verademo-java's People

Contributors

antfie, ctcampbell, lerer, relaxnow, tjarrettveracode


verademo-java's Issues

CVE: 0000-0000 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Keycloak SAML Core
Description | Keycloak SSO
Language | JAVA
Vulnerability | SAML Assertion Insertion
Vulnerability description | Keycloak saml-core is vulnerable to malicious SAML assertion insertion. This vulnerability is due to the fact that the assertions are not verified as signed before being accepted.
CVE | null
CVSS score | 6.4
Vulnerability present in version/s | 1.1.0.Beta1-1.9.0.CR1
Found library version/s | 1.8.1.Final
Vulnerability fixed in version | 1.9.0.Final
Library latest version | 15.0.2
Fix |

CVE: 2020-15250 found in JUnit - Version: 4.13 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | JUnit
Description | JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck.
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | junit is vulnerable to information disclosure. The vulnerability exists through the behaviour of TemporaryFolder on UNIX-like systems, where the system's temporary directory is shared between all users on that system by default.
CVE | 2020-15250
CVSS score | 1.9
Vulnerability present in version/s | 4.11-beta-1-4.13
Found library version/s | 4.13
Vulnerability fixed in version | 4.13.1
Library latest version | 4.13.2
Fix |

CVE: 2020-17527 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | tomcat is vulnerable to denial of service. Re-use of an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream would most likely lead to an error and the closure of the HTTP/2 connection. It is also possible that information could leak between requests.
CVE | 2020-17527
CVSS score | 5
Vulnerability present in version/s | 9.0.0.M1-9.0.39
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.40
Library latest version | 10.1.0-M6
Fix |

CVE: 2021-24122 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | apache tomcat is vulnerable to information disclosure. Security constraints can be bypassed to obtain and view JSP source code in certain configurations, when serving resources from a network location using the NTFS file system. The vulnerability is caused by the insufficient validation for the : character in the file path.
CVE | 2021-24122
CVSS score | 4.3
Vulnerability present in version/s | 9.0.0.M1-9.0.39
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.40
Library latest version | 10.1.0-M6
Fix |

CVE: 2019-17571 found in Apache Log4j - Version: 1.2.17 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Log4j
Description | Apache Log4j 1.2
Language | JAVA
Vulnerability | Arbitrary Code Execution
Vulnerability description | log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in TcpSocketServer and UdpSocketServer when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget.
CVE | 2019-17571
CVSS score | 7.5
Vulnerability present in version/s | 1.1.3-1.2.17
Found library version/s | 1.2.17
Vulnerability fixed in version |
Library latest version | 1.2.17
Fix | log4j:log4j 1.x is out of life. We recommend users to upgrade to the latest version of org.apache.logging.log4j:log4j-core

CVE: 2021-29425 found in Apache Commons IO - Version: 2.4 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Commons IO
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Language | JAVA
Vulnerability | Directory Traversal
Vulnerability description | commons-io is vulnerable to directory traversal. Invoking the method FileNameUtils.normalize with a malicious input string would potentially allow access to files within the parent directory.
CVE | 2021-29425
CVSS score | 5
Vulnerability present in version/s | 2.2-2.6
Found library version/s | 2.4
Vulnerability fixed in version | 2.7
Library latest version | 2.11.0
Fix |

CVE: 2012-6153 found in HttpClient - Version: 3.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | HttpClient
Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and prov
Language | JAVA
Vulnerability | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers
Vulnerability description | http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783.
CVE | 2012-6153
CVSS score | 4.3
Vulnerability present in version/s | 3.0-3.1
Found library version/s | 3.1
Vulnerability fixed in version | null
Library latest version | 3.1
Fix | null

CVE: 2021-22118 found in Spring Web - Version: 5.2.7.RELEASE [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Spring Web
Description | Spring Web
Language | JAVA
Vulnerability | Privilege Escalation
Vulnerability description | spring-web is vulnerable to privilege escalation. Creating or recreating the temporary storage directory creates a collision between multiple instances, which allows a locally authenticated malicious user to read or modify files being uploaded or to overwrite arbitrary files with multipart request data.
CVE | 2021-22118
CVSS score | 4.6
Vulnerability present in version/s | 5.0.0.RELEASE-5.2.14.RELEASE
Found library version/s | 5.2.7.RELEASE
Vulnerability fixed in version | 5.2.15.RELEASE
Library latest version | 5.3.10
Fix |

CVE: 2013-2172 found in Apache XML Security for Java - Version: 1.5.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache XML Security for Java
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver
Language | JAVA
Vulnerability | Spoofable XML Signature
Vulnerability description | jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature.
CVE | 2013-2172
CVSS score | 4.3
Vulnerability present in version/s | 1.5.0-1.5.4
Found library version/s | 1.5.1
Vulnerability fixed in version | 1.5.5
Library latest version | 2.2.2
Fix |

CVE: 2018-1002200 found in Plexus Archiver Component - Version: 1.0-alpha-3 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Plexus Archiver Component
Description | The Plexus project provides a full software stack for creating and executing software projects.
Language | JAVA
Vulnerability | Arbitrary File Write
Vulnerability description | Plexus Archiver Component is vulnerable to a zip-slip vulnerability. The vulnerability exists when the attacker inputs a malicious zip archive with filenames including file traversal characters such as dot dot (..), leading to a concatenated file path that points outside of the destination folder.
CVE | 2018-1002200
CVSS score | 4.3
Vulnerability present in version/s | 1.0-alpha-3-2.4.4
Found library version/s | 1.0-alpha-3
Vulnerability fixed in version | 3.6
Library latest version | 4.2.5
Fix | null

CVE: 2020-13934 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | apache tomcat is vulnerable to denial of service. The HTTP/1.1 processor is not released after an upgrade to HTTP/2, allowing an attacker to cause a denial of service condition due to an OutOfMemoryException by sending a large number of upgrade requests.
CVE | 2020-13934
CVSS score | 5
Vulnerability present in version/s | 9.0.0.M6-9.0.36
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.37
Library latest version | 10.1.0-M6
Fix |

CVE: 2015-4852 found in Apache Commons Collections - Version: 4.0 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Commons Collections
Description | The Apache Commons Collections package contains types that extend and augment the Java Collections Framework.
Language | JAVA
Vulnerability | Potential Remote Code Execution Via Java Object Deserialization
Vulnerability description | Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It's not necessary to actually use InvokerTransformer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process.

The fix prevents deserialization of InvokerTransformer by default unless it's specifically enabled.

CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact.
CVE | 2015-4852
CVSS score | 7.5
Vulnerability present in version/s | 4.0-4.0
Found library version/s | 4.0
Vulnerability fixed in version | 4.1
Library latest version | 4.4
Fix |

CVE: 2015-2944 found in Apache Sling API - Version: 2.0.2-incubator [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Sling API
Description | The Apache Sling API defines an extension to the Servlet API 2.4 to provide access to content and unified access to request parameters hiding the differences between the different methods of transferr
Language | JAVA
Vulnerability | Multiple Cross-site Scripting (XSS) Vulnerabilities
Vulnerability description | Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse.
CVE | 2015-2944
CVSS score | 4.3
Vulnerability present in version/s | 0.0-2.2.1
Found library version/s | 2.0.2-incubator
Vulnerability fixed in version | 2.2.2
Library latest version | 2.23.6
Fix |

CVE: 2015-0254 found in jstl - Version: 1.2 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | jstl
Description | null
Language | JAVA
Vulnerability | XML External Entity (XXE) Through An XSLT Extension
Vulnerability description | Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag.
CVE | 2015-0254
CVSS score | 7.5
Vulnerability present in version/s | 1.0-1.2
Found library version/s | 1.2
Vulnerability fixed in version |
Library latest version | 1.2
Fix |

CVE: 2017-2582 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Keycloak SAML Core
Description | Keycloak SSO
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | keycloak-saml-core is vulnerable to sensitive information disclosure. The attack exists because SAML messages are being parsed by replacing the string to obtain the attribute values with the system property in the StaxParserUtil class. Therefore, an attacker can just pass the chosen system property name through the SAML request ID field and get the response with the system property value in the InResponseTo field.
CVE | 2017-2582
CVSS score | 4
Vulnerability present in version/s | 1.2.0.CR1-2.5.0.Final
Found library version/s | 1.8.1.Final
Vulnerability fixed in version | 2.5.1.Final
Library latest version | 15.0.2
Fix |

CVE: 0000-0000 found in Apache Commons IO - Version: 2.4 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Commons IO
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.
Language | JAVA
Vulnerability | Remote Code Execution (RCE) Via Java Object Deserialization
Vulnerability description | commons-io is vulnerable to remote code execution (RCE) attacks. These attacks are possible because the library doesn't restrict the classes which can be accepted when deserializing a binary.
CVE | null
CVSS score | 5.1
Vulnerability present in version/s | 1.0-2.4
Found library version/s | 2.4
Vulnerability fixed in version | 2.5
Library latest version | 2.11.0
Fix |

CVE: 2020-2933 found in MySQL Connector/J - Version: 5.1.48 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | MySQL Connector/J
Description | JDBC Type 4 driver for MySQL
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | mysql-connector-java is vulnerable to denial of service. When working with a load balancing setup, if the connection property loadBalanceStrategy was set to bestResponseTime and connections to all the hosts in the original setup failed, a denial of service condition will occur in Connector/J, even if newly-added hosts are available.
CVE | 2020-2933
CVSS score | 3.5
Vulnerability present in version/s | 5.1.6-5.1.48
Found library version/s | 5.1.48
Vulnerability fixed in version | 5.1.49
Library latest version | 8.0.27
Fix |

CVE: 2016-1000031 found in Apache Commons FileUpload - Version: 1.3.2 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache Commons FileUpload
Description | The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Language | JAVA
Vulnerability | Remote Code Execution Via Serialization
Vulnerability description | Apache Commons FileUpload is vulnerable to remote code execution via serialization. In Apache Commons FileUpload, a DiskFileItem is used to handle file uploads. DiskFileItem is serializable and implements custom writeObject() and readObject() functions. It is possible for an attacker to modify the serialized data before it is deserialized, and write or copy files to disk in arbitrary locations. Furthermore, it's possible for an attacker to integrate this vulnerability with the ysoserial tool to upload and execute binaries in a single deserialization call.
CVE | 2016-1000031
CVSS score | 7.5
Vulnerability present in version/s | 1.1-1.3.2
Found library version/s | 1.3.2
Vulnerability fixed in version | 1.3.3
Library latest version | 1.4
Fix | Please apply the fix patch to your code.

CVE: 2020-15228 found in @actions/core - Version: 1.2.4 [JS]

Veracode Software Composition Analysis

Attribute | Details
Library | @actions/core
Description | Actions core lib
Language | JS
Vulnerability | Environment Variables Tampering
Vulnerability description | @actions/core allows tampering of environment variables. The addPath and exportVariable functions that communicate with the Actions Runner over stdout allow the unauthorized modification of the path or environment variables.
CVE | 2020-15228
CVSS score | 4
Vulnerability present in version/s | 1.0.0-1.2.5
Found library version/s | 1.2.4
Vulnerability fixed in version | 1.2.6
Library latest version | 1.6.0
Fix |

CVE: 2020-13935 found in tomcat-embed-websocket - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-websocket
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | apache tomcat is vulnerable to denial of service. An infinite loop occurs when invalid payload lengths are parsed. An attacker is able to cause a denial of service condition in the application via malicious WebSocket frames with invalid payload lengths.
CVE | 2020-13935
CVSS score | 5
Vulnerability present in version/s | 9.0.0.M1-9.0.36
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.37
Library latest version | 10.1.0-M6
Fix |

CVE: 2021-30640 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Access Restriction Bypass
Vulnerability description | tomcat-catalina is vulnerable to access restriction bypass. Lack of proper sanitization of user-provided parameters or of configuration data provided by an administrator may allow a user to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm.
CVE | 2021-30640
CVSS score | 5.8
Vulnerability present in version/s | 9.0.0.M1-9.0.45
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.46
Library latest version | 10.1.0-M6
Fix |

CVE: 2017-2646 found in Keycloak SAML Core - Version: 1.8.1.Final [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Keycloak SAML Core
Description | Keycloak SSO
Language | JAVA
Vulnerability | Denial Of Service (DoS)
Vulnerability description | keycloak-saml-core is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to the mishandling of a Logout request with Extensions in the middle of the request.
CVE | 2017-2646
CVSS score | 5
Vulnerability present in version/s | 1.2.0.CR1-2.5.4.Final
Found library version/s | 1.8.1.Final
Vulnerability fixed in version | 2.5.5.Final
Library latest version | 15.0.2
Fix |

CVE: 2021-25329 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Remote Code Execution
Vulnerability description | tomcat-catalina is vulnerable to remote code execution. If a remote attacker knows and is able to control the contents and name of a file, remote code execution can be achieved if the server is configured to use PersistenceManager with a FileStore and the PersistenceManager is configured with the default sessionAttributeValueClassNameFilter="null", through a request that results in the deserialization of the malicious file under the attacker's control. This CVE is due to an incomplete fix for CVE-2020-9484.
CVE | 2021-25329
CVSS score | 4.4
Vulnerability present in version/s | 9.0.0.M1-9.0.41
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.43
Library latest version | 10.1.0-M6
Fix |

CVE: 2021-33037 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Request Smuggling
Vulnerability description | tomcat-coyote is vulnerable to request smuggling. Incorrect parsing of the HTTP transfer-encoding request header causes request smuggling when it is used with a reverse proxy and if the client declared it would only accept an HTTP/1.0 response.
CVE | 2021-33037
CVSS score | 5
Vulnerability present in version/s | 9.0.0.M1-9.0.47
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.48
Library latest version | 10.1.0-M6
Fix | Apply the fixes below.

CVE: 2019-2692 found in MySQL Connector/J - Version: 5.1.48 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | MySQL Connector/J
Description | JDBC Type 4 driver for MySQL
Language | JAVA
Vulnerability | Authorization Bypass
Vulnerability description | mysql-connector-java is vulnerable to authorization bypass. A difficult-to-exploit vulnerability allows a high-privileged attacker to bypass authorization, compromise the MySQL connectors and obtain full control over the connectors.
CVE | 2019-2692
CVSS score | 3.5
Vulnerability present in version/s | 2.0.14-8.0.15
Found library version/s | 5.1.48
Vulnerability fixed in version | 8.0.16
Library latest version | 8.0.27
Fix |

CVE: 2020-5421 found in Spring Web - Version: 5.2.7.RELEASE [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Spring Web
Description | Spring Web
Language | JAVA
Vulnerability | Reflected File Download (RFD) Attack
Vulnerability description | spring-web is vulnerable to Reflected File Download (RFD) attack. An incomplete fix of CVE-2015-5211 allows an attacker to bypass the protection against RFD attack via the jsessionid path parameter.
CVE | 2020-5421
CVSS score | 3.6
Vulnerability present in version/s | 5.2.0.RELEASE-5.2.8.RELEASE
Found library version/s | 5.2.7.RELEASE
Vulnerability fixed in version | 5.2.9.RELEASE
Library latest version | 5.3.10
Fix |

CVE: 2015-0886 found in jBCrypt - Version: 0.3m [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | jBCrypt
Description | OpenBSD-style Blowfish password hashing for Java
Language | JAVA
Vulnerability | Information Disclosure Of Password Hashes Through Crypt_raw
Vulnerability description | Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent.
CVE | 2015-0886
CVSS score | 5
Vulnerability present in version/s | 0.3m-0.3m
Found library version/s | 0.3m
Vulnerability fixed in version | 0.4
Library latest version | 0.4
Fix |

CVE: 2013-4517 found in Apache XML Security for Java - Version: 1.5.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Apache XML Security for Java
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver
Language | JAVA
Vulnerability | Denial Of Service (DoS) Memory Consumption
Vulnerability description | Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures.
CVE | 2013-4517
CVSS score | 4.3
Vulnerability present in version/s | 1.0-1.5.5
Found library version/s | 1.5.1
Vulnerability fixed in version | 1.5.6
Library latest version | 2.2.2
Fix |

CVE: 2020-13943 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | apache tomcat is vulnerable to information disclosure. The HTTP headers within a request can potentially be included in a subsequent request and reveal confidential information, when the agreed maximum number of concurrent streams for a connection is exceeded.
CVE | 2020-13943
CVSS score | 4
Vulnerability present in version/s | 9.0.0.M1-9.0.37
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.38
Library latest version | 10.1.0-M6
Fix |

CVE: 2021-25122 found in tomcat-embed-core - Version: 9.0.36 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | tomcat-embed-core
Description | Core Tomcat implementation
Language | JAVA
Vulnerability | Information Disclosure
Vulnerability description | tomcat-coyote is vulnerable to information leakage. When responding to new h2c connection requests, a request mix-up occurs: the request headers and a limited amount of the request body are duplicated from one request to another, resulting in the request being seen by another user.
CVE | 2021-25122
CVSS score | 5
Vulnerability present in version/s | 9.0.0.M1-9.0.41
Found library version/s | 9.0.36
Vulnerability fixed in version | 9.0.43
Library latest version | 10.1.0-M6
Fix |

CVE: 2017-1000487 found in Plexus Common Utilities - Version: 1.0.4 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | Plexus Common Utilities
Description | A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Language | JAVA
Vulnerability | Command Line Shell Injection
Vulnerability description | plexus-utils is vulnerable to command line shell injection. The library does not correctly quote the contents of double-quoted strings, allowing a malicious user to inject and execute arbitrary shell code.
CVE | 2017-1000487
CVSS score | 7.5
Vulnerability present in version/s | 1.0.4-1.5
Found library version/s | 1.0.4
Vulnerability fixed in version | null
Library latest version | 3.4.1
Fix | null

CVE: 2012-5783 found in HttpClient - Version: 3.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | HttpClient
Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and prov
Language | JAVA
Vulnerability | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers
Vulnerability description | The Apache Commons HTTPClient 3.x (as used in Amazon Flexible Payments Service FPS merchant Java SDK and other SDK products) does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows Man In The Middle attackers to spoof SSL servers via an arbitrary valid certificate.
CVE | 2012-5783
CVSS score | 5.8
Vulnerability present in version/s | 1.0-3.1
Found library version/s | 3.1
Vulnerability fixed in version |
Library latest version | 3.1
Fix | The Apache HTTP client is now EOL and has been replaced by the Apache Commons library. The new group id is org.apache.httpcomponents and the new artifact id is httpclient.

CVE: 2014-3577 found in HttpClient - Version: 3.1 [JAVA]

Veracode Software Composition Analysis

Attribute | Details
Library | HttpClient
Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1), several related specifications (RFC 2109 (Cookies), RFC 2617 (HTTP Authentication), etc.), and prov
Language | JAVA
Vulnerability | Improper Certificate Common Name Verification Allows Spoofing SSL Servers
Vulnerability description | org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field.
CVE | 2014-3577
CVSS score | 5.8
Vulnerability present in version/s | 3.0-3.1
Found library version/s | 3.1
Vulnerability fixed in version | null
Library latest version | 3.1
Fix | null

CVE: 2020-15168 found in node-fetch - Version: 2.6.0 [JS]

Veracode Software Composition Analysis

Attribute | Details
Library | node-fetch
Description | A light-weight module that brings Fetch API to node.js
Language | JS
Vulnerability | Denial Of Service (DoS)
Vulnerability description | node-fetch is vulnerable to denial of service. The size option is not adhered to after following a redirect, which results in no FetchError being thrown and the process ending without failure when the content size is over the limit.
CVE | 2020-15168
CVSS score | 5
Vulnerability present in version/s | 2.0.0-2.6.0
Found library version/s | 2.6.0
Vulnerability fixed in version | 2.6.1
Library latest version | 3.0.0
Fix |