harrinry / bazel Goto Github PK
View Code? Open in Web Editor NEWThis project forked from butterflynetwork/bazel
Correct, reproducible, and fast builds for everyone.
Home Page: https://bazel.build
License: Apache License 2.0
This project forked from butterflynetwork/bazel
Correct, reproducible, and fast builds for everyone.
Home Page: https://bazel.build
License: Apache License 2.0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
The Bzip2 decompression decoder function doesn't allow setting size restrictions on the decompressed output data (which affects the allocation size used during decompression). All users of Bzip2Decoder are affected. The malicious input can trigger an OOME and so a DoS attack
Publish Date: 2021-10-19
URL: CVE-2021-37136
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-grg4-wf29-r9vv
Release Date: 2021-10-19
Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all::4.1.68.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
The ZlibDecoders in Netty 4.1.x before 4.1.46 allow for unbounded memory allocation while decoding a ZlibEncoded byte stream. An attacker could send a large ZlibEncoded byte stream to the Netty server, forcing the server to allocate all of its free memory to a single decoder.
Publish Date: 2020-04-07
URL: CVE-2020-11612
Base Score Metrics:
Type: Upgrade version
Origin: https://netty.io/news/2020/02/28/4-1-46-Final.html
Release Date: 2020-04-07
Fix Resolution: io.netty:netty-codec:4.1.46.Final;io.netty:netty-all:4.1.46.Final
Apache Ant
Library home page: http://ant.apache.org/
Path to dependency file: /third_party/java/proguard/proguard5.3.3/buildscripts/build.gradle
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
As mitigation for CVE-2020-1945 Apache Ant 1.10.8 changed the permissions of temporary files it created so that only the current user was allowed to access them. Unfortunately the fixcrlf task deleted the temporary file and created a new one without said protection, effectively nullifying the effort. This would still allow an attacker to inject modified source files into the build process.
Publish Date: 2020-10-01
URL: CVE-2020-11979
Base Score Metrics:
Type: Upgrade version
Origin: https://ant.apache.org/security.html
Release Date: 2020-10-01
Fix Resolution: org.apache.ant🐜1.10.9
A massively spiffy yet delicately unobtrusive compression library.
Library home page: https://github.com/cyanskies/zlib.git
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
inffast.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Publish Date: 2017-05-23
URL: CVE-2016-9841
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9841
Release Date: 2017-05-23
Fix Resolution: v1.2.9
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to dependency file: /third_party/py/mock/html/mock.html
Path to vulnerable library: /jquery.js,/third_party/py/mock/html/_static/jquery.js
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
jQuery before 1.9.0 is vulnerable to Cross-site Scripting (XSS) attacks. The jQuery(strInput) function does not differentiate selectors from HTML in a reliable fashion. In vulnerable versions, jQuery determined whether the input was HTML by looking for the '<' character anywhere in the string, giving attackers more flexibility when attempting to construct a malicious payload. In fixed versions, jQuery only deems the input to be HTML if it explicitly starts with the '<' character, limiting exploitability only to attackers who can control the beginning of a string, which is far less common.
Publish Date: 2018-01-18
URL: CVE-2012-6708
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2012-6708
Release Date: 2018-01-18
Fix Resolution: jQuery - v1.9.0
Core Jackson abstractions, basic JSON streaming API implementation
Path to dependency file: /third_party/protobuf/3.6.0/ruby/pom.xml
Path to vulnerable library: /.m2/repository/com/fasterxml/jackson/core/jackson-core/2.4.3/jackson-core-2.4.3.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In Jackson Core before version 2.8.6 if the REST endpoint consumes POST requests with JSON or XML data and data are invalid, the first unrecognized token is printed to server.log. If the first token is word of length 10MB, the whole word is printed. This is potentially dangerous and can be used to attack the server by filling the disk with logs.
Publish Date: 2018-06-24
URL: WS-2018-0124
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=WS-2018-0124
Release Date: 2018-01-24
Fix Resolution: 2.8.6
⛑️ Automatic Remediation is available for this issue
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.61.Final there is a vulnerability that enables request smuggling. The content-length header is not correctly validated if the request only uses a single Http2HeaderFrame with the endStream set to to true. This could lead to request smuggling if the request is proxied to a remote peer and translated to HTTP/1.1. This is a followup of GHSA-wm47-8v5p-wjpj/CVE-2021-21295 which did miss to fix this one case. This was fixed as part of 4.1.61.Final.
Publish Date: 2021-03-30
URL: CVE-2021-21409
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-f256-j965-7f32
Release Date: 2021-03-30
Fix Resolution: io.netty:netty-codec-http2:4.1.61.Final
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to dependency file: /third_party/py/mock/html/mock.html
Path to vulnerable library: /jquery.js,/third_party/py/mock/html/_static/jquery.js
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
jQuery before 3.0.0 is vulnerable to Cross-site Scripting (XSS) attacks when a cross-domain Ajax request is performed without the dataType option, causing text/javascript responses to be executed.
Publish Date: 2018-01-18
URL: CVE-2015-9251
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2015-9251
Release Date: 2018-01-18
Fix Resolution: jQuery - v3.0.0
Google's common JavaScript library
Library home page: https://registry.npmjs.org/google-closure-library/-/google-closure-library-20160125.0.0.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/google-closure-library/package.json
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
A URL parsing issue in goog.uri of the Google Closure Library versions up to and including v20200224 allows an attacker to send malicious URLs to be parsed by the library and return the wrong authority. Mitigation: update your library to version v20200315.
Publish Date: 2020-03-26
URL: CVE-2020-8910
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8910
Release Date: 2020-03-26
Fix Resolution: v20200315
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to vulnerable library: /ss/apache-commons-compress-1.9.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted 7Z archive, the construction of the list of codecs that decompress an entry can result in an infinite loop. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35515
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Library home page: https://source.codeaurora.org/quic/le/grpc/
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Nanopb is a small code-size Protocol Buffers implementation. In Nanopb before versions 0.4.4 and 0.3.9.7, decoding specifically formed message can leak memory if dynamic allocation is enabled and an oneof field contains a static submessage that contains a dynamic field, and the message being decoded contains the submessage multiple times. This is rare in normal messages, but it is a concern when untrusted data is parsed. This is fixed in versions 0.3.9.7 and 0.4.4. The following workarounds are available: 1) Set the option no_unions
for the oneof field. This will generate fields as separate instead of C union, and avoids triggering the problematic code. 2) Set the type of the submessage field inside oneof to FT_POINTER
. This way the whole submessage will be dynamically allocated and the problematic code is not executed. 3) Use an arena allocator for nanopb, to make sure all memory can be released afterwards.
Publish Date: 2020-11-25
URL: CVE-2020-26243
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1902065
Release Date: 2020-11-25
Fix Resolution: nanopb-0.3.9.7,nanopb-0.4.4
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
HttpObjectDecoder.java in Netty before 4.1.44 allows a Content-Length header to be accompanied by a second Content-Length header, or by a Transfer-Encoding header.
Publish Date: 2020-01-29
URL: CVE-2019-20445
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20445
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-codec-http:4.1.44
⛑️ Automatic Remediation is available for this issue
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.js
Path to vulnerable library: /js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js
Path to vulnerable library: /js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the tooltip data-viewport attribute.
Publish Date: 2019-01-09
URL: CVE-2018-20676
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20676
Release Date: 2019-01-09
Fix Resolution: bootstrap - 3.4.0
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /third_party/protobuf/3.6.0/java/util/pom.xml
Path to vulnerable library: /.m2/repository/com/google/protobuf/protobuf-java/3.6.0/protobuf-java-3.6.0.jar
Dependency Hierarchy:
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /third_party/protobuf/3.6.0/benchmarks/java/pom.xml
Path to vulnerable library: /.m2/repository/com/google/protobuf/protobuf-java/3.5.0/protobuf-java-3.5.0.jar
Dependency Hierarchy:
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /third_party/protobuf/3.6.0/ruby/pom.xml
Path to vulnerable library: /.m2/repository/com/google/protobuf/protobuf-java/3.0.0/protobuf-java-3.0.0.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
An issue in protobuf-java allowed the interleaving of com.google.protobuf.UnknownFieldSet fields in such a way that would be processed out of order. A small malicious payload can occupy the parser for several minutes by creating large numbers of short-lived objects that cause frequent, repeated pauses. We recommend upgrading libraries beyond the vulnerable versions.
Publish Date: 2022-01-10
URL: CVE-2021-22569
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wrvw-hg22-4m67
Release Date: 2022-01-10
Fix Resolution: com.google.protobuf:protobuf-java:3.16.1,3.18.2,3.19.2; com.google.protobuf:protobuf-kotlin:3.18.2,3.19.2; google-protobuf - 3.19.2
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.js
Path to vulnerable library: /js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js
Path to vulnerable library: /js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In Bootstrap before 3.4.0, XSS is possible in the affix configuration target property.
Publish Date: 2019-01-09
URL: CVE-2018-20677
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-20677
Release Date: 2019-01-09
Fix Resolution: Bootstrap - v3.4.0;NorDroN.AngularTemplate - 0.1.6;Dynamic.NET.Express.ProjectTemplates - 0.8.0;dotnetng.template - 1.0.0.4;ZNxtApp.Core.Module.Theme - 1.0.9-Beta;JMeter - 5.0.0
The modern build of lodash’s `_.template` as a module.
Library home page: https://registry.npmjs.org/lodash.template/-/lodash.template-3.6.2.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/lodash.template/package.json
Dependency Hierarchy:
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Versions of lodash lower than 4.17.12 are vulnerable to Prototype Pollution. The function defaultsDeep could be tricked into adding or modifying properties of Object.prototype using a constructor payload.
Publish Date: 2019-07-26
URL: CVE-2019-10744
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jf85-cpcp-j695
Release Date: 2019-07-26
Fix Resolution: lodash-4.17.12, lodash-amd-4.17.12, lodash-es-4.17.12, lodash.defaultsdeep-4.6.1, lodash.merge- 4.6.2, lodash.mergewith-4.6.2, lodash.template-4.5.0
A massively spiffy yet delicately unobtrusive compression library.
Library home page: https://github.com/cyanskies/zlib.git
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
inftrees.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact by leveraging improper pointer arithmetic.
Publish Date: 2017-05-23
URL: CVE-2016-9840
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9840
Release Date: 2017-05-23
Fix Resolution: v1.2.9
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: http://code.google.com/p/guava-libraries
Path to dependency file: /third_party/protobuf/3.6.0/benchmarks/java/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/guava/guava/18.0/guava-18.0.jar
Dependency Hierarchy:
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Guava has only one code dependency - javax.annotation,
per the JSR-305 spec.</p>
Library home page: https://github.com/google/guava
Path to dependency file: /third_party/protobuf/3.6.0/java/util/pom.xml
Path to vulnerable library: /.m2/repository/com/google/guava/guava/19.0/guava-19.0.jar
Dependency Hierarchy:
Guava is a suite of core and expanded libraries that include utility classes, google's collections, io classes, and much much more.
Library home page: https://github.com/google/guava
Path to vulnerable library: /jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
A temp directory creation vulnerability exists in all versions of Guava, allowing an attacker with access to the machine to potentially access data in a temporary directory created by the Guava API com.google.common.io.Files.createTempDir(). By default, on unix-like systems, the created directory is world-readable (readable by an attacker with access to the system). The method in question has been marked @deprecated in versions 30.0 and later and should not be used. For Android developers, we recommend choosing a temporary directory API provided by Android, such as context.getCacheDir(). For other Java developers, we recommend migrating to the Java 7 API java.nio.file.Files.createTempDirectory() which explicitly configures permissions of 700, or configuring the Java runtime's java.io.tmpdir system property to point to a location whose permissions are appropriately configured.
Publish Date: 2020-12-10
URL: CVE-2020-8908
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-8908
Release Date: 2020-12-10
Fix Resolution: v30.0
A massively spiffy yet delicately unobtrusive compression library.
Library home page: https://github.com/cyanskies/zlib.git
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
The inflateMark function in inflate.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving left shifts of negative integers.
Publish Date: 2017-05-23
URL: CVE-2016-9842
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9842
Release Date: 2017-05-23
Fix Resolution: v1.2.9
Apache HttpComponents Client
Path to vulnerable library: /pclient-4.5.3.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.
Publish Date: 2020-12-02
URL: CVE-2020-13956
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2020-13956
Release Date: 2020-12-02
Fix Resolution: org.apache.httpcomponents:httpclient:4.5.13;org.apache.httpcomponents:httpclient-osgi:4.5.13;org.apache.httpcomponents.client5:httpclient5:5.0.3;org.apache.httpcomponents.client5:httpclient5-osgi:5.0.3
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Path to vulnerable library: /tils-3.0.21.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Security vulnerability found in plexus-utils before 3.0.24. XML injection found in XmlWriterUtil.java.
Publish Date: 2016-05-07
URL: WS-2016-7062
Base Score Metrics:
Type: Upgrade version
Origin: codehaus-plexus/plexus-utils@f933e5e
Release Date: 2016-05-07
Fix Resolution: 3.0.24
⛑️ Automatic Remediation is available for this issue
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/1.4.2/jquery.min.js
Path to dependency file: /third_party/py/mock/html/mock.html
Path to vulnerable library: /jquery.js,/third_party/py/mock/html/_static/jquery.js
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
jquery prior to 1.9.0 allows Cross-site Scripting attacks via the load method. The load method fails to recognize and remove "<script>" HTML tags that contain a whitespace character, i.e: "</script >", which results in the enclosed script logic to be executed.
Publish Date: 2020-05-19
URL: CVE-2020-7656
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-q4m3-2j7h-f7xw
Release Date: 2020-05-28
Fix Resolution: jquery - 1.9.0
A utility library delivering consistency, customization, performance, and extras.
Library home page: https://registry.npmjs.org/lodash/-/lodash-1.0.2.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/lodash/package.json
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Lodash versions prior to 4.17.21 are vulnerable to Command Injection via the template function.
Publish Date: 2021-02-15
URL: CVE-2021-23337
Base Score Metrics:
Type: Upgrade version
Origin: lodash/lodash@3469357
Release Date: 2021-02-15
Fix Resolution: lodash - 4.17.21
A Java framework to parse command line options with annotations.
Library home page: http://beust.com/
Path to vulnerable library: /ander-1.48.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Inclusion of Functionality from Untrusted Control Sphere vulnerability found in jcommander before 1.75. jcommander resolving dependencies over HTTP instead of HTTPS.
Publish Date: 2019-02-19
URL: WS-2019-0490
Base Score Metrics:
Type: Upgrade version
Origin: cbeust/jcommander#465
Release Date: 2019-02-19
Fix Resolution: com.beust:jcommander:1.75
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
Library that provides collection, processing, and rendering functionality for PHP code coverage information.
Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/819f92bba8b001d4363065928088de22f25a3a48
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In jQuery versions greater than or equal to 1.0.3 and before 3.5.0, passing HTML containing elements from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11023
Base Score Metrics:
JavaScript library for DOM operations
Library home page: https://cdnjs.cloudflare.com/ajax/libs/jquery/3.4.1/jquery.min.js
Path to vulnerable library: /phpunit/php-code-coverage/src/Report/Html/Renderer/Template/js/jquery.min.js
Dependency Hierarchy:
Library that provides collection, processing, and rendering functionality for PHP code coverage information.
Library home page: https://api.github.com/repos/sebastianbergmann/php-code-coverage/zipball/819f92bba8b001d4363065928088de22f25a3a48
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In jQuery versions greater than or equal to 1.2 and before 3.5.0, passing HTML from untrusted sources - even after sanitizing it - to one of jQuery's DOM manipulation methods (i.e. .html(), .append(), and others) may execute untrusted code. This problem is patched in jQuery 3.5.0.
Publish Date: 2020-04-29
URL: CVE-2020-11022
Base Score Metrics:
Type: Upgrade version
Origin: https://blog.jquery.com/2020/04/10/jquery-3-5-0-released/
Release Date: 2020-04-29
Fix Resolution: jQuery - 3.5.0
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty (io.netty:netty-codec-http2) before version 4.1.60.Final there is a vulnerability that enables request smuggling. If a Content-Length header is present in the original HTTP/2 request, the field is not validated by Http2MultiplexHandler
as it is propagated up. This is fine as long as the request is not proxied through as HTTP/1.1. If the request comes in as an HTTP/2 stream, gets converted into the HTTP/1.1 domain objects (HttpRequest
, HttpContent
, etc.) via Http2StreamFrameToHttpObjectCodec
and then sent up to the child channel's pipeline and proxied through a remote peer as HTTP/1.1 this may result in request smuggling. In a proxy case, users may assume the content-length is validated somehow, which is not the case. If the request is forwarded to a backend channel that is a HTTP/1.1 connection, the Content-Length now has meaning and needs to be checked. An attacker can smuggle requests inside the body as it gets downgraded from HTTP/2 to HTTP/1.1. For an example attack refer to the linked GitHub Advisory. Users are only affected if all of this is true: HTTP2MultiplexCodec
or Http2FrameCodec
is used, Http2StreamFrameToHttpObjectCodec
is used to convert to HTTP/1.1 objects, and these HTTP/1.1 objects are forwarded to another remote peer. This has been patched in 4.1.60.Final As a workaround, the user can do the validation by themselves by implementing a custom ChannelInboundHandler
that is put in the ChannelPipeline
behind Http2StreamFrameToHttpObjectCodec
.
Publish Date: 2021-03-09
URL: CVE-2021-21295
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-wm47-8v5p-wjpj
Release Date: 2021-03-09
Fix Resolution: io.netty:netty-all:4.1.60;io.netty:netty-codec-http:4.1.60;io.netty:netty-codec-http2:4.1.60
Apache Ant
Library home page: http://ant.apache.org/
Path to dependency file: /third_party/java/proguard/proguard5.3.3/buildscripts/build.gradle
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted TAR archive an Apache Ant build can be made to allocate large amounts of memory that finally leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Publish Date: 2021-07-14
URL: CVE-2021-36373
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-36373
Release Date: 2021-07-14
Fix Resolution: org.apache.ant🐜1.9.16,1.10.11
Library home page: https://source.codeaurora.org/quic/le/grpc/
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Nanopb is a small code-size Protocol Buffers implementation in ansi C. In Nanopb before versions 0.3.9.8 and 0.4.5, decoding a specifically formed message can cause invalid free()
or realloc()
calls if the message type contains an oneof
field, and the oneof
directly contains both a pointer field and a non-pointer field. If the message data first contains the non-pointer field and then the pointer field, the data of the non-pointer field is incorrectly treated as if it was a pointer value. Such message data rarely occurs in normal messages, but it is a concern when untrusted data is parsed. This has been fixed in versions 0.3.9.8 and 0.4.5. See referenced GitHub Security Advisory for more information including workarounds.
Publish Date: 2021-03-23
URL: CVE-2021-21401
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-7mv5-5mxh-qg88
Release Date: 2021-03-23
Fix Resolution: nanopb - 0.3.9.8,0.4.5
Jersey is the open source (under dual CDDL+GPL license) JAX-RS (JSR 311) production quality Reference Implementation for building RESTful Web services.
Library home page: https://jersey.java.net/
Path to dependency file: /third_party/protobuf/3.6.0/benchmarks/java/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/sun/jersey/jersey-core/1.11/jersey-core-1.11.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
jersey: XXE via parameter entities not disabled by the jersey SAX parser
Publish Date: 2019-12-15
URL: CVE-2014-3643
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-3643
Release Date: 2019-12-15
Fix Resolution: com.sun.jersey:jersey-core:1.13;com.sun.jersey:jersey-server:1.13
A massively spiffy yet delicately unobtrusive compression library.
Library home page: https://github.com/cyanskies/zlib.git
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
The crc32_big function in crc32.c in zlib 1.2.8 might allow context-dependent attackers to have unspecified impact via vectors involving big-endian CRC calculation.
Publish Date: 2017-05-23
URL: CVE-2016-9843
Base Score Metrics:
Type: Upgrade version
Origin: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-9843
Release Date: 2017-05-23
Fix Resolution: v1.2.9
Apache Ant
Library home page: http://ant.apache.org/
Path to dependency file: /third_party/java/proguard/proguard5.3.3/buildscripts/build.gradle
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Algorithmic complexity vulnerability in the sorting algorithms in bzip2 compressing stream (BZip2CompressorOutputStream) in Apache Commons Compress before 1.4.1 allows remote attackers to cause a denial of service (CPU consumption) via a file with many repeating inputs.
Publish Date: 2012-06-29
URL: CVE-2012-2098
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-2098
Release Date: 2012-06-29
Fix Resolution: org.apache.ant🐜1.8.4,org.apache.commons:commons-compress:1.4.1
Library home page: https://source.codeaurora.org/quic/le/grpc/
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In pb_write of pb_encode.c, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege with System execution privileges needed. User interaction is not needed for exploitation.Product: AndroidVersions: Android kernelAndroid ID: A-178754781
Publish Date: 2021-04-15
URL: CVE-2021-0488
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-3p39-mfxg-hrq4
Release Date: 2021-04-15
Fix Resolution: nanopb-0.4.2, nanopb-0.3.9.6, nanopb-0.2.9.5
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.js
Path to vulnerable library: /js/bootstrap.js
Dependency Hierarchy:
The most popular front-end framework for developing responsive, mobile first projects on the web.
Library home page: https://cdnjs.cloudflare.com/ajax/libs/twitter-bootstrap/3.3.6/js/bootstrap.min.js
Path to vulnerable library: /js/bootstrap.min.js
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In Bootstrap before 3.4.1 and 4.3.x before 4.3.1, XSS is possible in the tooltip or popover data-template attribute.
Publish Date: 2019-02-20
URL: CVE-2019-8331
Base Score Metrics:
Type: Upgrade version
Origin: twbs/bootstrap#28236
Release Date: 2019-02-20
Fix Resolution: bootstrap - 3.4.1,4.3.1;bootstrap-sass - 3.4.1,4.3.1
Strips glob magic from a string to provide the parent path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-2.0.0.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/glob-base/node_modules/glob-parent/package.json
Dependency Hierarchy:
Strips glob magic from a string to provide the parent directory path
Library home page: https://registry.npmjs.org/glob-parent/-/glob-parent-3.1.0.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/glob-parent/package.json
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
This affects the package glob-parent before 5.1.2. The enclosure regex used to check for strings ending in enclosure containing path separator.
Publish Date: 2021-06-03
URL: CVE-2020-28469
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-28469
Release Date: 2021-06-03
Fix Resolution: glob-parent - 5.1.2
Apache Ant
Library home page: http://ant.apache.org/
Path to dependency file: /third_party/java/proguard/proguard5.3.3/buildscripts/build.gradle
Path to vulnerable library: /.gradle/caches/modules-2/files-2.1/org.apache.ant/ant/1.7.0/9746af1a485e50cf18dcb232489032a847067066/ant-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted ZIP archive, or a derived formats, an Apache Ant build can be made to allocate large amounts of memory that leads to an out of memory error, even for small inputs. This can be used to disrupt builds using Apache Ant. Commonly used derived formats from ZIP archives are for instance JAR files and many office files. Apache Ant prior to 1.9.16 and 1.10.11 were affected.
Publish Date: 2021-07-14
URL: CVE-2021-36374
Base Score Metrics:
Type: Upgrade version
Origin: https://ant.apache.org/security.html
Release Date: 2021-07-14
Fix Resolution: org.apache.ant🐜1.9.16,1.10.11
Core Protocol Buffers library. Protocol Buffers are a way of encoding structured data in an efficient yet extensible format.
Library home page: https://developers.google.com/protocol-buffers/
Path to dependency file: /third_party/protobuf/3.6.0/ruby/pom.xml
Path to vulnerable library: /.m2/repository/com/google/protobuf/protobuf-java/3.0.0/protobuf-java-3.0.0.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
protobuf allows remote authenticated attackers to cause a heap-based buffer overflow.
Publish Date: 2017-09-25
URL: CVE-2015-5237
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/protocolbuffers/protobuf/releases/tag/v3.4.0
Release Date: 2017-09-25
Fix Resolution: 3.4.0
⛑️ Automatic Remediation is available for this issue
Library home page: https://source.codeaurora.org/quic/le/grpc/
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
There is a potentially exploitable out of memory condition In Nanopb before 0.4.1, 0.3.9.5, and 0.2.9.4. When nanopb is compiled with PB_ENABLE_MALLOC, the message to be decoded contains a repeated string, bytes or message field and realloc() runs out of memory when expanding the array nanopb can end up calling free()
on a pointer value that comes from uninitialized memory. Depending on platform this can result in a crash or further memory corruption, which may be exploitable in some cases. This problem is fixed in nanopb-0.4.1, nanopb-0.3.9.5, nanopb-0.2.9.4.
Publish Date: 2020-02-04
URL: CVE-2020-5235
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-5235
Release Date: 2020-02-06
Fix Resolution: 0.4.1, 0.3.9.5,0.2.9.4
JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Library home page: http://junit.org
Path to vulnerable library: /t/junit-4.12.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In JUnit4 from version 4.7 and before 4.13.1, the test rule TemporaryFolder contains a local information disclosure vulnerability. On Unix like systems, the system's temporary directory is shared between all users on that system. Because of this, when files and directories are written into this directory they are, by default, readable by other users on that same system. This vulnerability does not allow other users to overwrite the contents of these directories or files. This is purely an information disclosure vulnerability. This vulnerability impacts you if the JUnit tests write sensitive information, like API keys or passwords, into the temporary folder, and the JUnit tests execute in an environment where the OS has other untrusted users. Because certain JDK file system APIs were only added in JDK 1.7, this this fix is dependent upon the version of the JDK you are using. For Java 1.7 and higher users: this vulnerability is fixed in 4.13.1. For Java 1.6 and lower users: no patch is available, you must use the workaround below. If you are unable to patch, or are stuck running on Java 1.6, specifying the java.io.tmpdir
system environment variable to a directory that is exclusively owned by the executing user will fix this vulnerability. For more information, including an example of vulnerable code, see the referenced GitHub Security Advisory.
Publish Date: 2020-10-12
URL: CVE-2020-15250
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-269g-pwp5-87pp
Release Date: 2020-10-12
Fix Resolution: junit:junit:4.13.1
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-2.0.10.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/gulp/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.3.0.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/jasmine/node_modules/minimatch/package.json
Dependency Hierarchy:
a glob matcher in javascript
Library home page: https://registry.npmjs.org/minimatch/-/minimatch-0.2.14.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/globule/node_modules/minimatch/package.json
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Minimatch is a minimal matching utility that works by converting glob expressions into JavaScript RegExp
objects. The primary function, minimatch(path, pattern)
in Minimatch 3.0.1 and earlier is vulnerable to ReDoS in the pattern
parameter.
Publish Date: 2018-05-31
URL: CVE-2016-10540
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2016-10540
Release Date: 2018-05-31
Fix Resolution: Pvc.Browserify - 0.0.1.1;JetBrains.Rider.Frontend4 - 203.0.20201014.202610-eap04;JetBrains.Rider.Frontend5 - 203.0.20201006.200056-eap03,213.0.20211008.154703-eap03;Bridge.AWS - 0.3.30.36;tslint - 3.11.0;MIDIator.WebClient - 1.0.105;BumperLane.Public.Service.Contracts - 0.23.35.214-prerelease;ng-grid - 2.0.4;minimatch - 3.0.2;Virteom.Tenant.Mobile.Bluetooth - 0.21.29.159-prerelease;ShowingVault.DotNet.Sdk - 0.13.41.190-prerelease;Triarc.Web.Build - 1.3.0;Virteom.Tenant.Mobile.Framework.UWP - 0.20.41.103-prerelease;Virteom.Tenant.Mobile.Framework.iOS - 0.20.41.103-prerelease;BumperLane.Public.Api.V2.ClientModule - 0.23.35.214-prerelease;Virteom.Tenant.Mobile.Bluetooth.iOS - 0.20.41.103-prerelease;Virteom.Public.Utilities - 0.23.37.212-prerelease;Mustache.Reports.Data - 1.2.2;Virteom.Tenant.Mobile.Framework - 0.21.29.159-prerelease;Virteom.Tenant.Mobile.Bluetooth.Android - 0.20.41.103-prerelease;z4a-dotnet-scaffold - 1.0.0.2;Raml.Parser - 2.0.0,1.0.2;AntData.ORM - 1.2.9;ApiExplorer.HelpPage - 1.0.0-alpha3;SitecoreMaster.TrueDynamicPlaceholders - 1.0.3;Virteom.Tenant.Mobile.Framework.Android - 0.20.41.103-prerelease;BumperLane.Public.Api.Client - 0.23.35.214-prerelease
Google's common JavaScript library
Library home page: https://registry.npmjs.org/google-closure-library/-/google-closure-library-20160125.0.0.tgz
Path to dependency file: /third_party/protobuf/3.6.0/js/package.json
Path to vulnerable library: /third_party/protobuf/3.6.0/js/node_modules/google-closure-library/package.json
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
In google-closure-library, versions before 20190301.0.0 are vulnerable to Cross-Site-Scripting. The safedomtreeprocessor.processToString() function improperly processes empty elements.
Publish Date: 2019-02-22
URL: WS-2019-0249
Base Score Metrics:
Type: Upgrade version
Origin: https://www.npmjs.com/advisories/878
Release Date: 2019-02-22
Fix Resolution: 20190301.0.0
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to vulnerable library: /ss/apache-commons-compress-1.9.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted TAR archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' tar package.
Publish Date: 2021-07-13
URL: CVE-2021-35517
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to vulnerable library: /ss/apache-commons-compress-1.9.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted ZIP archive, the read method of Apache Commons Compress 1.7 to 1.17's ZipArchiveInputStream can fail to return the correct EOF indication after the end of the stream has been reached. When combined with a java.io.InputStreamReader this can lead to an infinite stream, which can be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2018-08-16
URL: CVE-2018-11771
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11771
Release Date: 2018-08-16
Fix Resolution: 1.18
⛑️ Automatic Remediation is available for this issue
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to vulnerable library: /ss/apache-commons-compress-1.9.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted ZIP archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' zip package.
Publish Date: 2021-07-13
URL: CVE-2021-36090
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Core Jackson abstractions, basic JSON streaming API implementation
Path to dependency file: /third_party/protobuf/3.6.0/ruby/pom.xml
Path to vulnerable library: /.m2/repository/com/fasterxml/jackson/core/jackson-core/2.4.3/jackson-core-2.4.3.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
OutOfMemoryError when writing BigDecimal In Jackson Core before version 2.7.7.
When enabled the WRITE_BIGDECIMAL_AS_PLAIN setting, Jackson will attempt to write out the whole number, no matter how large the exponent.
Publish Date: 2016-08-25
URL: WS-2018-0125
Base Score Metrics:
Type: Upgrade version
Origin: https://github.com/FasterXML/jackson-core/releases/tag/jackson-core-2.7.7
Release Date: 2016-08-25
Fix Resolution: com.fasterxml.jackson.core:jackson-core:2.7.7
⛑️ Automatic Remediation is available for this issue
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
The Snappy frame decoder function doesn't restrict the chunk length which may lead to excessive memory usage. Beside this it also may buffer reserved skippable chunks until the whole chunk was received which may lead to excessive memory usage as well. This vulnerability can be triggered by supplying malicious input that decompresses to a very big size (via a network stream or a file) or by sending a huge skippable chunk.
Publish Date: 2021-10-19
URL: CVE-2021-37137
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9vjp-v76f-g363
Release Date: 2021-10-19
Fix Resolution: io.netty:netty-codec:4.1.68.Final;io.netty:netty-all:4.1.68.Final
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Netty is an open-source, asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers & clients. In Netty before version 4.1.59.Final there is a vulnerability on Unix-like systems involving an insecure temp file. When netty's multipart decoders are used local information disclosure can occur via the local system temporary directory if temporary storing uploads on the disk is enabled. On unix-like systems, the temporary directory is shared between all user. As such, writing to this directory using APIs that do not explicitly set the file/directory permissions can lead to information disclosure. Of note, this does not impact modern MacOS Operating Systems. The method "File.createTempFile" on unix-like systems creates a random file, but, by default will create this file with the permissions "-rw-r--r--". Thus, if sensitive information is written to this file, other local users can read this information. This is the case in netty's "AbstractDiskHttpData" is vulnerable. This has been fixed in version 4.1.59.Final. As a workaround, one may specify your own "java.io.tmpdir" when you start the JVM or use "DefaultHttpDataFactory.setBaseDir(...)" to set the directory to something that is only readable by the current user.
Publish Date: 2021-02-08
URL: CVE-2021-21290
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-5mcr-gq6c-3hq2
Release Date: 2021-02-08
Fix Resolution: io.netty:netty-codec-http:4.1.59.Final
Library home page: http://archive.apache.org/dist/uima/uima-ducc-2.1.0/uima-ducc-2.1.0-bin.tar.gz
Path to vulnerable library: /commons-codec-1.9.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
Apache commons-codec before version “commons-codec-1.13-RC1” is vulnerable to information disclosure due to Improper Input validation.
Publish Date: 2019-05-20
URL: WS-2019-0379
Base Score Metrics:
Type: Upgrade version
Origin: apache/commons-codec@48b6157
Release Date: 2019-05-20
Fix Resolution: commons-codec:commons-codec:1.13
Apache Commons Compress software defines an API for working with compression and archive formats. These include: bzip2, gzip, pack200, lzma, xz, Snappy, traditional Unix Compress, DEFLATE and ar, cpio, jar, tar, zip, dump, 7z, arj.
Path to vulnerable library: /ss/apache-commons-compress-1.9.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
When reading a specially crafted 7Z archive, Compress can be made to allocate large amounts of memory that finally leads to an out of memory error even for very small inputs. This could be used to mount a denial of service attack against services that use Compress' sevenz package.
Publish Date: 2021-07-13
URL: CVE-2021-35516
Base Score Metrics:
Type: Upgrade version
Origin: https://commons.apache.org/proper/commons-compress/security-reports.html
Release Date: 2021-07-13
Fix Resolution: org.apache.commons:commons-compress:1.21
Netty is an asynchronous event-driven network application framework for rapid development of maintainable high performance protocol servers and clients.
Library home page: http://netty.io/
Path to vulnerable library: /7.Final.jar
Dependency Hierarchy:
Found in HEAD commit: c258fdc57bed0b623184b81d1c7127a55e698fdd
Found in base branch: master
HttpObjectDecoder.java in Netty before 4.1.44 allows an HTTP header that lacks a colon, which might be interpreted as a separate header with an incorrect syntax, or might be interpreted as an "invalid fold."
Publish Date: 2020-01-29
URL: CVE-2019-20444
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-20444
Release Date: 2020-01-29
Fix Resolution: io.netty:netty-all:4.1.44.Final
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.