASE,5.3.12


CVE-2022-29546 (High) detected in neko-htmlunit-2.35.0.jar

CVE-2022-29546 - High Severity Vulnerability

Vulnerable Library - neko-htmlunit-2.35.0.jar

HtmlUnit adaptation of NekoHtml. It has the same functionality but exposing HTMLElements to be overridden.

Library home page: http://htmlunit.sourceforge.net

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/htmlunit/neko-htmlunit/2.35.0/neko-htmlunit-2.35.0.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • htmlunit-2.35.0.jar
        • ❌ neko-htmlunit-2.35.0.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

HtmlUnit NekoHtml Parser before 2.61.0 suffers from a denial of service vulnerability. Crafted input associated with the parsing of Processing Instruction (PI) data leads to heap memory consumption. This is similar to CVE-2022-28366 but affects a much later version of the product.

Publish Date: 2022-04-25

URL: CVE-2022-29546

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-04-25

Fix Resolution: net.sourceforge.htmlunit:neko-htmlunit:2.61.0


CVE-2021-44228 (Critical) detected in log4j-core-2.13.2.jar

CVE-2021-44228 - Critical Severity Vulnerability

Vulnerable Library - log4j-core-2.13.2.jar

The Apache Log4j Implementation

Library home page: https://logging.apache.org/log4j/2.x/

Path to dependency file: /pom.xml

Path to vulnerable library: /canner/.m2/repository/org/apache/logging/log4j/log4j-core/2.13.2/log4j-core-2.13.2.jar

Dependency Hierarchy:

  • ❌ log4j-core-2.13.2.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

Apache Log4j2 2.0-beta9 through 2.15.0 (excluding security releases 2.12.2, 2.12.3, and 2.3.1) JNDI features used in configuration, log messages, and parameters do not protect against attacker controlled LDAP and other JNDI related endpoints. An attacker who can control log messages or log message parameters can execute arbitrary code loaded from LDAP servers when message lookup substitution is enabled. From log4j 2.15.0, this behavior has been disabled by default. From version 2.16.0 (along with 2.12.2, 2.12.3, and 2.3.1), this functionality has been completely removed. Note that this vulnerability is specific to log4j-core and does not affect log4net, log4cxx, or other Apache Logging Services projects.

Publish Date: 2021-12-10

URL: CVE-2021-44228

CVSS 3 Score Details (10.0)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://logging.apache.org/log4j/2.x/security.html

Release Date: 2021-12-10

Fix Resolution: 2.15.0


CVE-2019-10246 (Medium) detected in jetty-util-9.4.16.v20190411.jar

CVE-2019-10246 - Medium Severity Vulnerability

Vulnerable Library - jetty-util-9.4.16.v20190411.jar

Utility classes for Jetty

Library home page: http://www.eclipse.org/jetty

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-util/9.4.16.v20190411/jetty-util-9.4.16.v20190411.jar

Dependency Hierarchy:

  • robotframework-seleniumlibrary-3.141.59.26535.jar (Root Library)
    • htmlunit-driver-2.35.1.jar
      • htmlunit-2.35.0.jar
        • websocket-client-9.4.16.v20190411.jar
          • ❌ jetty-util-9.4.16.v20190411.jar (Vulnerable Library)

Found in HEAD commit: 7d69c95a5145433319eabeefd4d4e15fc385b776

Vulnerability Details

In Eclipse Jetty version 9.2.27, 9.3.26, and 9.4.16, the server running on Windows is vulnerable to exposure of the fully qualified Base Resource directory name on Windows to a remote client when it is configured for showing a Listing of directory contents. This information reveal is restricted to only the content in the configured base resource directories.

Publish Date: 2019-04-22

URL: CVE-2019-10246

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10246

Release Date: 2019-04-22

Fix Resolution: jetty-9.3.27.v20190418,jetty-9.4.17.v20190418,jetty-9.2.28.v20190418

