alfresco-data-model's Issues

CVE-2019-12086 (Medium) detected in jackson-databind-2.9.8.jar

CVE-2019-12086 - Medium Severity Vulnerability

Vulnerable Library - jackson-databind-2.9.8.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.9.8/jackson-databind-2.9.8.jar

Dependency Hierarchy:

  • tika-parsers-1.21.jar (Root Library)
    • jackson-databind-2.9.8.jar (Vulnerable Library)

Found in HEAD commit: 2ee7d65e4e3e438ced5f0e5bc514568aa8b26e57

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.x before 2.9.9. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint, the service has the mysql-connector-java jar (8.0.14 or earlier) in the classpath, and an attacker can host a crafted MySQL server reachable by the victim, an attacker can send a crafted JSON message that allows them to read arbitrary local files on the server. This occurs because of missing com.mysql.cj.jdbc.admin.MiniAdmin validation.

Publish Date: 2019-05-17

URL: CVE-2019-12086

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12086

Release Date: 2019-05-17

Fix Resolution: 2.9.9


Step up your Open Source Security Game with WhiteSource here

CVE-2018-5382 High Severity Vulnerability detected by WhiteSource

CVE-2018-5382 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

Bouncy Castle BKS version 1 keystore (BKS-V1) files use an HMAC that is only 16 bits long, which can allow an attacker to compromise the integrity of a BKS-V1 keystore. All BKS-V1 keystores are vulnerable. Bouncy Castle release 1.47 introduces BKS version 2, which uses a 160-bit MAC.

Publish Date: 2018-04-16

URL: CVE-2018-5382

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High

For more information on CVSS3 Scores, click here.

Suggested Fix

Type: Upgrade version

Origin: https://vulners.com/cert/VU:306792

Release Date: 2018-04-16

Fix Resolution: 1.4.7,1.6.0



WS-2016-0130 Low Severity Vulnerability detected by WhiteSource

WS-2016-0130 - Low Severity Vulnerability

Vulnerable Library - pdfbox-1.8.4.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: http://www.apache.org/pdfbox-parent/pdfbox/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/pdfbox/pdfbox/1.8.4/pdfbox-1.8.4.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • pdfbox-1.8.4.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

Affected versions of the package are vulnerable to Authentication Bypass.

Publish Date: 2016-08-03

URL: WS-2016-0130

CVSS 2 Score Details (3.1)

Base Score Metrics not available

Suggested Fix

Type: Change files

Origin: apache/pdfbox@f0c0fb1

Release Date: 2016-05-05

Fix Resolution: Replace or update the following file: StandardSecurityHandler.java



CVE-2018-1000613 (High) detected in bcprov-jdk15on-1.54.jar

CVE-2018-1000613 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in HEAD commit: 646b2c9dbbeef2587639cc1a7c32632535f330ff

Vulnerability Details

Legion of the Bouncy Castle Java Cryptography APIs 1.58 up to but not including 1.60 contain a CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') vulnerability in XMSS/XMSS^MT private key deserialization: deserializing an XMSS/XMSS^MT private key can result in the execution of unexpected code. The attack appears to be exploitable via a handcrafted private key, which can include references to unexpected classes that will be picked up from the class path of the executing application. This vulnerability appears to have been fixed in 1.60 and later.

Publish Date: 2018-07-09

URL: CVE-2018-1000613

CVSS 3 Score Details (9.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-1000613

Release Date: 2018-07-09

Fix Resolution: 1.60



CVE-2015-5211 High Severity Vulnerability detected by WhiteSource

CVE-2015-5211 - High Severity Vulnerability

Vulnerable Library - spring-web-3.2.14.RELEASE.jar

Spring Web

path: /root/.m2/repository/org/springframework/spring-web/3.2.14.RELEASE/spring-web-3.2.14.RELEASE.jar

Library home page: https://github.com/SpringSource/spring-framework

Dependency Hierarchy:

  • alfresco-core-7.9.jar (Root Library)
    • spring-surf-core-configservice-6.20.jar
      • spring-web-3.2.14.RELEASE.jar (Vulnerable Library)

Vulnerability Details

Under some situations, the Spring Framework 4.2.0 to 4.2.1, 4.0.0 to 4.1.7, 3.2.0 to 3.2.14 and older unsupported versions is vulnerable to a Reflected File Download (RFD) attack. The attack involves a malicious user crafting a URL with a batch script extension that results in the response being downloaded rather than rendered and also includes some input reflected in the response.

Publish Date: 2017-05-25

URL: CVE-2015-5211

CVSS 3 Score Details (8.6)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://pivotal.io/security/cve-2015-5211

Fix Resolution: Users of affected Spring Framework versions should upgrade as follows: For 3.2.x upgrade to 3.2.15+. For 4.0.x and 4.1.x upgrade to 4.1.8+. For 4.2.x upgrade to 4.2.2+. In the above mentioned versions Spring MVC checks if the URL contains a file extension prior to writing with an HttpMessageConverter, and if the extension is unknown a “Content-Disposition” response header is added to suggest the download filename “f.txt”. The list of “known” extensions by default includes the ones associated with the built-in HttpMessageConverter implementations as well as any additional extensions explicitly registered for content negotiation purposes. For 4.x the fix also includes URL checks for SockJS URLs and validation of the JSONP callback parameter in all areas where JSONP is supported.



CVE-2016-1000338 (High) detected in bcprov-jdk15on-1.54.jar

CVE-2016-1000338 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in HEAD commit: 646b2c9dbbeef2587639cc1a7c32632535f330ff

Vulnerability Details

In Bouncy Castle JCE Provider version 1.55 and earlier the DSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-01

URL: CVE-2016-1000338

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Change files

Origin: bcgit/bc-java@b0c3ce9#diff-3679f5a9d2b939d0d3ee1601a7774fb0

Release Date: 2016-10-14

Fix Resolution: Replace or update the following files: DSASigner.java, DSATest.java



CVE-2014-9527 Medium Severity Vulnerability detected by WhiteSource

CVE-2014-9527 - Medium Severity Vulnerability

Vulnerable Library - poi-scratchpad-3.10-FINAL.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-scratchpad/3.10-FINAL/poi-scratchpad-3.10-FINAL.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • poi-scratchpad-3.10-FINAL.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

HSLFSlideShow in Apache POI before 3.11 allows remote attackers to cause a denial of service (infinite loop and deadlock) via a crafted PPT file.

Publish Date: 2015-01-06

URL: CVE-2014-9527

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-9527

Release Date: 2015-01-06

Fix Resolution: REL_3_11_FINAL



CVE-2017-12626 High Severity Vulnerability detected by WhiteSource

CVE-2017-12626 - High Severity Vulnerability

Vulnerable Library - poi-scratchpad-3.10-FINAL.jar

Apache POI - Java API To Access Microsoft Format Files

Library home page: http://poi.apache.org/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-scratchpad/3.10-FINAL/poi-scratchpad-3.10-FINAL.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • poi-scratchpad-3.10-FINAL.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

Apache POI versions prior to release 3.17 are vulnerable to Denial of Service attacks: 1) infinite loops while parsing crafted WMF, EMF, MSG and macros (POI bugs 61338 and 61294), and 2) Out of Memory exceptions while parsing crafted DOC, PPT and XLS (POI bugs 52372 and 61295).

Publish Date: 2018-01-29

URL: CVE-2017-12626

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Change files

Origin: apache/poi@a07ed9e

Release Date: 2017-07-25

Fix Resolution: Replace or update the following files: HwmfPicture.java, TestHwmfParsing.java, 61338.wmf



CVE-2013-1624 Medium Severity Vulnerability detected by WhiteSource

CVE-2013-1624 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

The TLS implementation in the Bouncy Castle Java library before 1.48 and C# library before 1.8 does not properly consider timing side-channel attacks on a noncompliant MAC check operation during the processing of malformed CBC padding, which allows remote attackers to conduct distinguishing attacks and plaintext-recovery attacks via statistical analysis of timing data for crafted packets, a related issue to CVE-2013-0169.

Publish Date: 2013-02-08

URL: CVE-2013-1624

CVSS 2 Score Details (4.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2013-1624

Release Date: 2013-02-08

Fix Resolution: 1.48,1.8



CVE-2014-3529 Medium Severity Vulnerability detected by WhiteSource

CVE-2014-3529 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.10-FINAL.jar

Library home page: http://poi.apache.org/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-ooxml/3.10-FINAL/poi-ooxml-3.10-FINAL.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • poi-ooxml-3.10-FINAL.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

The OPC SAX setup in Apache POI before 3.10.1 allows remote attackers to read arbitrary files via an OpenXML file containing an XML external entity declaration in conjunction with an entity reference, related to an XML External Entity (XXE) issue.

Publish Date: 2014-09-04

URL: CVE-2014-3529

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3529

Release Date: 2014-09-04

Fix Resolution: 3.10.1



CVE-2018-10237 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-10237 - Medium Severity Vulnerability

Vulnerable Library - guava-17.0.jar

Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.

Guava has only one code dependency - javax.annotation, per the JSR-305 spec.

path: /root/.m2/repository/com/google/guava/guava/17.0/guava-17.0.jar

Library home page: http://code.google.com/p/guava-libraries/guava

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • cdm-4.5.5.jar
      • guava-17.0.jar (Vulnerable Library)

Vulnerability Details

Unbounded memory allocation in Google Guava 11.0 through 24.x before 24.1.1 allows remote attackers to conduct denial of service attacks against servers that depend on this library and deserialize attacker-provided data, because the AtomicDoubleArray class (when serialized with Java serialization) and the CompoundOrdering class (when serialized with GWT serialization) perform eager allocation without appropriate checks on what a client has sent and whether the data size is reasonable.

Publish Date: 2018-04-26

URL: CVE-2018-10237

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-10237

Release Date: 2018-04-26

Fix Resolution: 24.1.1



CVE-2016-1000352 High Severity Vulnerability detected by WhiteSource

CVE-2016-1000352 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the ECIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Publish Date: 2018-06-04

URL: CVE-2016-1000352

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000352

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2016-1000339 Medium Severity Vulnerability detected by WhiteSource

CVE-2016-1000339 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the primary engine class used for AES was AESFastEngine. Due to the highly table driven approach used in the algorithm it turns out that if the data channel on the CPU can be monitored the lookup table accesses are sufficient to leak information on the AES key being used. There was also a leak in AESEngine although it was substantially less. AESEngine has been modified to remove any signs of leakage (testing carried out on Intel X86-64) and is now the primary AES class for the BC JCE provider from 1.56. Use of AESFastEngine is now only recommended where otherwise deemed appropriate.

Publish Date: 2018-06-04

URL: CVE-2016-1000339

CVSS 3 Score Details (5.3)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000339

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2016-6812 Medium Severity Vulnerability detected by WhiteSource

CVE-2016-6812 - Medium Severity Vulnerability

Vulnerable Library - cxf-rt-transports-http-3.0.10.jar

Apache CXF Runtime HTTP Transport

Library home page: http://cxf.apache.org

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/cxf/cxf-rt-transports-http/3.0.10/cxf-rt-transports-http-3.0.10.jar

Dependency Hierarchy:

  • chemistry-opencmis-client-impl-1.0.0.jar (Root Library)
    • cxf-rt-transports-http-3.0.10.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

The HTTP transport module in Apache CXF prior to 3.0.12 and 3.1.x prior to 3.1.9 uses FormattedServiceListWriter to provide an HTML page which lists the names and absolute URL addresses of the available service endpoints. The module calculates the base URL using the current HttpServletRequest. The calculated base URL is used by FormattedServiceListWriter to build the service endpoint absolute URLs. If the unexpected matrix parameters have been injected into the request URL then these matrix parameters will find their way back to the client in the services list page which represents an XSS risk to the client.

Publish Date: 2017-08-10

URL: CVE-2016-6812

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-6812

Release Date: 2017-08-10

Fix Resolution: 3.0.12,3.1.9



CVE-2016-1000346 Low Severity Vulnerability detected by WhiteSource

CVE-2016-1000346 - Low Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the other party DH public key is not fully validated. This can cause issues as invalid keys can be used to reveal details about the other party's private key where static Diffie-Hellman is in use. As of release 1.56 the key parameters are checked on agreement calculation.

Publish Date: 2018-06-04

URL: CVE-2016-1000346

CVSS 3 Score Details (3.7)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000346

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2018-12418 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-12418 - Medium Severity Vulnerability

Vulnerable Library - junrar-0.7.jar

rar decompression library in plain java

path: /root/.m2/repository/com/github/junrar/junrar/0.7/junrar-0.7.jar

Library home page: https://github.com/junrar/junrar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • junrar-0.7.jar (Vulnerable Library)

Found in HEAD commit: 71f84047cacb504b7ef8818af514444b2ea4d36f

Vulnerability Details

Archive.java in Junrar before 1.0.1, as used in Apache Tika and other products, is affected by a denial of service vulnerability due to an infinite loop when handling corrupt RAR files.

Publish Date: 2018-06-14

URL: CVE-2018-12418

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-12418

Release Date: 2018-06-14

Fix Resolution: 1.0.1



CVE-2015-7940 Medium Severity Vulnerability detected by WhiteSource

CVE-2015-7940 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

The Bouncy Castle Java library before 1.51 does not validate that a point is within the elliptic curve, which makes it easier for remote attackers to obtain private keys via a series of crafted elliptic curve Diffie Hellman (ECDH) key exchanges, aka an "invalid curve attack."

Publish Date: 2015-11-09

URL: CVE-2015-7940

CVSS 2 Score Details (5.0)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-7940

Release Date: 2015-11-09

Fix Resolution: 1.51



CVE-2017-12624 Medium Severity Vulnerability detected by WhiteSource

CVE-2017-12624 - Medium Severity Vulnerability

Vulnerable Library - cxf-rt-frontend-jaxrs-3.0.16.jar

Apache CXF Runtime JAX-RS Frontend

Library home page: http://cxf.apache.org

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/cxf/cxf-rt-frontend-jaxrs/3.0.16/cxf-rt-frontend-jaxrs-3.0.16.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • cxf-rt-rs-client-3.0.16.jar
      • cxf-rt-frontend-jaxrs-3.0.16.jar (Vulnerable Library)

Found in HEAD commit: cbfe8041c3ecbbf176a5208a087cb87e8ad2504f

Vulnerability Details

Apache CXF supports sending and receiving attachments via either the JAX-WS or JAX-RS specifications. It is possible to craft a message attachment header that could lead to a Denial of Service (DoS) attack on a CXF web service provider. Both JAX-WS and JAX-RS services are vulnerable to this attack. From Apache CXF 3.2.1 and 3.1.14, message attachment headers that are greater than 300 characters will be rejected by default. This value is configurable via the property "attachment-max-header-size".

Publish Date: 2017-11-14

URL: CVE-2017-12624

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12624

Release Date: 2017-11-14

Fix Resolution: 3.2.1, 3.1.14



CVE-2014-3574 Medium Severity Vulnerability detected by WhiteSource

CVE-2014-3574 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.10-FINAL.jar

Library home page: http://poi.apache.org/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-ooxml/3.10-FINAL/poi-ooxml-3.10-FINAL.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • poi-ooxml-3.10-FINAL.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

Apache POI before 3.10.1 and 3.11.x before 3.11-beta2 allows remote attackers to cause a denial of service (CPU consumption and crash) via a crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Publish Date: 2014-09-04

URL: CVE-2014-3574

CVSS 2 Score Details (4.3)

Base Score Metrics not available

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2014-3574

Release Date: 2014-09-04

Fix Resolution: 3.10.1,3.11-beta2



WS-2009-0001 Low Severity Vulnerability detected by WhiteSource

WS-2009-0001 - Low Severity Vulnerability

Vulnerable Library - commons-codec-1.11.jar

The Apache Commons Codec package contains simple encoder and decoders for various formats such as Base64 and Hexadecimal. In addition to these widely used encoders and decoders, the codec package also maintains a collection of phonetic encoding utilities.

path: /root/.m2/repository/commons-codec/commons-codec/1.11/commons-codec-1.11.jar

Library home page: http://commons.apache.org/proper/commons-codec/

Dependency Hierarchy:

  • alfresco-core-7.9.jar (Root Library)
    • commons-codec-1.11.jar (Vulnerable Library)

Vulnerability Details

Not all "business" method implementations of public API in Apache Commons Codec 1.x are thread safe, which might disclose the wrong data or allow an attacker to change non-private fields.

Updated 2018-10-07 - an additional review by the WhiteSource research team could not indicate a clear security vulnerability.

Publish Date: 2007-10-07

URL: WS-2009-0001

CVSS 2 Score Details (0.0)

Base Score Metrics not available



CVE-2018-8039 High Severity Vulnerability detected by WhiteSource

CVE-2018-8039 - High Severity Vulnerability

Vulnerable Library - cxf-rt-transports-http-3.0.12.jar

Apache CXF Runtime HTTP Transport

path: /root/.m2/repository/org/apache/cxf/cxf-rt-transports-http/3.0.12/cxf-rt-transports-http-3.0.12.jar

Library home page: http://cxf.apache.org

Dependency Hierarchy:

  • chemistry-opencmis-client-impl-1.0.0.jar (Root Library)
    • cxf-rt-transports-http-3.0.12.jar (Vulnerable Library)

Found in HEAD commit: 71f84047cacb504b7ef8818af514444b2ea4d36f

Vulnerability Details

It is possible to configure Apache CXF to use the com.sun.net.ssl implementation via 'System.setProperty("java.protocol.handler.pkgs", "com.sun.net.ssl.internal.www.protocol");'. When this system property is set, CXF uses some reflection to try to make the HostnameVerifier work with the old com.sun.net.ssl.HostnameVerifier interface. However, the default HostnameVerifier implementation in CXF does not implement the method in this interface, and an exception is thrown. However, in Apache CXF prior to 3.2.5 and 3.1.16 the exception is caught in the reflection code and not properly propagated. What this means is that if you are using the com.sun.net.ssl stack with CXF, an error with TLS hostname verification will not be thrown, leaving a CXF client subject to man-in-the-middle attacks.

Publish Date: 2018-07-02

URL: CVE-2018-8039

CVSS 3 Score Details (8.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-8039

Release Date: 2018-02-06

Fix Resolution: 3.1.16,3.2.5



CVE-2016-1000344 High Severity Vulnerability detected by WhiteSource

CVE-2016-1000344 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES implementation allowed the use of ECB mode. This mode is regarded as unsafe and support for it has been removed from the provider.

Publish Date: 2018-06-04

URL: CVE-2016-1000344

CVSS 3 Score Details (7.4)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000344

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2018-8036 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-8036 - Medium Severity Vulnerability

Vulnerable Library - fontbox-1.8.4.jar

The Apache FontBox library is an open source Java tool to obtain low level information from font files. FontBox is a subproject of Apache PDFBox.

Library home page: http://pdfbox.apache.org/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/pdfbox/fontbox/1.8.4/fontbox-1.8.4.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • pdfbox-1.8.4.jar
      • fontbox-1.8.4.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

In Apache PDFBox 1.8.0 to 1.8.14 and 2.0.0RC1 to 2.0.10, a carefully crafted (or fuzzed) file can trigger an infinite loop which leads to an out of memory exception in Apache PDFBox's AFMParser.

Publish Date: 2018-07-03

URL: CVE-2018-8036

CVSS 3 Score Details (6.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Change files

Origin: apache/pdfbox@4cedf61

Release Date: 2018-06-21

Fix Resolution: Replace or update the following files: AFMParser.java, AFMParserTest.java



CVE-2016-1000343 (High) detected in bcprov-jdk15on-1.54.jar

CVE-2016-1000343 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in HEAD commit: 646b2c9dbbeef2587639cc1a7c32632535f330ff

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DSA key pair generator generates a weak private key if used with default values. If the JCA key pair generator is not explicitly initialised with DSA parameters, 1.55 and earlier generates a private value assuming a 1024 bit key size. In earlier releases this can be dealt with by explicitly passing parameters to the key pair generator.

Publish Date: 2018-06-04

URL: CVE-2016-1000343

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Change files

Origin: bcgit/bc-java@50a5306#diff-5578e61500abb2b87b300d3114bdfd7d

Release Date: 2016-11-03

Fix Resolution: Replace or update the following files: KeyPairGeneratorSpi.java, DSATest.java



CVE-2018-1272 High Severity Vulnerability detected by WhiteSource

CVE-2018-1272 - High Severity Vulnerability

Vulnerable Library - spring-core-5.0.4.RELEASE.jar

Spring Core

path: /root/.m2/repository/org/springframework/spring-core/5.0.4.RELEASE/spring-core-5.0.4.RELEASE.jar

Library home page: https://github.com/spring-projects/spring-framework

Dependency Hierarchy:

  • alfresco-core-7.5.1.jar (Root Library)
    • spring-orm-5.0.4.RELEASE.jar
      • spring-core-5.0.4.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 71f84047cacb504b7ef8818af514444b2ea4d36f

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1272

Release Date: 2018-04-06

Fix Resolution: v4.3.15.RELEASE,v5.0.5.RELEASE



CVE-2018-11797 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11797 - Medium Severity Vulnerability

Vulnerable Library - pdfbox-2.0.8.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

path: /root/.m2/repository/org/apache/pdfbox/pdfbox/2.0.8/pdfbox-2.0.8.jar

Library home page: http://www.apache.org/pdfbox-parent/pdfbox/

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • pdfbox-2.0.8.jar (Vulnerable Library)

Vulnerability Details

In Apache PDFBox 1.8.0 to 1.8.15 and 2.0.0RC1 to 2.0.11, a carefully crafted PDF file can trigger an extremely long running computation when parsing the page tree.

Publish Date: 2018-10-05

URL: CVE-2018-11797

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


CVE-2018-1324 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-1324 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.14.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, LZ4, Brotli and ar, cpio, jar, tar, zip, dump, 7z, arj.

path: /root/.m2/repository/org/apache/commons/commons-compress/1.14/commons-compress-1.14.jar

Library home page: http://commons.apache.org/proper/commons-compress/

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • commons-compress-1.14.jar (Vulnerable Library)

Vulnerability Details

A specially crafted ZIP archive can be used to cause an infinite loop inside of Apache Commons Compress' extra field parser used by the ZipFile and ZipArchiveInputStream classes in versions 1.11 to 1.15. This can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-03-16

URL: CVE-2018-1324

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1324

Release Date: 2018-03-16

Fix Resolution: 1.16



CVE-2018-11771 Medium Severity Vulnerability detected by WhiteSource

CVE-2018-11771 - Medium Severity Vulnerability

Vulnerable Library - commons-compress-1.14.jar

Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE, LZ4, Brotli and ar, cpio, jar, tar, zip, dump, 7z, arj.

path: /root/.m2/repository/org/apache/commons/commons-compress/1.14/commons-compress-1.14.jar

Library home page: http://commons.apache.org/proper/commons-compress/

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • commons-compress-1.14.jar (Vulnerable Library)

Vulnerability Details

When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.

Publish Date: 2018-08-16

URL: CVE-2018-11771

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: http://www.securitytracker.com/id/1041503

Fix Resolution: The vendor has issued a fix (1.18).

The vendor advisory is available at:

https://commons.apache.org/proper/commons-compress/security-reports.html#Apache_Commons_Compress_Security_Vulnerabilities



CVE-2015-6748 Medium Severity Vulnerability detected by WhiteSource

CVE-2015-6748 - Medium Severity Vulnerability

Vulnerable Library - jsoup-1.7.2.jar

jsoup HTML parser

path: /root/.m2/repository/org/jsoup/jsoup/1.7.2/jsoup-1.7.2.jar

Library home page: http://jsoup.org/

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • grib-4.5.5.jar
      • jsoup-1.7.2.jar (Vulnerable Library)

Found in HEAD commit: 71f84047cacb504b7ef8818af514444b2ea4d36f

Vulnerability Details

Cross-site scripting (XSS) vulnerability in jsoup before 1.8.3.

Publish Date: 2017-09-25

URL: CVE-2015-6748

CVSS 3 Score Details (6.1)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Changed
  • Impact Metrics:
    • Confidentiality Impact: Low
    • Integrity Impact: Low
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-6748

Release Date: 2017-09-25

Fix Resolution: 1.8.3



CVE-2016-2175 High Severity Vulnerability detected by WhiteSource

CVE-2016-2175 - High Severity Vulnerability

Vulnerable Library - pdfbox-1.8.4.jar

The Apache PDFBox library is an open source Java tool for working with PDF documents.

Library home page: http://www.apache.org/pdfbox-parent/pdfbox/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/pdfbox/pdfbox/1.8.4/pdfbox-1.8.4.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • pdfbox-1.8.4.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

Apache PDFBox before 1.8.12 and 2.x before 2.0.1 does not properly initialize the XML parsers, which allows context-dependent attackers to conduct XML External Entity (XXE) attacks via a crafted PDF.

Publish Date: 2016-06-01

URL: CVE-2016-2175

CVSS 3 Score Details (7.8)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: Low
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: High
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-2175

Release Date: 2016-06-01

Fix Resolution: 1.8.12,2.0.1



CVE-2016-1000345 Medium Severity Vulnerability detected by WhiteSource

CVE-2016-1000345 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier the DHIES/ECIES CBC mode is vulnerable to a padding oracle attack. For BC 1.55 and older, in an environment where timings can be easily observed, it is possible with enough observations to identify when the decryption is failing due to padding.

Publish Date: 2018-06-04

URL: CVE-2016-1000345

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000345

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2016-1000342 (High) detected in bcprov-jdk15-1.46.jar

CVE-2016-1000342 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.46.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.46/bcprov-jdk15-1.46.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.46.jar (Vulnerable Library)

Found in HEAD commit: f8b78fcc4299a4953a369727ed8f8da47bcf7f1c

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier ECDSA does not fully validate ASN.1 encoding of signature on verification. It is possible to inject extra elements in the sequence making up the signature and still have it validate, which in some cases may allow the introduction of 'invisible' data into a signed structure.

Publish Date: 2018-06-04

URL: CVE-2016-1000342

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000342

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2017-5644 Medium Severity Vulnerability detected by WhiteSource

CVE-2017-5644 - Medium Severity Vulnerability

Vulnerable Library - poi-ooxml-3.10-FINAL.jar


Library home page: http://poi.apache.org/

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/apache/poi/poi-ooxml/3.10-FINAL/poi-ooxml-3.10-FINAL.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • poi-ooxml-3.10-FINAL.jar (Vulnerable Library)

Found in HEAD commit: 961580dbee65395298d219c927dcbf4246ed115b

Vulnerability Details

Apache POI in versions prior to release 3.15 allows remote attackers to cause a denial of service (CPU consumption) via a specially crafted OOXML file, aka an XML Entity Expansion (XEE) attack.

Publish Date: 2017-03-24

URL: CVE-2017-5644

CVSS 3 Score Details (5.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Local
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: Required
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: None
    • Availability Impact: High


Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-5644

Release Date: 2019-04-08

Fix Resolution: 3.15



CVE-2016-1000341 Medium Severity Vulnerability detected by WhiteSource

CVE-2016-1000341 - Medium Severity Vulnerability

Vulnerable Library - bcprov-jdk15-1.45.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15/1.45/bcprov-jdk15-1.45.jar

Dependency Hierarchy:

  • tika-parsers-1.6-20160727-alfresco-patched.jar (Root Library)
    • bcprov-jdk15-1.45.jar (Vulnerable Library)

Found in HEAD commit: 8d47ee77da8722e03793aa0fd2117f9c959efc51

Vulnerability Details

In the Bouncy Castle JCE Provider version 1.55 and earlier DSA signature generation is vulnerable to timing attack. Where timings can be closely observed for the generation of signatures, the lack of blinding in 1.55, or earlier, may allow an attacker to gain information about the signature's k value and ultimately the private value as well.

Publish Date: 2018-06-04

URL: CVE-2016-1000341

CVSS 3 Score Details (5.9)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: High
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000341

Release Date: 2018-06-04

Fix Resolution: 1.56



CVE-2018-1000180 (High) detected in bcprov-jdk15on-1.54.jar

CVE-2018-1000180 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in HEAD commit: 646b2c9dbbeef2587639cc1a7c32632535f330ff

Vulnerability Details

Bouncy Castle BC 1.54 - 1.59, BC-FJA 1.0.0, BC-FJA 1.0.1 and earlier have a flaw in the Low-level interface to RSA key pair generator, specifically RSA Key Pairs generated in low-level API with added certainty may have less M-R tests than expected. This appears to be fixed in versions BC 1.60 beta 4 and later, BC-FJA 1.0.2 and later.

Publish Date: 2018-06-05

URL: CVE-2018-1000180

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: High
    • Integrity Impact: None
    • Availability Impact: None


Suggested Fix

Type: Change files

Origin: bcgit/bc-java@22467b6

Release Date: 2018-04-22

Fix Resolution: Replace or update the following file: RSAKeyPairGenerator.java



CVE-2016-1000340 (High) detected in bcprov-jdk15on-1.54.jar

CVE-2016-1000340 - High Severity Vulnerability

Vulnerable Library - bcprov-jdk15on-1.54.jar

The Bouncy Castle Crypto package is a Java implementation of cryptographic algorithms. This jar contains JCE provider and lightweight API for the Bouncy Castle Cryptography APIs for JDK 1.5 to JDK 1.8.

Library home page: http://www.bouncycastle.org/java.html

Path to dependency file: /alfresco-data-model/pom.xml

Path to vulnerable library: /root/.m2/repository/org/bouncycastle/bcprov-jdk15on/1.54/bcprov-jdk15on-1.54.jar

Dependency Hierarchy:

  • tika-parsers-1.17-20180201-alfresco-patched.jar (Root Library)
    • bcprov-jdk15on-1.54.jar (Vulnerable Library)

Found in HEAD commit: 646b2c9dbbeef2587639cc1a7c32632535f330ff

Vulnerability Details

In the Bouncy Castle JCE Provider versions 1.51 to 1.55, a carry propagation bug was introduced in the implementation of squaring for several raw math classes (org.bouncycastle.math.raw.Nat???); this has been fixed. These classes are used by our custom elliptic curve implementations (org.bouncycastle.math.ec.custom.**), so there was the possibility of rare (in general usage) spurious calculations for elliptic curve scalar multiplications. Such errors would have been detected with high probability by the output validation for our scalar multipliers.

Publish Date: 2018-06-04

URL: CVE-2016-1000340

CVSS 3 Score Details (7.5)

Base Score Metrics:

  • Exploitability Metrics:
    • Attack Vector: Network
    • Attack Complexity: Low
    • Privileges Required: None
    • User Interaction: None
    • Scope: Unchanged
  • Impact Metrics:
    • Confidentiality Impact: None
    • Integrity Impact: High
    • Availability Impact: None


Suggested Fix

Type: Change files

Origin: bcgit/bc-java@7906420#diff-e5934feac8203ca0104ab291a3560a31

Release Date: 2016-11-29

Fix Resolution: Replace or update the following files: Nat160.java, Nat256.java, Nat192.java, SecP256R1FieldTest.java, Nat128.java, Nat224.java, SecP384R1FieldTest.java

