lerer-veracode / verademo-java

License: MIT License
Attribute | Details |
---|---|
Library | Keycloak SAML Core |
Description | Keycloak SSO |
Language | JAVA |
Vulnerability | SAML Assertion Insertion |
Vulnerability description | Keycloak saml-core is vulnerable to malicious SAML assertion insertion. This vulnerability is due to the fact that the assertions are not verified as signed before being accepted. |
CVE | null |
CVSS score | 6.4 |
Vulnerability present in version/s | 1.1.0.Beta1-1.9.0.CR1 |
Found library version/s | 1.8.1.Final |
Vulnerability fixed in version | 1.9.0.Final |
Library latest version | 15.0.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | JUnit |
Description | JUnit is a unit testing framework for Java, created by Erich Gamma and Kent Beck. |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | junit is vulnerable to information disclosure. The vulnerability exists through the behaviour of TemporaryFolder on UNIX-like systems, where the system's temporary directory is shared between all users on that system by default. |
CVE | 2020-15250 |
CVSS score | 1.9 |
Vulnerability present in version/s | 4.11-beta-1-4.13 |
Found library version/s | 4.13 |
Vulnerability fixed in version | 4.13.1 |
Library latest version | 4.13.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | tomcat is vulnerable to denial of service. Re-use of an HTTP request header value from the previous stream received on an HTTP/2 connection for the request associated with the subsequent stream would most likely lead to an error and the closure of the HTTP/2 connection. It is also possible that information could leak between requests. |
CVE | 2020-17527 |
CVSS score | 5 |
Vulnerability present in version/s | 9.0.0.M1-9.0.39 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.40 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | apache tomcat is vulnerable to information disclosure. Security constraints can be bypassed to obtain and view JSP source code in certain configurations, when serving resources from a network location using the NTFS file system. The vulnerability is caused by the insufficient validation for the : character in the file path. |
CVE | 2021-24122 |
CVSS score | 4.3 |
Vulnerability present in version/s | 9.0.0.M1-9.0.39 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.40 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Log4j |
Description | Apache Log4j 1.2 |
Language | JAVA |
Vulnerability | Arbitrary Code Execution |
Vulnerability description | log4j-core is vulnerable to arbitrary code execution. Deserialization of untrusted data in TcpSocketServer and UdpSocketServer when listening for log data allows an attacker to execute arbitrary code via a malicious deserialization gadget. |
CVE | 2019-17571 |
CVSS score | 7.5 |
Vulnerability present in version/s | 1.1.3-1.2.17 |
Found library version/s | 1.2.17 |
Vulnerability fixed in version | |
Library latest version | 1.2.17 |
Fix | log4j:log4j 1.x is out of life. We recommend users to upgrade to the latest version of org.apache.logging.log4j:log4j-core |
Links:
Attribute | Details |
---|---|
Library | Apache Commons IO |
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. |
Language | JAVA |
Vulnerability | Directory Traversal |
Vulnerability description | commons-io is vulnerable to directory traversal. Invoking the method FilenameUtils.normalize with a malicious input string would potentially allow access to files within the parent directory. |
CVE | 2021-29425 |
CVSS score | 5 |
Vulnerability present in version/s | 2.2-2.6 |
Found library version/s | 2.4 |
Vulnerability fixed in version | 2.7 |
Library latest version | 2.11.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | HttpClient |
Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and prov |
Language | JAVA |
Vulnerability | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers |
Vulnerability description | http/conn/ssl/AbstractVerifier.java in Apache Commons HttpClient before 4.2.3 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. NOTE: this issue exists because of an incomplete fix for CVE-2012-5783. |
CVE | 2012-6153 |
CVSS score | 4.3 |
Vulnerability present in version/s | 3.0-3.1 |
Found library version/s | 3.1 |
Vulnerability fixed in version | null |
Library latest version | 3.1 |
Fix | null |
Links:
Attribute | Details |
---|---|
Library | Spring Web |
Description | Spring Web |
Language | JAVA |
Vulnerability | Privilege Escalation |
Vulnerability description | spring-web is vulnerable to privilege escalation. Creating or recreating the temporary storage directory creates multiple instances collision which allows a locally authenticated malicious user to read or modify files being uploaded or overwrite arbitrary files with multipart request data. |
CVE | 2021-22118 |
CVSS score | 4.6 |
Vulnerability present in version/s | 5.0.0.RELEASE-5.2.14.RELEASE |
Found library version/s | 5.2.7.RELEASE |
Vulnerability fixed in version | 5.2.15.RELEASE |
Library latest version | 5.3.10 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache XML Security for Java |
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver |
Language | JAVA |
Vulnerability | Spoofable XML Signature |
Vulnerability description | jcp/xml/dsig/internal/dom/DOMCanonicalizationMethod.java in Apache Santuario XML Security for Java 1.4.x before 1.4.8 and 1.5.x before 1.5.5 allows context-dependent attackers to spoof an XML Signature by using the CanonicalizationMethod parameter to specify an arbitrary weak canonicalization algorithm to apply to the SignedInfo part of the Signature. |
CVE | 2013-2172 |
CVSS score | 4.3 |
Vulnerability present in version/s | 1.5.0-1.5.4 |
Found library version/s | 1.5.1 |
Vulnerability fixed in version | 1.5.5 |
Library latest version | 2.2.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Plexus Archiver Component |
Description | The Plexus project provides a full software stack for creating and executing software projects. |
Language | JAVA |
Vulnerability | Arbitrary File Write |
Vulnerability description | Plexus Archiver Component is vulnerable to a zip-slip vulnerability. The vulnerability exists when the attacker supplies a malicious zip archive with filenames including path traversal sequences such as dot dot (..), leading to a concatenated file path that points outside the destination folder. |
CVE | 2018-1002200 |
CVSS score | 4.3 |
Vulnerability present in version/s | 1.0-alpha-3-2.4.4 |
Found library version/s | 1.0-alpha-3 |
Vulnerability fixed in version | 3.6 |
Library latest version | 4.2.5 |
Fix | null |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | apache tomcat is vulnerable to denial of service. The HTTP/1.1 processor is not released after an upgrade to HTTP/2, allowing an attacker to cause a denial of service condition due to an OutOfMemoryException by sending a large number of upgrade requests. |
CVE | 2020-13934 |
CVSS score | 5 |
Vulnerability present in version/s | 9.0.0.M6-9.0.36 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.37 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Commons Collections |
Description | The Apache Commons Collections package contains types that extend and augment the Java Collections Framework. |
Language | JAVA |
Vulnerability | Potential Remote Code Execution Via Java Object Deserialization |
Vulnerability description | Apache Commons includes a class called InvokerTransformer. An application is vulnerable to a deserialization attack if this class is available on the classpath and the application deserializes untrusted or user-supplied data. It's not necessary to actually use InvokerTransformer to be vulnerable. With these two criteria satisfied, an attacker may construct a gadget chain using classes in the component to execute arbitrary code. The chain relies on the class InvokerTransformer in the org.apache.commons.collections.functors package to invoke methods during the deserialization process. The fix prevents deserialization of InvokerTransformer by default unless it's specifically enabled. CVE-2015-4852, CVE-2015-6420, CVE-2015-7501, and CVE-2015-7450 are all related to this artifact. |
CVE | 2015-4852 |
CVSS score | 7.5 |
Vulnerability present in version/s | 4.0-4.0 |
Found library version/s | 4.0 |
Vulnerability fixed in version | 4.1 |
Library latest version | 4.4 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Sling API |
Description | The Apache Sling API defines an extension to the Servlet API 2.4 to provide access to content and unified access to request parameters hiding the differences between the different methods of transferr |
Language | JAVA |
Vulnerability | Multiple Cross-site Scripting (XSS) Vulnerabilities |
Vulnerability description | Multiple cross-site scripting (XSS) vulnerabilities in Apache Sling API before 2.2.2 and Apache Sling Servlets Post before 2.1.2 allow remote attackers to inject arbitrary web script or HTML via the URI, related to (1) org/apache/sling/api/servlets/HtmlResponse and (2) org/apache/sling/servlets/post/HtmlResponse. |
CVE | 2015-2944 |
CVSS score | 4.3 |
Vulnerability present in version/s | 0.0-2.2.1 |
Found library version/s | 2.0.2-incubator |
Vulnerability fixed in version | 2.2.2 |
Library latest version | 2.23.6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | jstl |
Description | null |
Language | JAVA |
Vulnerability | XML External Entity (XXE) Through An XSLT Extension |
Vulnerability description | Apache Standard Taglibs before 1.2.3 allows remote attackers to execute arbitrary code or conduct external XML entity (XXE) attacks via a crafted XSLT extension in a (1) <x:parse> or (2) <x:transform> JSTL XML tag. |
CVE | 2015-0254 |
CVSS score | 7.5 |
Vulnerability present in version/s | 1.0-1.2 |
Found library version/s | 1.2 |
Vulnerability fixed in version | |
Library latest version | 1.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Keycloak SAML Core |
Description | Keycloak SSO |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | keycloak-saml-core is vulnerable to sensitive information disclosure. The attack exists because SAML messages are parsed by the StaxParserUtil class with attribute values substituted from system properties. Therefore, an attacker can pass a chosen system property name through the SAML request ID field and receive the system property value back in the InResponseTo field of the response. |
CVE | 2017-2582 |
CVSS score | 4 |
Vulnerability present in version/s | 1.2.0.CR1-2.5.0.Final |
Found library version/s | 1.8.1.Final |
Vulnerability fixed in version | 2.5.1.Final |
Library latest version | 15.0.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Commons IO |
Description | The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more. |
Language | JAVA |
Vulnerability | Remote Code Execution (RCE) Via Java Object Deserialization |
Vulnerability description | commons-io is vulnerable to remote code execution (RCE) attacks. These attacks are possible because the library doesn't restrict the classes which can be accepted when deserializing a binary. |
CVE | null |
CVSS score | 5.1 |
Vulnerability present in version/s | 1.0-2.4 |
Found library version/s | 2.4 |
Vulnerability fixed in version | 2.5 |
Library latest version | 2.11.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | MySQL Connector/J |
Description | JDBC Type 4 driver for MySQL |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | mysql-connector-java is vulnerable to denial of service. When working with a load balancing setup, if the connection property loadBalanceStrategy was set to bestResponseTime and connections to all the hosts in the original setup failed, a denial of service condition will occur in Connector/J, even if newly-added hosts are available. |
CVE | 2020-2933 |
CVSS score | 3.5 |
Vulnerability present in version/s | 5.1.6-5.1.48 |
Found library version/s | 5.1.48 |
Vulnerability fixed in version | 5.1.49 |
Library latest version | 8.0.27 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache Commons FileUpload |
Description | The Apache Commons FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications. |
Language | JAVA |
Vulnerability | Remote Code Execution Via Serialization |
Vulnerability description | Apache Commons FileUpload is vulnerable to remote code execution via serialization. In Apache Commons FileUpload, a DiskFileItem is used to handle file uploads. DiskFileItem is serializable and implements custom writeObject() and readObject() functions. An attacker can modify the serialized data before it is deserialized, and write or copy files to disk in arbitrary locations. Furthermore, it's possible for an attacker to combine this vulnerability with the ysoserial tool to upload and execute binaries in a single deserialization call. |
CVE | 2016-1000031 |
CVSS score | 7.5 |
Vulnerability present in version/s | 1.1-1.3.2 |
Found library version/s | 1.3.2 |
Vulnerability fixed in version | 1.3.3 |
Library latest version | 1.4 |
Fix | Please apply the fix patch to your code. |
Links:
Attribute | Details |
---|---|
Library | @actions/core |
Description | Actions core lib |
Language | JS |
Vulnerability | Environment Variables Tampering |
Vulnerability description | @actions/core allows tampering of environment variables. The addPath and exportVariable functions that communicate with the Actions Runner over stdout allows the unauthorized modification of the path or environment variables. |
CVE | 2020-15228 |
CVSS score | 4 |
Vulnerability present in version/s | 1.0.0-1.2.5 |
Found library version/s | 1.2.4 |
Vulnerability fixed in version | 1.2.6 |
Library latest version | 1.6.0 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-websocket |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | apache tomcat is vulnerable to denial of service. An infinite loop occurs when invalid payload lengths are parsed. An attacker is able to cause a denial of service condition in the application via malicious WebSocket frames with invalid payload lengths. |
CVE | 2020-13935 |
CVSS score | 5 |
Vulnerability present in version/s | 9.0.0.M1-9.0.36 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.37 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Access Restriction Bypass |
Vulnerability description | tomcat-catalina is vulnerable to access restriction bypass. Lack of proper sanitization of user-provided parameters or of configuration data provided by an administrator could allow users to authenticate using variations of their user name and/or to bypass some of the protection provided by the LockOut Realm. |
CVE | 2021-30640 |
CVSS score | 5.8 |
Vulnerability present in version/s | 9.0.0.M1-9.0.45 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.46 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Keycloak SAML Core |
Description | Keycloak SSO |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | keycloak-saml-core is vulnerable to denial of service (DoS) attacks. The vulnerability exists due to the mishandling of a Logout request with an Extensions in the middle of the request. |
CVE | 2017-2646 |
CVSS score | 5 |
Vulnerability present in version/s | 1.2.0.CR1-2.5.4.Final |
Found library version/s | 1.8.1.Final |
Vulnerability fixed in version | 2.5.5.Final |
Library latest version | 15.0.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Remote Code Execution |
Vulnerability description | tomcat-catalina is vulnerable to remote code execution. If a remote attacker knows and is able to control the contents and name of a file, remote code execution can be achieved if the server is configured to use PersistenceManager with a FileStore and the PersistenceManager is configured with the default sessionAttributeValueClassNameFilter="null" , through a request that results in the deserialization of the malicious file under the attacker's control. This CVE is due to an incomplete fix for CVE-2020-9484. |
CVE | 2021-25329 |
CVSS score | 4.4 |
Vulnerability present in version/s | 9.0.0.M1-9.0.41 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.43 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Request Smuggling |
Vulnerability description | tomcat-coyote is vulnerable to request smuggling. Incorrect parsing of the HTTP transfer-encoding request header causes request smuggling when Tomcat is used with a reverse proxy and the client declared it would only accept an HTTP/1.0 response. |
CVE | 2021-33037 |
CVSS score | 5 |
Vulnerability present in version/s | 9.0.0.M1-9.0.47 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.48 |
Library latest version | 10.1.0-M6 |
Fix | Apply the fixes below. |
Links:
Attribute | Details |
---|---|
Library | MySQL Connector/J |
Description | JDBC Type 4 driver for MySQL |
Language | JAVA |
Vulnerability | Authorization Bypass |
Vulnerability description | mysql-connector-java is vulnerable to authorization bypass. A difficult-to-exploit vulnerability allows a high-privileged attacker to bypass authorization, compromise the MySQL connectors and obtain full control over the connectors. |
CVE | 2019-2692 |
CVSS score | 3.5 |
Vulnerability present in version/s | 2.0.14-8.0.15 |
Found library version/s | 5.1.48 |
Vulnerability fixed in version | 8.0.16 |
Library latest version | 8.0.27 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Spring Web |
Description | Spring Web |
Language | JAVA |
Vulnerability | Reflected File Download (RFD) Attack |
Vulnerability description | spring-web is vulnerable to Reflected File Download (RFD) attack. An incomplete fix of CVE-2015-5211 allows an attacker to bypass the protection against RFD attack via the jsessionid path parameter. |
CVE | 2020-5421 |
CVSS score | 3.6 |
Vulnerability present in version/s | 5.2.0.RELEASE-5.2.8.RELEASE |
Found library version/s | 5.2.7.RELEASE |
Vulnerability fixed in version | 5.2.9.RELEASE |
Library latest version | 5.3.10 |
Fix |
Links:
Attribute | Details |
---|---|
Library | jBCrypt |
Description | OpenBSD-style Blowfish password hashing for Java |
Language | JAVA |
Vulnerability | Information Disclosure Of Password Hashes Through Crypt_raw |
Vulnerability description | Integer overflow in the crypt_raw method in the key-stretching implementation in jBCrypt before 0.4 makes it easier for remote attackers to determine cleartext values of password hashes via a brute-force attack against hashes associated with the maximum exponent. |
CVE | 2015-0886 |
CVSS score | 5 |
Vulnerability present in version/s | 0.3m-0.3m |
Found library version/s | 0.3m |
Vulnerability fixed in version | 0.4 |
Library latest version | 0.4 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Apache XML Security for Java |
Description | Apache XML Security for Java supports XML-Signature Syntax and Processing, W3C Recommendation 12 February 2002, and XML Encryption Syntax and Processing, W3C Recommendation 10 December 2002. As of ver |
Language | JAVA |
Vulnerability | Denial Of Service (DoS) Memory Consumption |
Vulnerability description | Apache Santuario XML Security for Java before 1.5.6, when applying Transforms, allows remote attackers to cause a denial of service (memory consumption) via crafted Document Type Definitions (DTDs), related to signatures. |
CVE | 2013-4517 |
CVSS score | 4.3 |
Vulnerability present in version/s | 1.0-1.5.5 |
Found library version/s | 1.5.1 |
Vulnerability fixed in version | 1.5.6 |
Library latest version | 2.2.2 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | apache tomcat is vulnerable to information disclosure. The HTTP headers within a request can potentially be included in a subsequent request and reveal confidential information, when the agreed maximum number of concurrent streams for a connection is exceeded. |
CVE | 2020-13943 |
CVSS score | 4 |
Vulnerability present in version/s | 9.0.0.M1-9.0.37 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.38 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | tomcat-embed-core |
Description | Core Tomcat implementation |
Language | JAVA |
Vulnerability | Information Disclosure |
Vulnerability description | tomcat-coyote is vulnerable to information leakage. When responding to new h2c connection requests, a request mix-up occurs with h2c as the request headers and a limited amount of request body is duplicated from one request to another, resulting in the request being seen by another user. |
CVE | 2021-25122 |
CVSS score | 5 |
Vulnerability present in version/s | 9.0.0.M1-9.0.41 |
Found library version/s | 9.0.36 |
Vulnerability fixed in version | 9.0.43 |
Library latest version | 10.1.0-M6 |
Fix |
Links:
Attribute | Details |
---|---|
Library | Plexus Common Utilities |
Description | A collection of various utility classes to ease working with strings, files, command lines, XML and more. |
Language | JAVA |
Vulnerability | Command Line Shell Injection |
Vulnerability description | plexus-utils is vulnerable to command line shell injection. The library does not correctly quote the contents of double-quoted strings, allowing a malicious user to inject and execute arbitrary shell code. |
CVE | 2017-1000487 |
CVSS score | 7.5 |
Vulnerability present in version/s | 1.0.4-1.5 |
Found library version/s | 1.0.4 |
Vulnerability fixed in version | null |
Library latest version | 3.4.1 |
Fix | null |
Links:
Attribute | Details |
---|---|
Library | HttpClient |
Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and prov |
Language | JAVA |
Vulnerability | Man In The Middle (MitM) Attacks Are Possible With Spoofed SSL Servers |
Vulnerability description | The Apache Commons HTTPClient 3.x (as used in Amazon Flexible Payments Service FPS merchant Java SDK and other SDK products) does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate. |
CVE | 2012-5783 |
CVSS score | 5.8 |
Vulnerability present in version/s | 1.0-3.1 |
Found library version/s | 3.1 |
Vulnerability fixed in version | |
Library latest version | 3.1 |
Fix | The Apache HTTP client is now EOL and has been replaced by the Apache Commons library. The new group id is org.apache.httpcomponents and the new artifact id is httpclient. |
Links:
Attribute | Details |
---|---|
Library | HttpClient |
Description | The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and prov |
Language | JAVA |
Vulnerability | Improper Certificate Common Name Verification Allows Spoofing SSL Servers |
Vulnerability description | org.apache.http.conn.ssl.AbstractVerifier in Apache HttpComponents HttpClient before 4.3.5 and HttpAsyncClient before 4.0.2 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a "CN=" string in a field in the distinguished name (DN) of a certificate, as demonstrated by the "foo,CN=www.apache.org" string in the O field. |
CVE | 2014-3577 |
CVSS score | 5.8 |
Vulnerability present in version/s | 3.0-3.1 |
Found library version/s | 3.1 |
Vulnerability fixed in version | null |
Library latest version | 3.1 |
Fix | null |
Links:
Attribute | Details |
---|---|
Library | node-fetch |
Description | A light-weight module that brings Fetch API to node.js |
Language | JS |
Vulnerability | Denial Of Service (DoS) |
Vulnerability description | node-fetch is vulnerable to denial of service. The size option is not honored after following a redirect, so when the content size is over the limit no FetchError is thrown and the process ends without reporting a failure. |
CVE | 2020-15168 |
CVSS score | 5 |
Vulnerability present in version/s | 2.0.0-2.6.0 |
Found library version/s | 2.6.0 |
Vulnerability fixed in version | 2.6.1 |
Library latest version | 3.0.0 |
Fix |
Links: