ranajit-jana / camunda-camel-boot
This project forked from larbigj/camunda-camel-boot
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-actuator version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2017-5929 | High | 9.8 | detected in multiple dependencies | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2022-1471 | High | 9.8 | snakeyaml-1.17.jar | Transitive | N/A* | ❌ |
CVE-2022-27772 | High | 7.8 | spring-boot-1.5.6.RELEASE.jar | Transitive | 2.2.11.RELEASE | ❌ |
CVE-2018-1272 | High | 7.5 | spring-core-4.3.10.RELEASE.jar | Transitive | 1.5.11.RELEASE | ❌ |
CVE-2017-18640 | High | 7.5 | snakeyaml-1.17.jar | Transitive | 2.3.0.RELEASE | ❌ |
CVE-2022-25857 | High | 7.5 | snakeyaml-1.17.jar | Transitive | 2.6.9 | ❌ |
CVE-2021-42550 | Medium | 6.6 | detected in multiple dependencies | Transitive | 2.5.8 | ❌ |
CVE-2022-41854 | Medium | 6.5 | snakeyaml-1.17.jar | Transitive | 2.6.9 | ❌ |
CVE-2022-38752 | Medium | 6.5 | snakeyaml-1.17.jar | Transitive | 2.6.9 | ❌ |
CVE-2022-38751 | Medium | 6.5 | snakeyaml-1.17.jar | Transitive | 2.6.9 | ❌ |
CVE-2022-38749 | Medium | 6.5 | snakeyaml-1.17.jar | Transitive | 2.6.9 | ❌ |
CVE-2022-38750 | Medium | 5.5 | snakeyaml-1.17.jar | Transitive | 2.6.9 | ❌ |
CVE-2018-1199 | Medium | 5.3 | spring-core-4.3.10.RELEASE.jar | Transitive | 1.5.10.RELEASE | ❌ |
CVE-2022-22970 | Medium | 5.3 | spring-core-4.3.10.RELEASE.jar | Transitive | 2.4.0 | ❌ |
CVE-2021-22096 | Medium | 4.3 | spring-core-4.3.10.RELEASE.jar | Transitive | 2.4.0 | ❌ |
*For some transitive vulnerabilities, there is no version of the direct dependency that contains a fix. Check the "Details" section below to see whether there is a version of the transitive dependency in which the vulnerability is fixed.
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.jar
Dependency Hierarchy:
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
QOS.ch Logback before 1.2.0 has a serialization vulnerability affecting the SocketServer and ServerSocketReceiver components.
Publish Date: 2017-03-13
URL: CVE-2017-5929
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-5929
Release Date: 2017-03-13
Fix Resolution (ch.qos.logback:logback-classic): 1.2.0
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.0.0.RELEASE
Step up your Open Source Security Game with Mend here
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
SnakeYaml's Constructor() class does not restrict the types that can be instantiated during deserialization. Deserializing YAML content provided by an attacker can lead to remote code execution. We recommend using SnakeYaml's SafeConstructor when parsing untrusted content to restrict deserialization.
Publish Date: 2022-12-01
URL: CVE-2022-1471
Base Score Metrics:
Spring Boot
Library home page: http://projects.spring.io/spring-boot/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/boot/spring-boot/1.5.6.RELEASE/spring-boot-1.5.6.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
** UNSUPPORTED WHEN ASSIGNED ** spring-boot versions prior to v2.2.11.RELEASE were vulnerable to temporary directory hijacking. This vulnerability impacted the org.springframework.boot.web.server.AbstractConfigurableWebServerFactory.createTempDir method. NOTE: This vulnerability only affects products and/or versions that are no longer supported by the maintainer.
Publish Date: 2022-03-30
URL: CVE-2022-27772
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-cm59-pr5q-cw85
Release Date: 2022-03-30
Fix Resolution (org.springframework.boot:spring-boot): 2.2.11.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.2.11.RELEASE
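The temporary-directory hijacking described for CVE-2022-27772 comes from the create-a-file, delete-it, mkdir-under-the-same-name pattern: between the delete and the mkdir, any local user who can write to java.io.tmpdir can create the directory first, and the application then uses a directory it does not own. The following is an added example, not Spring Boot's source or this project's code; the class name TempDirHijack, the prefixes and the helper names are constructed for illustration. It shows the racy pattern next to an atomic, owner-only replacement and a check a practitioner can run against any directory the application is about to trust.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.Set;

public class TempDirHijack {

    /**
     * Vulnerable pattern (illustrative, not Spring Boot's exact source):
     * the name is reserved as a file, the file is removed, and a directory
     * is created under that name. Between delete() and mkdir() another
     * local user can create the directory; mkdir() then returns false,
     * which is ignored, and the caller keeps using an attacker-owned path.
     */
    static File createTempDirRacy(String prefix) throws IOException {
        File tempDir = File.createTempFile(prefix + ".", ".tmp");
        tempDir.delete();
        tempDir.mkdir(); // return value ignored: a pre-created directory goes unnoticed
        tempDir.deleteOnExit();
        return tempDir;
    }

    /**
     * Hardened: the directory is created atomically with a random name and
     * owner-only permissions, so nobody else can pre-create or enter it.
     * On a non-POSIX file system (e.g. Windows) the attribute is unsupported
     * and the default-permission variant is used instead.
     */
    static Path createTempDirSafe(String prefix) throws IOException {
        Set<PosixFilePermission> ownerOnly = PosixFilePermissions.fromString("rwx------");
        try {
            return Files.createTempDirectory(prefix + ".",
                    PosixFilePermissions.asFileAttribute(ownerOnly));
        } catch (UnsupportedOperationException e) {
            return Files.createTempDirectory(prefix + ".");
        }
    }

    /**
     * Refuse to use a directory that is a symlink, not a directory, owned by
     * someone else, or writable by group/others. Returns true when the
     * directory is private to the current user (or permissions cannot be
     * evaluated on this file system).
     */
    static boolean isPrivateDirectory(Path dir) throws IOException {
        if (Files.isSymbolicLink(dir) || !Files.isDirectory(dir)) {
            return false;
        }
        try {
            String owner = Files.getOwner(dir).getName();
            if (!owner.equals(System.getProperty("user.name"))) {
                return false;
            }
            Set<PosixFilePermission> perms = Files.getPosixFilePermissions(dir);
            return !perms.contains(PosixFilePermission.GROUP_WRITE)
                    && !perms.contains(PosixFilePermission.OTHERS_WRITE);
        } catch (UnsupportedOperationException e) {
            return true; // POSIX ownership/permissions not available here
        }
    }

    public static void main(String[] args) throws IOException {
        Path safe = createTempDirSafe("app");
        System.out.println(safe + " private=" + isPrivateDirectory(safe));
        Files.delete(safe);

        File racy = createTempDirRacy("app");
        System.out.println(racy + " private=" + isPrivateDirectory(racy.toPath()));
        racy.delete();
    }
}
```

Run on a shared host, the racy variant is the one to look for in code review: any `createTempFile` followed by `delete` and `mkdir` on the same `File`. `Files.createTempDirectory` creates the directory in one system call, and the explicit `rwx------` attribute does not depend on the process umask.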
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Spring Framework, versions 5.0 prior to 5.0.5 and versions 4.3 prior to 4.3.15 and older unsupported versions, provide client-side support for multipart requests. When a Spring MVC or Spring WebFlux server application (server A) receives input from a remote client, and then uses that input to make a multipart request to another server (server B), it can be exposed to an attack where an extra multipart is inserted in the content of the request from server A, causing server B to use the wrong value for a part it expects. This could lead to privilege escalation, for example, if the part content represents a username or user roles.
Publish Date: 2018-04-06
URL: CVE-2018-1272
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2018-1272
Release Date: 2018-04-05
Fix Resolution (org.springframework:spring-core): 4.3.15.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 1.5.11.RELEASE
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The Alias feature in SnakeYAML before 1.26 allows entity expansion during a load operation, a related issue to CVE-2003-1564.
Publish Date: 2019-12-12
URL: CVE-2017-18640
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-18640
Release Date: 2019-12-12
Fix Resolution (org.yaml:snakeyaml): 1.26
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.3.0.RELEASE
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The package org.yaml:snakeyaml before 1.31 is vulnerable to Denial of Service (DoS) because it has no nesting depth limitation for collections.
Publish Date: 2022-08-30
URL: CVE-2022-25857
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25857
Release Date: 2022-08-30
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9
logback-core module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-core/1.1.11/logback-core-1.1.11.jar
Dependency Hierarchy:
logback-classic module
Library home page: http://logback.qos.ch
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/ch/qos/logback/logback-classic/1.1.11/logback-classic-1.1.11.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
In logback version 1.2.7 and prior versions, an attacker with the required privileges to edit configuration files could craft a malicious configuration that executes arbitrary code loaded from LDAP servers.
Publish Date: 2021-12-16
URL: CVE-2021-42550
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-42550
Release Date: 2021-12-16
Fix Resolution (ch.qos.logback:logback-core): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.5.8
Fix Resolution (ch.qos.logback:logback-classic): 1.2.8
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.5.8
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Those using Snakeyaml to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow. This effect may support a denial of service attack.
Publish Date: 2022-11-11
URL: CVE-2022-41854
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/531/
Release Date: 2022-11-11
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38752
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-9w3m-gqgf-c4p9
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.32
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38751
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47039
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38749
Base Score Metrics:
Type: Upgrade version
Origin: https://bitbucket.org/snakeyaml/snakeyaml/issues/526/stackoverflow-oss-fuzz-47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9
YAML 1.1 parser and emitter for Java
Library home page: http://www.snakeyaml.org
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/yaml/snakeyaml/1.17/snakeyaml-1.17.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Using snakeYAML to parse untrusted YAML files may be vulnerable to Denial of Service attacks (DOS). If the parser is running on user supplied input, an attacker may supply content that causes the parser to crash by stack overflow.
Publish Date: 2022-09-05
URL: CVE-2022-38750
Base Score Metrics:
Type: Upgrade version
Origin: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=47027
Release Date: 2022-09-05
Fix Resolution (org.yaml:snakeyaml): 1.31
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.6.9
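The SnakeYAML findings above fall into two groups: CVE-2022-1471, where the default Constructor instantiates whatever class a `!!` tag names, and the resource-exhaustion issues (alias expansion in CVE-2017-18640, nesting depth in CVE-2022-25857 and the 2022-3875x stack-overflow reports) that the 1.26, 1.31 and 1.32 fix resolutions address with LoaderOptions limits. The following is an added example covering both groups; it is not part of the Mend report or of this project's code. It is written against the SnakeYAML 1.3x API that the fix resolutions point to (in 2.x the no-argument SafeConstructor and Representer constructors are gone and LoaderOptions is passed to the constructor instead). The class name SnakeYamlHardening, the YAML documents and the limit values are constructed for illustration.

```java
import org.yaml.snakeyaml.DumperOptions;
import org.yaml.snakeyaml.LoaderOptions;
import org.yaml.snakeyaml.Yaml;
import org.yaml.snakeyaml.constructor.SafeConstructor;
import org.yaml.snakeyaml.error.YAMLException;
import org.yaml.snakeyaml.representer.Representer;

public class SnakeYamlHardening {

    // Constructed sample: a tag naming an arbitrary JDK class. The default
    // Constructor resolves it and calls the matching one-argument constructor,
    // so an attacker chooses which class gets instantiated (CVE-2022-1471).
    static final String TYPED_DOC = "!!java.net.URL [\"http://example.invalid/\"]";

    // Constructed sample: alias expansion in the CVE-2017-18640 style. Each
    // level references the previous one ten times, so the in-memory size
    // grows exponentially with the number of lines.
    static final String ALIAS_DOC =
            "a: &a [x, x, x, x, x, x, x, x, x, x]\n"
          + "b: &b [*a, *a, *a, *a, *a, *a, *a, *a, *a, *a]\n"
          + "c: &c [*b, *b, *b, *b, *b, *b, *b, *b, *b, *b]\n"
          + "d: [*c, *c, *c, *c, *c, *c, *c, *c, *c, *c]\n";

    // Constructed sample: 200 nested flow sequences, the shape behind the
    // nesting-depth and stack-overflow reports (CVE-2022-25857 and friends).
    static final String DEEP_DOC = nested(200);

    static String nested(int depth) {
        StringBuilder sb = new StringBuilder();
        for (int i = 0; i < depth; i++) sb.append('[');
        sb.append('x');
        for (int i = 0; i < depth; i++) sb.append(']');
        return sb.toString();
    }

    /** Vulnerable: new Yaml() uses Constructor, which trusts type tags in the document. */
    static Object loadUnsafe(String doc) {
        return new Yaml().load(doc);
    }

    /**
     * Hardened: SafeConstructor only builds the standard YAML types (maps,
     * lists, scalars) and rejects any other tag; the LoaderOptions bound
     * alias expansion, nesting depth and total input size.
     */
    static Object loadSafe(String doc) {
        LoaderOptions opts = new LoaderOptions();
        opts.setAllowDuplicateKeys(false);
        opts.setMaxAliasesForCollections(20);  // SnakeYAML >= 1.26
        opts.setNestingDepthLimit(50);         // SnakeYAML >= 1.31
        opts.setCodePointLimit(1024 * 1024);   // SnakeYAML >= 1.32, caps input at 1 MiB
        Yaml yaml = new Yaml(new SafeConstructor(), new Representer(), new DumperOptions(), opts);
        return yaml.load(doc);
    }

    /** Describes the outcome of loading one document with the hardened parser. */
    static String describeSafeLoad(String label, String doc) {
        try {
            Object value = loadSafe(doc);
            return label + ": loaded " + value.getClass().getName();
        } catch (YAMLException e) {
            // ConstructorException (unknown tag) and the limit violations
            // all extend YAMLException, so one catch covers every rejection.
            return label + ": rejected, " + e.getMessage();
        }
    }

    public static void main(String[] args) {
        // Default constructor: the document decides which class is instantiated.
        Object unsafe = loadUnsafe(TYPED_DOC);
        System.out.println("unsafe: instantiated " + unsafe.getClass().getName());

        System.out.println(describeSafeLoad("typed", TYPED_DOC));
        System.out.println(describeSafeLoad("aliases", ALIAS_DOC));
        System.out.println(describeSafeLoad("deep", DEEP_DOC));
        System.out.println(describeSafeLoad("benign", "server:\n  port: 8080\n"));
    }
}
```

Only the benign document loads through the hardened path; the typed document fails in SafeConstructor with "could not determine a constructor for the tag", and the alias and nesting documents are refused by the limits before the object graph is built. Note that raising the Spring Boot starter alone does not reach the N/A* finding in the table: SafeConstructor is an application-level choice, and any code in the project that calls `new Yaml()` on input it did not write itself needs this change regardless of the library version.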
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Spring Security (Spring Security 4.1.x before 4.1.5, 4.2.x before 4.2.4, and 5.0.x before 5.0.1; and Spring Framework 4.3.x before 4.3.14 and 5.0.x before 5.0.3) does not consider URL path parameters when processing security constraints. By adding a URL path parameter with special encodings, an attacker may be able to bypass a security constraint. The root cause of this issue is a lack of clarity regarding the handling of path parameters in the Servlet Specification. Some Servlet containers include path parameters in the value returned for getPathInfo() and some do not. Spring Security uses the value returned by getPathInfo() as part of the process of mapping requests to security constraints. In this particular attack, different character encodings used in path parameters allows secured Spring MVC static resource URLs to be bypassed.
Publish Date: 2018-03-16
URL: CVE-2018-1199
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1199
Release Date: 2018-01-29
Fix Resolution (org.springframework:spring-core): 4.3.14.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 1.5.10.RELEASE
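The CVE-2018-1199 text makes a point that outlives this particular fix: Servlet containers disagree on whether `getPathInfo()` still contains path parameters (`;name=value` segments), so any access rule evaluated against a container-normalized path can be bypassed by a request the container normalizes differently than the matcher expects. The practical defense is to reject ambiguous request URIs before any pattern matching happens, which is what Spring Security's StrictHttpFirewall does by default. The following is an added example modelled on that deny-list, not Spring Security's source or this project's code; the class name PathParameterFirewall and the sample URIs are constructed for illustration. It is meant to be applied to `HttpServletRequest.getRequestURI()`, which the container does not decode.

```java
import java.util.Arrays;
import java.util.List;

public class PathParameterFirewall {

    // Literal or encoded forms that let a path parameter, an encoded slash or
    // an encoded dot reach the matcher in a shape the container may or may not
    // strip. Modelled on StrictHttpFirewall's default rejected substrings.
    private static final List<String> FORBIDDEN = Arrays.asList(
            ";", "%3b", "%3B",            // path parameter separator
            "%2e", "%2E",                 // encoded '.'
            "%2f", "%2F", "%5c", "%5C",   // encoded '/' and '\'
            "//", "\\"                    // empty segments and backslashes
    );

    /** True when no path segment is "." or ".." (i.e. the path is already normalized). */
    static boolean isNormalized(String path) {
        for (String segment : path.split("/", -1)) {
            if (segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    /**
     * Decides whether a raw request URI may proceed to authorization
     * matching. Anything that could be normalized differently by the
     * container and the matcher is rejected outright rather than cleaned,
     * because a "cleaned" path would still be handed to the servlet as sent.
     */
    static boolean isAllowed(String requestUri) {
        if (requestUri == null || requestUri.isEmpty()) {
            return false;
        }
        for (String token : FORBIDDEN) {
            if (requestUri.contains(token)) {
                return false;
            }
        }
        return isNormalized(requestUri);
    }

    public static void main(String[] args) {
        // Constructed sample request URIs (path component only, undecoded).
        String[] samples = {
                "/resources/app.js",                      // allowed
                "/resources;jsessionid=abc/app.js",       // path parameter
                "/resources/%2e%2e/WEB-INF/web.xml",      // encoded traversal
                "/resources/../admin/users",              // literal traversal
                "/resources//app.js",                     // empty segment
                "/admin%2fusers",                         // encoded slash
        };
        for (String uri : samples) {
            System.out.println((isAllowed(uri) ? "allow  " : "reject ") + uri);
        }
    }
}
```

Of the six samples only the first is allowed. Rejecting, rather than rewriting, is deliberate: a filter that strips `;jsessionid=...` and then matches the cleaned path still forwards the original URI to the servlet, and it is that original URI whose interpretation differs between containers.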
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
In Spring Framework versions prior to 5.3.20 and 5.2.22, and in old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part on a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution (org.springframework:spring-core): 5.2.22.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.4.0
Spring Core
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-core/4.3.10.RELEASE/spring-core-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
In Spring Framework versions 5.3.0 - 5.3.10, 5.2.0 - 5.2.17, and older unsupported versions, it is possible for a user to provide malicious input to cause the insertion of additional log entries.
Publish Date: 2021-10-28
URL: CVE-2021-22096
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2021-22096
Release Date: 2021-10-28
Fix Resolution (org.springframework:spring-core): 5.2.18.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-actuator): 2.4.0
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
CVE | Severity | CVSS | Dependency | Type | Fixed in (mysql-connector-java version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2017-3523 | High | 8.5 | mysql-connector-java-5.1.34.jar | Direct | 5.1.41 | ❌ |
CVE-2022-21363 | Medium | 6.6 | mysql-connector-java-5.1.34.jar | Direct | 8.0.28 | ❌ |
CVE-2017-3586 | Medium | 6.4 | mysql-connector-java-5.1.34.jar | Direct | 5.1.42 | ❌ |
CVE-2019-2692 | Medium | 6.3 | mysql-connector-java-5.1.34.jar | Direct | 5.1.48 | ❌ |
CVE-2020-2934 | Medium | 5.0 | mysql-connector-java-5.1.34.jar | Direct | 5.1.49 | ❌ |
CVE-2020-2875 | Medium | 4.7 | mysql-connector-java-5.1.34.jar | Direct | 5.1.49 | ❌ |
CVE-2015-2575 | Medium | 4.2 | mysql-connector-java-5.1.34.jar | Direct | 5.1.35 | ❌ |
CVE-2017-3589 | Low | 3.3 | mysql-connector-java-5.1.34.jar | Direct | 5.1.42 | ❌ |
CVE-2020-2933 | Low | 2.2 | mysql-connector-java-5.1.34.jar | Direct | 5.1.49 | ❌ |
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.40 and earlier. Difficult to exploit vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 8.5 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H).
Publish Date: 2017-04-24
URL: CVE-2017-3523
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-2xxh-f8r3-hvvr
Release Date: 2017-04-24
Fix Resolution: 5.1.41
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.27 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.1 Base Score 6.6 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H).
Publish Date: 2022-01-19
URL: CVE-2022-21363
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-g76j-4cxx-23h9
Release Date: 2022-01-19
Fix Resolution: mysql:mysql-connector-java:8.0.28
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with network access via multiple protocols to compromise MySQL Connectors. While the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 6.4 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3586
Base Score Metrics:
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1444406
Release Date: 2017-04-24
Fix Resolution: 5.1.42
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 8.0.15 and prior. Difficult to exploit vulnerability allows high privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in takeover of MySQL Connectors. CVSS 3.0 Base Score 6.3 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:U/C:H/I:H/A:H).
Publish Date: 2019-04-23
URL: CVE-2019-2692
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-jcq3-cprp-m333
Release Date: 2019-04-23
Fix Resolution: 5.1.48
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.19 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data and unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 5.0 (Confidentiality, Integrity and Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2934
Base Score Metrics:
Type: Upgrade version
Origin: https://www.oracle.com/security-alerts/cpuapr2020.html
Release Date: 2020-04-15
Fix Resolution: 5.1.49
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 8.0.14 and prior and 5.1.48 and prior. Difficult to exploit vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks require human interaction from a person other than the attacker and while the vulnerability is in MySQL Connectors, attacks may significantly impact additional products. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data as well as unauthorized read access to a subset of MySQL Connectors accessible data. CVSS 3.0 Base Score 4.7 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N).
Publish Date: 2020-04-15
URL: CVE-2020-2875
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-04-15
Fix Resolution: 5.1.49
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Unspecified vulnerability in the MySQL Connectors component in Oracle MySQL 5.1.34 and earlier allows remote authenticated users to affect confidentiality and integrity via unknown vectors related to Connector/J.
Publish Date: 2015-04-16
URL: CVE-2015-2575
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-gc43-g62c-99g2
Release Date: 2015-04-16
Fix Resolution: 5.1.35
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors component of Oracle MySQL (subcomponent: Connector/J). Supported versions that are affected are 5.1.41 and earlier. Easily "exploitable" vulnerability allows low privileged attacker with logon to the infrastructure where MySQL Connectors executes to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized update, insert or delete access to some of MySQL Connectors accessible data. CVSS 3.0 Base Score 3.3 (Integrity impacts). CVSS Vector: (CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N).
Publish Date: 2017-04-24
URL: CVE-2017-3589
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-3589
Release Date: 2017-04-24
Fix Resolution: 5.1.42
MySQL JDBC Type 4 driver
Library home page: http://dev.mysql.com/doc/connector-j/en/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/mysql/mysql-connector-java/5.1.34/mysql-connector-java-5.1.34.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Vulnerability in the MySQL Connectors product of Oracle MySQL (component: Connector/J). Supported versions that are affected are 5.1.48 and prior. Difficult to exploit vulnerability allows high privileged attacker with network access via multiple protocols to compromise MySQL Connectors. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of MySQL Connectors. CVSS 3.0 Base Score 2.2 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:N/I:N/A:L).
Publish Date: 2020-04-15
URL: CVE-2020-2933
Base Score Metrics:
Type: Upgrade version
Origin: https://docs.oracle.com/javase/7/docs/api/javax/xml/XMLConstants.html#FEATURE_SECURE_PROCESSING
Release Date: 2020-04-15
Fix Resolution: 5.1.49
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
CVE | Severity | CVSS | Dependency | Type | Fixed in (spring-boot-starter-web version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2018-14721 | High | 10.0 | jackson-databind-2.8.9.jar | Transitive | 1.5.18.RELEASE | ❌ |
CVE-2019-14540 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-17531 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2016-1000027 | High | 9.8 | spring-web-4.3.10.RELEASE.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2017-15095 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.7.RELEASE | ❌ |
CVE-2018-14720 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.18.RELEASE | ❌ |
CVE-2019-16335 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-17267 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-11307 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.14.RELEASE | ❌ |
CVE-2019-16942 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-8840 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-16943 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-19362 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.18.RELEASE | ❌ |
CVE-2018-19361 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.18.RELEASE | ❌ |
CVE-2018-19360 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.18.RELEASE | ❌ |
CVE-2019-10202 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.1.6.RELEASE | ❌ |
CVE-2019-14893 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-14892 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-9546 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2017-17485 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.11.RELEASE | ❌ |
CVE-2019-14379 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-9547 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-9548 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-20330 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-14719 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-14718 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.18.RELEASE | ❌ |
CVE-2018-8014 | High | 9.8 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.15.RELEASE | ❌ |
CVE-2018-7489 | High | 9.8 | jackson-databind-2.8.9.jar | Transitive | 1.5.11.RELEASE | ❌ |
CVE-2020-10968 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-10969 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-11111 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-11113 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-11112 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-10672 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-10673 | High | 8.8 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2019-0232 | High | 8.1 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.21.RELEASE | ❌ |
CVE-2017-12617 | High | 8.1 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.8.RELEASE | ❌ |
CVE-2020-11619 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36189 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36188 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-11620 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-10650 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36181 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36180 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36183 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36182 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2018-5968 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 1.5.11.RELEASE | ❌ |
CVE-2020-36185 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36184 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36187 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36186 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2021-20190 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-36179 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.2.0.RELEASE | ❌ |
CVE-2020-24616 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-14060 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-14061 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-14062 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-24750 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2020-14195 | High | 8.1 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-12086 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-0199 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.20.RELEASE | ❌ |
CVE-2018-12022 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 1.5.14.RELEASE | ❌ |
CVE-2018-12023 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 1.5.14.RELEASE | ❌ |
CVE-2019-10072 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.22.RELEASE | ❌ |
CVE-2019-14439 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-8034 | High | 7.5 | tomcat-embed-websocket-8.5.16.jar | Transitive | 1.5.15.RELEASE | ❌ |
CVE-2021-25122 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2021-41079 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2018-11040 | High | 7.5 | detected in multiple dependencies | Transitive | 1.5.14.RELEASE | ❌ |
CVE-2018-15756 | High | 7.5 | spring-web-4.3.10.RELEASE.jar | Transitive | 1.5.17.RELEASE | ❌ |
CVE-2022-42004 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 2.6.0 | ❌ |
CVE-2022-42003 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 2.6.0 | ❌ |
CVE-2019-17563 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2020-36518 | High | 7.5 | jackson-databind-2.8.9.jar | Transitive | 2.6.0 | ❌ |
CVE-2020-13934 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2020-13935 | High | 7.5 | tomcat-embed-websocket-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2022-42252 | High | 7.5 | tomcat-embed-core-8.5.16.jar | Transitive | N/A* | ❌ |
CVE-2017-7536 | High | 7.0 | hibernate-validator-5.3.5.Final.jar | Transitive | 1.5.9.RELEASE | ❌ |
CVE-2020-9484 | High | 7.0 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2021-25329 | High | 7.0 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2022-22950 | Medium | 6.5 | spring-expression-4.3.10.RELEASE.jar | Transitive | 2.4.0 | ❌ |
CVE-2020-5421 | Medium | 6.5 | spring-web-4.3.10.RELEASE.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2019-0221 | Medium | 6.1 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.21.RELEASE | ❌ |
CVE-2018-1271 | Medium | 5.9 | spring-webmvc-4.3.10.RELEASE.jar | Transitive | 1.5.11.RELEASE | ❌ |
CVE-2019-12814 | Medium | 5.9 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-8037 | Medium | 5.9 | tomcat-embed-core-8.5.16.jar | Transitive | 1.5.15.RELEASE | ❌ |
CVE-2019-12384 | Medium | 5.9 | jackson-databind-2.8.9.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2018-11039 | Medium | 5.9 | spring-web-4.3.10.RELEASE.jar | Transitive | 1.5.14.RELEASE | ❌ |
CVE-2021-24122 | Medium | 5.9 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2020-10693 | Medium | 5.3 | hibernate-validator-5.3.5.Final.jar | Transitive | 2.0.0.RELEASE | ❌ |
CVE-2021-33037 | Medium | 5.3 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2020-1935 | Medium | 4.8 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2020-13943 | Medium | 4.3 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
CVE-2021-22096 | Medium | 4.3 | detected in multiple dependencies | Transitive | 2.4.0 | ❌ |
CVE-2021-43980 | Low | 3.7 | tomcat-embed-core-8.5.16.jar | Transitive | 2.1.0.RELEASE | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Partial details (16 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.7 might allow remote attackers to conduct server-side request forgery (SSRF) attacks by leveraging failure to block the axis2-jaxws class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14721
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14721
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE
Step up your Open Source Security Game with Mend here
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariConfig.
Publish Date: 2019-09-15
URL: CVE-2019-14540
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14540
Release Date: 2019-09-15
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the apache-log4j-extra (version 1.2.x) jar in the classpath, and an attacker can provide a JNDI service to access, it is possible to make the service execute a malicious payload.
Publish Date: 2019-10-12
URL: CVE-2019-17531
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-17531
Release Date: 2019-10-12
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.10.1
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.2.0.RELEASE
Spring Web
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-web/4.3.10.RELEASE/spring-web-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Pivotal Spring Framework through 5.3.16 suffers from a potential remote code execution (RCE) issue if used for Java deserialization of untrusted data. Depending on how the library is implemented within a product, this issue may or may not occur, and authentication may be required. NOTE: the vendor's position is that untrusted data is not an intended use case. The product's behavior will not be changed because some users rely on deserialization of trusted data.
Publish Date: 2020-01-02
URL: CVE-2016-1000027
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-01-02
Fix Resolution (org.springframework:spring-web): 4.3.26.RELEASE
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A deserialization flaw was discovered in the jackson-databind in versions before 2.8.10 and 2.9.1, which could allow an unauthenticated user to perform code execution by sending the maliciously crafted input to the readValue method of the ObjectMapper. This issue extends the previous flaw CVE-2017-7525 by blacklisting more classes that could be used maliciously.
Publish Date: 2018-02-06
URL: CVE-2017-15095
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2017-15095
Release Date: 2017-06-27
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.10
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.7.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.7 might allow attackers to conduct external XML entity (XXE) attacks by leveraging failure to block unspecified JDK classes from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-14720
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2018-14720
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to com.zaxxer.hikari.HikariDataSource. This is a different vulnerability than CVE-2019-14540.
Publish Date: 2019-09-15
URL: CVE-2019-16335
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-09-15
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind before 2.9.10. It is related to net.sf.ehcache.hibernate.EhcacheJtaTransactionManagerLookup.
Publish Date: 2019-10-07
URL: CVE-2019-17267
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-10-07
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
An issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.5. Use of Jackson default typing along with a gadget class from iBatis allows exfiltration of content. Fixed in 2.7.9.4, 2.8.11.2, and 2.9.6.
Publish Date: 2019-07-09
URL: CVE-2018-11307
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-07-09
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.2
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.14.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the commons-dbcp (1.4) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of org.apache.commons.dbcp.datasources.SharedPoolDataSource and org.apache.commons.dbcp.datasources.PerUserPoolDataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16942
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16942
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
FasterXML jackson-databind 2.0.0 through 2.9.10.2 lacks certain xbean-reflect/JNDI blocking, as demonstrated by org.apache.xbean.propertyeditor.JndiConverter.
Publish Date: 2020-02-10
URL: CVE-2020-8840
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-02-10
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Polymorphic Typing issue was discovered in FasterXML jackson-databind 2.0.0 through 2.9.10. When Default Typing is enabled (either globally or for a specific property) for an externally exposed JSON endpoint and the service has the p6spy (3.8.6) jar in the classpath, and an attacker can find an RMI service endpoint to access, it is possible to make the service execute a malicious payload. This issue exists because of com.p6spy.engine.spy.P6DataSource mishandling.
Publish Date: 2019-10-01
URL: CVE-2019-16943
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16943
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.5
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.0.0.RELEASE
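The descriptions of CVE-2019-17531, CVE-2019-16942 and CVE-2019-16943 above, and most of the other jackson-databind rows in the table, share one precondition: the application has enabled Default Typing, so the JSON itself names the class to instantiate, and each CVE is one more gadget class that the blocklist did not yet cover. The following is an added example, not code from this project or from Jackson, showing the legacy configuration beside the hardened one. It assumes jackson-databind 2.10 or later for `BasicPolymorphicTypeValidator` and `JsonMapper` (the 2.8.9 jar in this report has neither), uses `java.util.Date` as a harmless stand-in for a gadget class, and treats the `com.example.model.` package prefix as a placeholder for the application's own model package.

```java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.exc.InvalidTypeIdException;
import com.fasterxml.jackson.databind.json.JsonMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

public class DefaultTypingDemo {

    // Constructed payload standing in for attacker-controlled JSON. With default typing
    // the first array element is a class name; java.util.Date is used here only because
    // it is harmless and non-final. A real attack names a gadget class on the classpath.
    static final String PAYLOAD = "[\"java.util.Date\", 0]";

    // Legacy configuration as found in jackson-databind 2.8.x code bases: any non-final
    // class named in the JSON is instantiated (the method is deprecated since 2.10).
    static ObjectMapper legacyMapper() {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping(ObjectMapper.DefaultTyping.NON_FINAL);
        return mapper;
    }

    // Hardened configuration (jackson-databind 2.10+): default typing still works, but
    // only base types and subtypes under the allowlisted package prefix resolve.
    // "com.example.model." is a placeholder for the application's own model package.
    static ObjectMapper hardenedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
                .allowIfBaseType("com.example.model.")
                .allowIfSubType("com.example.model.")
                .build();
        return JsonMapper.builder()
                .activateDefaultTyping(ptv, ObjectMapper.DefaultTyping.NON_FINAL)
                .build();
    }

    // Returns the class the mapper was talked into instantiating, or null if it refused.
    static Class<?> classInstantiatedBy(ObjectMapper mapper) throws Exception {
        try {
            return mapper.readValue(PAYLOAD, Object.class).getClass();
        } catch (InvalidTypeIdException e) {
            // The validator rejected "java.util.Date" as a subtype of Object.
            return null;
        }
    }

    public static void main(String[] args) throws Exception {
        System.out.println("legacy mapper instantiated:   " + classInstantiatedBy(legacyMapper()));
        System.out.println("hardened mapper instantiated: " + classInstantiatedBy(hardenedMapper()));
    }
}
```

Running it prints `class java.util.Date` for the legacy mapper and `null` for the hardened one. Two practical checks follow from this: grep the code base for `enableDefaultTyping` and for `@JsonTypeInfo(use = JsonTypeInfo.Id.CLASS)` on `Object`- or interface-typed fields, because without one of those the gadget-class CVEs above are not reachable through Jackson; and treat the jar upgrade and the validator as complementary, since the 2.8.11.x and 2.9.x fix versions quoted in this report only extend a blocklist of known gadgets, whereas an allowlist validator removes the class of bug.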
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the jboss-common-core class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19362
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19362
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the openjpa class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19361
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19361
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
FasterXML jackson-databind 2.x before 2.9.8 might allow attackers to have unspecified impact by leveraging failure to block the axis2-transport-jms class from polymorphic deserialization.
Publish Date: 2019-01-02
URL: CVE-2018-19360
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19360
Release Date: 2019-01-02
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.8.11.3
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 1.5.18.RELEASE
General data-binding functionality for Jackson: works on core streaming API
Library home page: http://github.com/FasterXML/jackson
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/fasterxml/jackson/core/jackson-databind/2.8.9/jackson-databind-2.8.9.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A series of deserialization vulnerabilities have been discovered in Codehaus jackson-mapper-asl 1.9.x as shipped in Red Hat JBoss EAP 7. This CVE covers CVE-2017-17485, CVE-2017-7525, CVE-2017-15095, CVE-2018-5968, CVE-2018-7489, CVE-2018-1000873 and CVE-2019-12086, originally reported against FasterXML jackson-databind, by implementing a whitelist approach that mitigates these vulnerabilities and future ones alike.
Publish Date: 2019-10-01
URL: CVE-2019-10202
Base Score Metrics:
Type: Upgrade version
Origin: https://lists.apache.org/thread/08302h5kp2l9ry2zq8vydomlhn0fg4j4
Release Date: 2019-10-01
Fix Resolution (com.fasterxml.jackson.core:jackson-databind): 2.9.9
Direct dependency fix Resolution (org.springframework.boot:spring-boot-starter-web): 2.1.6.RELEASE
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
CVE | Severity | CVSS | Dependency | Type | Fixed in (camunda-bpm-spring-boot-starter-webapp version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-23305 | High | 9.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
CVE-2016-1000031 | High | 9.8 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2019-17571 | High | 9.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
CVE-2020-9493 | High | 9.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
CVE-2022-23307 | High | 8.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
CVE-2022-23302 | High | 8.8 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
CVE-2016-3092 | High | 7.5 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2023-24998 | High | 7.5 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2021-4104 | High | 7.5 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
WS-2014-0034 | High | 7.5 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2013-2186 | High | 7.3 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2014-0050 | High | 7.3 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2013-0248 | Medium | 4.0 | commons-fileupload-1.2.2.jar | Transitive | N/A* | ❌ |
CVE-2020-9488 | Low | 3.7 | log4j-1.2.13.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23305
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.2
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Apache Commons FileUpload before 1.3.3: DiskFileItem file manipulation leading to remote code execution.
Publish Date: 2016-10-25
URL: CVE-2016-1000031
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-1000031
Release Date: 2016-10-25
Fix Resolution: 1.3.3
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data, which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget while listening to untrusted network traffic for log data. This affects Log4j 1.2 versions up to and including 1.2.17.
Publish Date: 2019-12-20
URL: CVE-2019-17571
Base Score Metrics:
Type: Upgrade version
Release Date: 2019-12-20
Fix Resolution: log4j-manual - 1.2.17-16;log4j-javadoc - 1.2.17-16;log4j - 1.2.17-16,1.2.17-16
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.
Publish Date: 2021-06-16
URL: CVE-2020-9493
Base Score Metrics:
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2021/06/16/1
Release Date: 2021-06-16
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.
Publish Date: 2022-01-18
URL: CVE-2022-23307
Base Score Metrics:
Type: Upgrade version
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2022-01-18
URL: CVE-2022-23302
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2022-01-18
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.1
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.
Publish Date: 2016-07-04
URL: CVE-2016-3092
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092
Release Date: 2016-07-04
Fix Resolution: org.apache.tomcat.embed:tomcat-embed-core:9.0.0.M8,8.5.3,8.0.36,7.0.70,org.apache.tomcat:tomcat-coyote:9.0.0.M8,8.5.3,8.0.36,7.0.70,commons-fileupload:commons-fileupload:1.3.2
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.
Publish Date: 2023-02-20
URL: CVE-2023-24998
Base Score Metrics:
Type: Upgrade version
Origin: https://seclists.org/oss-sec/2023/q1/108
Release Date: 2023-02-20
Fix Resolution: commons-fileupload:commons-fileupload:1.5;org.apache.tomcat:tomcat-coyote:8.5.85,9.0.71,10.1.5
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.
Publish Date: 2021-12-14
URL: CVE-2021-4104
Base Score Metrics:
Type: Upgrade version
Origin: https://nvd.nist.gov/vuln/detail/CVE-2021-4104
Release Date: 2021-12-14
Fix Resolution: uom-parent - 1.0.3-3.module,1.0.3-3.module;uom-se-javadoc - 1.0.4-3.module;parfait-examples - 0.5.4-4.module;log4j-manual - 1.2.17-16;si-units-javadoc - 0.6.5-2.module;unit-api - 1.0-5.module,1.0-5.module;unit-api-javadoc - 1.0-5.module;parfait - 0.5.4-4.module,0.5.4-4.module;log4j-javadoc - 1.2.17-16;uom-systems-javadoc - 0.7-1.module;uom-lib-javadoc - 1.0.1-6.module;uom-systems - 0.7-1.module,0.7-1.module;log4j - 1.2.17-16,1.2.17-16;uom-se - 1.0.4-3.module,1.0.4-3.module;uom-lib - 1.0.1-6.module,1.0.1-6.module;parfait-javadoc - 0.5.4-4.module;pcp-parfait-agent - 0.5.4-4.module;si-units - 0.6.5-2.module,0.6.5-2.module
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The class FileUploadBase in Apache Commons Fileupload before 1.4 has a potential resource leak: the InputStream is not closed on exception.
Publish Date: 2014-02-17
URL: WS-2014-0034
Base Score Metrics:
Type: Upgrade version
Release Date: 2014-02-17
Fix Resolution: 1.4
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.
Publish Date: 2013-10-28
URL: CVE-2013-2186
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-2186
Release Date: 2013-10-28
Fix Resolution: commons-fileupload:commons-fileupload:1.3.1
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
Publish Date: 2014-04-01
URL: CVE-2014-0050
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0050
Release Date: 2014-03-28
Fix Resolution: 1.3.2
The FileUpload component provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-fileupload/commons-fileupload/1.2.2/commons-fileupload-1.2.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.
Publish Date: 2013-03-15
URL: CVE-2013-0248
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0248
Release Date: 2013-03-15
Fix Resolution: 1.3
Log4j
Library home page: http://logging.apache.org/log4j/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/log4j/log4j/1.2.13/log4j-1.2.13.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack, which could leak any log messages sent through that appender. Fixed in Apache Log4j 2.12.3 and 2.13.1.
Publish Date: 2020-04-27
URL: CVE-2020-9488
Base Score Metrics:
Type: Upgrade version
Origin: https://reload4j.qos.ch/
Release Date: 2020-04-27
Fix Resolution: ch.qos.reload4j:reload4j:1.2.18.3
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/camel/camel-core/2.19.2/camel-core-2.19.2.jar
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
CVE | Severity | CVSS | Dependency | Type | Fixed in (camel-spring-boot-starter version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2017-12633 | High | 9.8 | camel-core-2.19.2.jar | Transitive | 2.19.4 | ❌ |
The Core Camel Java DSL based router
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/camel/camel-core/2.19.2/camel-core-2.19.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
The camel-hessian component in Apache Camel 2.x before 2.19.4 and 2.20.x before 2.20.1 is vulnerable to a Java object deserialization vulnerability. Deserializing untrusted data can lead to security flaws.
Publish Date: 2017-11-15
URL: CVE-2017-12633
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-12633
Release Date: 2017-11-15
Fix Resolution (org.apache.camel:camel-core): 2.19.4
Direct dependency fix Resolution (org.apache.camel:camel-spring-boot-starter): 2.19.4
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
CVE | Severity | CVSS | Dependency | Type | Fixed in (camunda-bpm-camel-spring version) | Remediation Available |
---|---|---|---|---|---|---|
CVE-2022-22965 | High | 9.8 | spring-beans-4.3.10.RELEASE.jar | Transitive | N/A* | ❌ |
CVE-2020-26945 | High | 8.1 | mybatis-3.2.8.jar | Transitive | N/A* | ❌ |
CVE-2017-9801 | High | 7.5 | commons-email-1.2.jar | Transitive | 0.6 | ❌ |
CVE-2018-1294 | High | 7.5 | commons-email-1.2.jar | Transitive | N/A* | ❌ |
CVE-2022-22970 | Medium | 5.3 | spring-beans-4.3.10.RELEASE.jar | Transitive | N/A* | ❌ |
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the section "Details" below to see if there is a version of transitive dependency where vulnerability is fixed.
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
A Spring MVC or Spring WebFlux application running on JDK 9+ may be vulnerable to remote code execution (RCE) via data binding. The specific exploit requires the application to run on Tomcat as a WAR deployment. If the application is deployed as a Spring Boot executable jar, i.e. the default, it is not vulnerable to the exploit. However, the nature of the vulnerability is more general, and there may be other ways to exploit it.
Publish Date: 2022-04-01
URL: CVE-2022-22965
Base Score Metrics:
Type: Upgrade version
Origin: https://spring.io/blog/2022/03/31/spring-framework-rce-early-announcement
Release Date: 2022-04-01
Fix Resolution: org.springframework:spring-beans:5.2.20.RELEASE,5.3.18
The MyBatis data mapper framework makes it easier to use a relational database with object-oriented applications. MyBatis couples objects with stored procedures or SQL statements using a XML descriptor or annotations. Simplicity is the biggest advantage of the MyBatis data mapper over object relational mapping tools.
Library home page: http://www.mybatis.org/core/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/mybatis/mybatis/3.2.8/mybatis-3.2.8.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
MyBatis before 3.5.6 mishandles deserialization of object streams.
Publish Date: 2020-10-10
URL: CVE-2020-26945
Base Score Metrics:
Type: Upgrade version
Release Date: 2020-10-26
Fix Resolution: org.mybatis:mybatis:3.5.6
Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.
Library home page: http://commons.apache.org/email/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-email/1.2/commons-email-1.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
When a call-site passes a subject for an email that contains line-breaks in Apache Commons Email 1.0 through 1.4, the caller can add arbitrary SMTP headers.
Publish Date: 2017-08-07
URL: CVE-2017-9801
Base Score Metrics:
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-9801
Release Date: 2017-08-07
Fix Resolution (org.apache.commons:commons-email): 1.5
Direct dependency fix Resolution (org.camunda.bpm.extension.camel:camunda-bpm-camel-spring): 0.6
Commons-Email aims to provide an API for sending email. It is built on top of the JavaMail API, which it aims to simplify.
Library home page: http://commons.apache.org/email/
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/commons/commons-email/1.2/commons-email-1.2.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
If a user of Apache Commons Email (typically an application programmer) passes unvalidated input as the so-called "Bounce Address", and that input contains line-breaks, then the email details (recipients, contents, etc.) might be manipulated. Mitigation: Users should upgrade to Commons-Email 1.5. You can mitigate this vulnerability for older versions of Commons Email by stripping line-breaks from data that will be passed to Email.setBounceAddress(String).
Publish Date: 2018-03-20
URL: CVE-2018-1294
Base Score Metrics:
Type: Upgrade version
Origin: GHSA-v7cm-w955-pj6g
Release Date: 2018-03-20
Fix Resolution: org.apache.commons:commons-email:1.5
Spring Beans
Library home page: https://github.com/spring-projects/spring-framework
Path to dependency file: /pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/springframework/spring-beans/4.3.10.RELEASE/spring-beans-4.3.10.RELEASE.jar
Dependency Hierarchy:
Found in HEAD commit: 359b5d85c318e9f0aa116ed84be44dc8ad415e1d
Found in base branch: master
In Spring Framework versions prior to 5.3.20+, 5.2.22+ and old unsupported versions, applications that handle file uploads are vulnerable to a DoS attack if they rely on data binding to set a MultipartFile or javax.servlet.Part to a field in a model object.
Publish Date: 2022-05-12
URL: CVE-2022-22970
Base Score Metrics:
Type: Upgrade version
Origin: https://tanzu.vmware.com/security/cve-2022-22970
Release Date: 2022-05-12
Fix Resolution: org.springframework:spring-beans:5.2.22,5.3.20;org.springframework:spring-core:5.2.22,5.3.20