ranajit-jana / camunda-camel-boot Goto Github PK

Vulnerable Library - spring-boot-starter-actuator-1.5.6.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

CVE-2017-5929

Vulnerable Libraries - logback-classic-1.1.11.jar, logback-core-1.1.11.jar

logback-classic-1.1.11.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • spring-boot-starter-logging-1.5.6.RELEASE.jar
      • ❌ logback-classic-1.1.11.jar (Vulnerable Library)

logback-core-1.1.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • spring-boot-starter-logging-1.5.6.RELEASE.jar
      • logback-classic-1.1.11.jar
        • ❌ logback-core-1.1.11.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.

Publish Date: 2017-03-13

URL: CVE-2017-5929

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929

Release Date: 2017-03-13

Fix Resolution (ch.qos.logback:logback-classic): 1.2.0

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2022-1471

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

SnakeYaml's Constructor() class does not restrict types which can be instantiated during deserialization. Deserializing yaml content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConsturctor when parsing untrusted content to restrict deserialization.

Publish Date: 2022-12-01

URL: CVE-2022-1471

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Step up your Open Source Security Game with Mend here

CVE-2022-27772

Vulnerable Library - spring-boot-1.5.6.RELEASE.jar

Spring Boot

Library home page: http://projects.spring.io/spring-boot/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/1.5.6.RELEASE/spring-boot-1.5.6.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ spring-boot-1.5.6.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to version v2.2.11.RELEASE was vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.

Publish Date: 2022-03-30

URL: CVE-2022-27772

CVSS 3 Score Details (7.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-cm59-pr5q-cw85

Release Date: 2022-03-30

Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.2.11.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-1272

Vulnerable Library - spring-core-4.3.10.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ spring-core-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack, where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could to lead privilege escalation, for example, if the part content represents a username or user roles.

Publish Date: 2018-04-06

URL: CVE-2018-1272

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2018-1272

Release Date: 2018-04-05

Fix Resolution (org.springframework:spring-core): 4.3.15.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 1.5.11.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2017-18640

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.

Publish Date: 2019-12-12

URL: CVE-2017-18640

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640

Release Date: 2019-12-12

Fix Resolution (org.yaml:snakeyaml): 1.26

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.3.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2022-25857

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The package org.yaml:snakeyaml from 0 and before 1.31 are vulnerable to Denial of Service (DoS) due missing to nested depth limitation for collections.

Publish Date: 2022-08-30

URL: CVE-2022-25857

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857

Release Date: 2022-08-30

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9

Step up your Open Source Security Game with Mend here

CVE-2021-42550

Vulnerable Libraries - logback-core-1.1.11.jar, logback-classic-1.1.11.jar

logback-core-1.1.11.jar

logback-core module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • spring-boot-starter-logging-1.5.6.RELEASE.jar
      • logback-classic-1.1.11.jar
        • ❌ logback-core-1.1.11.jar (Vulnerable Library)

logback-classic-1.1.11.jar

logback-classic module

Library home page: http://logback.qos.ch

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • spring-boot-starter-logging-1.5.6.RELEASE.jar
      • ❌ logback-classic-1.1.11.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configurations files could craft a malicious configuration allowing to execute arbitrary code loaded from LDAP servers.

Publish Date: 2021-12-16

URL: CVE-2021-42550

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=VE-2021-42550

Release Date: 2021-12-16

Fix Resolution (ch.qos.logback:logback-core): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.5.8

Fix Resolution (ch.qos.logback:logback-classic): 1.2.8

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.5.8

Step up your Open Source Security Game with Mend here

CVE-2022-41854

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.

Publish Date: 2022-11-11

URL: CVE-2022-41854

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/

Release Date: 2022-11-11

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9

Step up your Open Source Security Game with Mend here

CVE-2022-38752

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack-overflow.

Publish Date: 2022-09-05

URL: CVE-2022-38752

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-9w3m-gqgf-c4p9

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.32

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9

Step up your Open Source Security Game with Mend here

CVE-2022-38751

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38751

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9

Step up your Open Source Security Game with Mend here

CVE-2022-38749

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38749

CVSS 3 Score Details (6.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9

Step up your Open Source Security Game with Mend here

CVE-2022-38750

Vulnerable Library - snakeyaml-1.17.jar

YAML 1.1 parser and emitter for Java

Library home page: http://www.snakeyaml.org

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ snakeyaml-1.17.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stackoverflow.

Publish Date: 2022-09-05

URL: CVE-2022-38750

CVSS 3 Score Details (5.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027

Release Date: 2022-09-05

Fix Resolution (org.yaml:snakeyaml): 1.31

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9

Step up your Open Source Security Game with Mend here

CVE-2018-1199

Vulnerable Library - spring-core-4.3.10.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ spring-core-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.

Publish Date: 2018-03-16

URL: CVE-2018-1199

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199

Release Date: 2018-01-29

Fix Resolution (org.springframework:spring-core): 4.3.14.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 1.5.10.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2022-22970

Vulnerable Library - spring-core-4.3.10.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ spring-core-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.4.0

Step up your Open Source Security Game with Mend here

CVE-2021-22096

Vulnerable Library - spring-core-4.3.10.RELEASE.jar

Spring Core

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-actuator-1.5.6.RELEASE.jar (Root Library)
  • spring-boot-starter-1.5.6.RELEASE.jar
    • ❌ spring-core-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.

Publish Date: 2021-10-28

URL: CVE-2021-22096

CVSS 3 Score Details (4.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2021-22096

Release Date: 2021-10-28

Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.4.0

Step up your Open Source Security Game with Mend here

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

CVE-2017-3523

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).

Publish Date: 2017-04-24

URL: CVE-2017-3523

CVSS 3 Score Details (8.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-2xxh-f8r3-hvvr

Release Date: 2017-04-24

Fix Resolution: 5.1.41

Step up your Open Source Security Game with Mend here

CVE-2022-21363

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).

Publish Date: 2022-01-19

URL: CVE-2022-21363

CVSS 3 Score Details (6.6)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-g76j-4cxx-23h9

Release Date: 2022-01-19

Fix Resolution: mysql:mysql-connector-java:8.0.28

Step up your Open Source Security Game with Mend here

CVE-2017-3586

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3586

CVSS 3 Score Details (6.4)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406

Release Date: 2017-04-24

Fix Resolution: 5.1.42

Step up your Open Source Security Game with Mend here

CVE-2019-2692

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).

Publish Date: 2019-04-23

URL: CVE-2019-2692

CVSS 3 Score Details (6.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: GHSA-jcq3-cprp-m333

Release Date: 2019-04-23

Fix Resolution: 5.1.48

Step up your Open Source Security Game with Mend here

CVE-2020-2934

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2934

CVSS 3 Score Details (5.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://www.oracle.com/security-alerts/cpuapr2020.html

Release Date: 2020-04-15

Fix Resolution: 5.1.49

Step up your Open Source Security Game with Mend here

CVE-2020-2875

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).

Publish Date: 2020-04-15

URL: CVE-2020-2875

CVSS 3 Score Details (4.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2020-04-15

Fix Resolution: 5.1.49

Step up your Open Source Security Game with Mend here

CVE-2015-2575

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.

Publish Date: 2015-04-16

URL: CVE-2015-2575

CVSS 3 Score Details (4.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-gc43-g62c-99g2

Release Date: 2015-04-16

Fix Resolution: 5.1.35

Step up your Open Source Security Game with Mend here

CVE-2017-3589

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).

Publish Date: 2017-04-24

URL: CVE-2017-3589

CVSS 3 Score Details (3.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589

Release Date: 2017-04-24

Fix Resolution: 5.1.42

Step up your Open Source Security Game with Mend here

CVE-2020-2933

Vulnerable Library - mysql-connector-java-5.1.34.jar

MySQL JDBC Type 4 driver

Library home page: http://dev.mysql.com/doc/connector-j/en/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar

Dependency Hierarchy:

• ❌ mysql-connector-java-5.1.34.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).

Publish Date: 2020-04-15

URL: CVE-2020-2933

CVSS 3 Score Details (2.2)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: High
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING

Release Date: 2020-04-15

Fix Resolution: 5.1.49

Step up your Open Source Security Game with Mend here

Vulnerable Library - spring-boot-starter-web-1.5.6.RELEASE.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

CVE-2018-14721

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14721

CVSS 3 Score Details (10.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Changed
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-14540

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.

Publish Date: 2019-09-15

URL: CVE-2019-14540

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-17531

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.

Publish Date: 2019-10-12

URL: CVE-2019-17531

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531

Release Date: 2019-10-12

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2016-1000027

Vulnerable Library - spring-web-4.3.10.RELEASE.jar

Spring Web

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.10.RELEASE/spring-web-4.3.10.RELEASE.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ spring-web-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.

Publish Date: 2020-01-02

URL: CVE-2016-1000027

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-01-02

Fix Resolution (org.springframework:spring-web): 4.3.26.RELEASE

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2017-15095

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.

Publish Date: 2018-02-06

URL: CVE-2017-15095

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095

Release Date: 2017-06-27

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.10

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.7.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-14720

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-14720

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-16335

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.

Publish Date: 2019-09-15

URL: CVE-2019-16335

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-09-15

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-17267

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.

Publish Date: 2019-10-07

URL: CVE-2019-17267

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-10-07

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-11307

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.

Publish Date: 2019-07-09

URL: CVE-2018-11307

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2019-07-09

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.2

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.14.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-16942

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16942

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2020-8840

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.

Publish Date: 2020-02-10

URL: CVE-2020-8840

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-02-10

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-16943

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.

Publish Date: 2019-10-01

URL: CVE-2019-16943

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-19362

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19362

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-19361

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19361

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2018-19360

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.

Publish Date: 2019-01-02

URL: CVE-2018-19360

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360

Release Date: 2019-01-02

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE

Step up your Open Source Security Game with Mend here

CVE-2019-10202

Vulnerable Library - jackson-databind-2.8.9.jar

General data-binding functionality for Jackson: works on core streaming API

Library home page: http://github.com/FasterXML/jackson

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar

Dependency Hierarchy:

• spring-boot-starter-web-1.5.6.RELEASE.jar (Root Library)
  • ❌ jackson-databind-2.8.9.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A series of deserialization vulnerabilities have been discovered in Codehaus 1.9.x implemented in EAP 7. This CVE fixes CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873, CVE-2019-12086 reported for FasterXML jackson-databind by implementing a whitelist approach that will mitigate these vulnerabilities and future ones alike.

Publish Date: 2019-10-01

URL: CVE-2019-10202

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4

Release Date: 2019-10-01

Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.9

Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE

Step up your Open Source Security Game with Mend here

Vulnerable Library - camunda-bpm-spring-boot-starter-webapp-2.1.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

CVE-2022-23305

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23305

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2

Step up your Open Source Security Game with Mend here

CVE-2016-1000031

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution

Publish Date: 2016-10-25

URL: CVE-2016-1000031

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031

Release Date: 2016-10-25

Fix Resolution: 1.3.3

Step up your Open Source Security Game with Mend here

CVE-2019-17571

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.

Publish Date: 2019-12-20

URL: CVE-2019-17571

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E

Release Date: 2019-12-20

Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16

Step up your Open Source Security Game with Mend here

CVE-2020-9493

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.

Publish Date: 2021-06-16

URL: CVE-2020-9493

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1

Release Date: 2021-06-16

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2022-23307

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.

Publish Date: 2022-01-18

URL: CVE-2022-23307

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2022-23302

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2022-01-18

URL: CVE-2022-23302

CVSS 3 Score Details (8.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2022-01-18

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1

Step up your Open Source Security Game with Mend here

CVE-2016-3092

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.

Publish Date: 2016-07-04

URL: CVE-2016-3092

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092

Release Date: 2016-07-04

Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2

Step up your Open Source Security Game with Mend here

CVE-2023-24998

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.

Publish Date: 2023-02-20

URL: CVE-2023-24998

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://seclists.org/oss-sec/2023/q1/108

Release Date: 2023-02-20

Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5

Step up your Open Source Security Game with Mend here

CVE-2021-4104

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.

Publish Date: 2021-12-14

URL: CVE-2021-4104

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104

Release Date: 2021-12-14

Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module

Step up your Open Source Security Game with Mend here

WS-2014-0034

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The class FileUploadBase in Apache Commons Fileupload before 1.4 has potential resource leak - InputStream not closed on exception.

Publish Date: 2014-02-17

URL: WS-2014-0034

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Release Date: 2014-02-17

Fix Resolution: 1.4

Step up your Open Source Security Game with Mend here

CVE-2013-2186

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.

Publish Date: 2013-10-28

URL: CVE-2013-2186

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186

Release Date: 2013-10-28

Fix Resolution: commons-fileupload:commons-fileupload:1.3.1

Step up your Open Source Security Game with Mend here

CVE-2014-0050

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.

Publish Date: 2014-04-01

URL: CVE-2014-0050

CVSS 3 Score Details (7.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050

Release Date: 2014-03-28

Fix Resolution: 1.3.2

Step up your Open Source Security Game with Mend here

CVE-2013-0248

Vulnerable Library - commons-fileupload-1.2.2.jar

The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-webapp-7.6.0.war
      • camunda-engine-rest-core-7.6.0.jar
        • ❌ commons-fileupload-1.2.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.

Publish Date: 2013-03-15

URL: CVE-2013-0248

CVSS 3 Score Details (4.0)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Local
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: Low

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248

Release Date: 2013-03-15

Fix Resolution: 1.3

Step up your Open Source Security Game with Mend here

CVE-2020-9488

Vulnerable Library - log4j-1.2.13.jar

Log4j

Library home page: http://logging.apache.org/log4j/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar

Dependency Hierarchy:

• camunda-bpm-spring-boot-starter-webapp-2.1.2.jar (Root Library)
  • camunda-bpm-spring-boot-starter-webapp-core-2.1.2.jar
    • camunda-bpm-spring-boot-starter-2.1.2.jar
      • java-uuid-generator-3.1.2.jar
        • ❌ log4j-1.2.13.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1

Publish Date: 2020-04-27

URL: CVE-2020-9488

CVSS 3 Score Details (3.7)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: Low
  • Integrity Impact: None
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://reload4j.qos.ch/

Release Date: 2020-04-27

Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3

Step up your Open Source Security Game with Mend here

Vulnerable Library - camel-spring-boot-starter-2.19.2.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/camel/camel-core/2.19.2/camel-core-2.19.2.jar

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

CVE-2017-12633

Vulnerable Library - camel-core-2.19.2.jar

The Core Camel Java DSL based router

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/camel/camel-core/2.19.2/camel-core-2.19.2.jar

Dependency Hierarchy:

• camel-spring-boot-starter-2.19.2.jar (Root Library)
  • camel-core-starter-2.19.2.jar
    • ❌ camel-core-2.19.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to Java object de-serialisation vulnerability. De-serializing untrusted data can lead to security flaws.

Publish Date: 2017-11-15

URL: CVE-2017-12633

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12633

Release Date: 2017-11-15

Fix Resolution (org.apache.camel:camel-core): 2.19.4

Direct dependency fix Resolution (org.apache.camel:camel-spring-boot-starter): 2.19.4

Step up your Open Source Security Game with Mend here

Vulnerable Library - camunda-bpm-camel-spring-0.5.jar

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

CVE-2022-22965

Vulnerable Library - spring-beans-4.3.10.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar

Dependency Hierarchy:

• camunda-bpm-camel-spring-0.5.jar (Root Library)
  • ❌ spring-beans-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.

Publish Date: 2022-04-01

URL: CVE-2022-22965

CVSS 3 Score Details (9.8)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement

Release Date: 2022-04-01

Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18

Step up your Open Source Security Game with Mend here

CVE-2020-26945

Vulnerable Library - mybatis-3.2.8.jar

The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.

Library home page: http://www.mybatis.org/core/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.2.8/mybatis-3.2.8.jar

Dependency Hierarchy:

• camunda-bpm-camel-spring-0.5.jar (Root Library)
  • camunda-bpm-camel-common-0.5.jar
    • camunda-engine-7.6.0.jar
      • ❌ mybatis-3.2.8.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

MyBatis before 3.5.6 mishandles deserialization of object streams.

Publish Date: 2020-10-10

URL: CVE-2020-26945

CVSS 3 Score Details (8.1)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Release Date: 2020-10-26

Fix Resolution: org.mybatis:mybatis:3.5.6

Step up your Open Source Security Game with Mend here

CVE-2017-9801

Vulnerable Library - commons-email-1.2.jar

Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.

Library home page: http://commons.apache.org/email/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-email/1.2/commons-email-1.2.jar

Dependency Hierarchy:

• camunda-bpm-camel-spring-0.5.jar (Root Library)
  • camunda-bpm-camel-common-0.5.jar
    • camunda-engine-7.6.0.jar
      • ❌ commons-email-1.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.

Publish Date: 2017-08-07

URL: CVE-2017-9801

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801

Release Date: 2017-08-07

Fix Resolution (org.apache.commons:commons-email): 1.5

Direct dependency fix Resolution (org.camunda.bpm.extension.camel:camunda-bpm-camel-spring): 0.6

Step up your Open Source Security Game with Mend here

CVE-2018-1294

Vulnerable Library - commons-email-1.2.jar

Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.

Library home page: http://commons.apache.org/email/

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-email/1.2/commons-email-1.2.jar

Dependency Hierarchy:

• camunda-bpm-camel-spring-0.5.jar (Root Library)
  • camunda-bpm-camel-common-0.5.jar
    • camunda-engine-7.6.0.jar
      • ❌ commons-email-1.2.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data, that will be passed to Email.setBounceAddress(String).

Publish Date: 2018-03-20

URL: CVE-2018-1294

CVSS 3 Score Details (7.5)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: High
  • Availability Impact: None

Suggested Fix

Type: Upgrade version

Origin: GHSA-v7cm-w955-pj6g

Release Date: 2018-03-20

Fix Resolution: org.apache.commons:commons-email:1.5

Step up your Open Source Security Game with Mend here

CVE-2022-22970

Vulnerable Library - spring-beans-4.3.10.RELEASE.jar

Spring Beans

Library home page: https://github.com/spring-projects/spring-framework

Path to dependency file: /pom.xml

Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar

Dependency Hierarchy:

• camunda-bpm-camel-spring-0.5.jar (Root Library)
  • ❌ spring-beans-4.3.10.RELEASE.jar (Vulnerable Library)

Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d

Found in base branch: master

Vulnerability Details

In spring framework versions prior to 5.3.20+ , 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.

Publish Date: 2022-05-12

URL: CVE-2022-22970

CVSS 3 Score Details (5.3)

Base Score Metrics:

• Exploitability Metrics:
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: Low
  • User Interaction: None
  • Scope: Unchanged
• Impact Metrics:
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: High

Suggested Fix

Type: Upgrade version

Origin: https://tanzu.vmware.com/security/cve-2022-22970

Release Date: 2022-05-12

Fix Resolution: org.springframework:spring-beans:5.2.22,5.3.20;org.springframework:spring-core:5.2.22,5.3.20

Step up your Open Source Security Game with Mend here