ontio-community / explorer-statistics Goto Github PK
View Code? Open in Web Editor NEWLicense: GNU Lesser General Public License v3.0
License: GNU Lesser General Public License v3.0
Below is a list of CRIT CVEs for explorer-statistics service. Most can be rectified by specifying fixed dep versions in a custom pom.xml
file, but unfortunately not org.springframework:spring-web
.
Here is the full list.
Total: 10 (CRITICAL: 10)
┌─────────────────────────────────────────────────────────────┬──────────────────┬──────────┬────────┬───────────────────┬────────────────┬────────────────────────────────────────────────────────────┐
│ Library │ Vulnerability │ Severity │ Status │ Installed Version │ Fixed Version │ Title │
├─────────────────────────────────────────────────────────────┼──────────────────┼──────────┼────────┼───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ com.github.pagehelper:pagehelper (app.jar) │ CVE-2022-28111 │ CRITICAL │ fixed │ 5.2.1 │ 5.3.1 │ MyBatis PageHelper vulnerable to time-blind SQL injection │
│ │ │ │ │ │ │ via orderBy parameter │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-28111 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ io.springfox:springfox-swagger-ui (app.jar) │ CVE-2019-17495 │ │ │ 2.9.2 │ 2.10.0 │ Cross-site scripting in Swagger-UI │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2019-17495 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ org.bouncycastle:bcprov-jdk15on (app.jar) │ CVE-2018-1000613 │ │ │ 1.59 │ 1.60 │ bouncycastle: lack of class checking in deserialization of │
│ │ │ │ │ │ │ XMSS/XMSS^MT private keys with... │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2018-1000613 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot (app.jar) │ CVE-2022-22965 │ │ │ 2.5.1 │ 2.5.12, 2.6.6 │ RCE via Data Binding on JDK 9+ │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22965 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ │ ├────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework.boot:spring-boot-actuator-autoconfigure │ CVE-2023-20873 │ │ │ │ 2.7.11, 3.0.6 │ Security Bypass With Wildcard Pattern Matching on Cloud │
│ (app.jar) │ │ │ │ │ │ Foundry │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2023-20873 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework:spring-beans (app.jar) │ CVE-2022-22965 │ │ │ 5.3.8 │ 5.2.20, 5.3.18 │ RCE via Data Binding on JDK 9+ │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22965 │
├─────────────────────────────────────────────────────────────┤ │ │ │ │ │ │
│ org.springframework:spring-core (app.jar) │ │ │ │ │ │ │
│ │ │ │ │ │ │ │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ │ ├────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework:spring-web (app.jar) │ CVE-2016-1000027 │ │ │ │ 6.0.0 │ spring: HttpInvokerServiceExporter readRemoteInvocation │
│ │ │ │ │ │ │ method untrusted java deserialization │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2016-1000027 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ │ ├────────────────┼────────────────────────────────────────────────────────────┤
│ org.springframework:spring-webmvc (app.jar) │ CVE-2022-22965 │ │ │ │ 5.2.20, 5.3.18 │ RCE via Data Binding on JDK 9+ │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-22965 │
├─────────────────────────────────────────────────────────────┼──────────────────┤ │ ├───────────────────┼────────────────┼────────────────────────────────────────────────────────────┤
│ org.yaml:snakeyaml (app.jar) │ CVE-2022-1471 │ │ │ 1.28 │ 2.0 │ Constructor Deserialization Remote Code Execution │
│ │ │ │ │ │ │ https://avd.aquasec.com/nvd/cve-2022-1471 │
└─────────────────────────────────────────────────────────────┴──────────────────┴──────────┴────────┴───────────────────┴────────────────┴────────────────────────────────────────────────────────────┘
Hey guys, we found the following critical CVE's;
OntStatistics:
CVE-2019-14379
CVE-2019-14540
CVE-2019-14892
CVE-2019-14893
CVE-2019-16335
CVE-2019-16942
CVE-2019-16943
CVE-2019-17267
CVE-2019-17531
CVE-2019-20330
CVE-2020-8840
CVE-2020-9546
CVE-2020-9547
CVE-2020-9548
CVE-2019-17495
CVE-2020-1938
Please help look into this. Thanks.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google ❤️ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.