From bfabdbc2c56c6785cd8ace636df1d539ac5b5b70 Mon Sep 17 00:00:00 2001 From: Tim White Date: Wed, 3 Jul 2024 11:44:45 +1200 Subject: [PATCH 1/2] Add what are almost certainly the missing scan results used for Table 4 in the paper --- .../dependency-check-report.json | 3655 + .../scan-results/grype/grype-report.json | 722 + .../scan-results/snyk/snyk-report.json | 974 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 18346 +++++ .../scan-results/grype/grype-report.json | 418 + .../scan-results/snyk/snyk-report.json | 4495 ++ .../scan-results/steady/steady-report.json | 282 + .../dependency-check-report.json | 3655 + .../scan-results/grype/grype-report.json | 722 + .../scan-results/snyk/snyk-report.json | 974 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 632 + .../scan-results/grype/grype-report.json | 722 + .../scan-results/snyk/snyk-report.json | 452 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 24400 ++++++ .../scan-results/grype/grype-report.json | 96 + .../scan-results/snyk/snyk-report.json | 1579 + .../scan-results/steady/steady-report.json | 698 + .../dependency-check-report.json | 2687 + .../scan-results/grype/grype-report.json | 1684 + .../scan-results/snyk/snyk-report.json | 663 + .../scan-results/steady/steady-report.json | 186 + .../dependency-check-report.json | 1075 + .../scan-results/grype/grype-report.json | 1684 + .../scan-results/snyk/snyk-report.json | 306 + .../scan-results/steady/steady-report.json | 186 + .../dependency-check-report.json | 4216 + .../scan-results/grype/grype-report.json | 1234 + .../scan-results/snyk/snyk-report.json | 646 + .../scan-results/steady/steady-report.json | 442 + .../dependency-check-report.json | 17886 ++++ .../scan-results/grype/grype-report.json | 328 + .../scan-results/snyk/snyk-report.json | 8438 ++ .../scan-results/steady/steady-report.json | 410 + .../dependency-check-report.json | 3717 + .../scan-results/grype/grype-report.json | 1745 + .../scan-results/snyk/snyk-report.json | 321 + .../scan-results/steady/steady-report.json | 186 + .../dependency-check-report.json | 449 + .../scan-results/grype/grype-report.json | 511 + .../scan-results/snyk/snyk-report.json | 394 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 561 + .../scan-results/grype/grype-report.json | 206 + .../scan-results/snyk/snyk-report.json | 241 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 2638 + .../scan-results/grype/grype-report.json | 1513 + .../scan-results/snyk/snyk-report.json | 945 + .../scan-results/steady/steady-report.json | 90 + .../dependency-check-report.json | 2945 + .../scan-results/grype/grype-report.json | 1716 + .../scan-results/snyk/snyk-report.json | 970 + .../scan-results/steady/steady-report.json | 122 + .../dependency-check-report.json | 67257 ++++++++++++++++ .../scan-results/grype/grype-report.json | 1421 + .../scan-results/snyk/snyk-report.json | 17288 ++++ .../scan-results/steady/steady-report.json | 1434 + .../dependency-check-report.json | 18543 +++++ .../scan-results/grype/grype-report.json | 1853 + .../scan-results/snyk/snyk-report.json | 4078 + .../scan-results/steady/steady-report.json | 282 + .../dependency-check-report.json | 2505 + .../scan-results/grype/grype-report.json | 1290 + .../scan-results/snyk/snyk-report.json | 730 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 3264 + .../scan-results/grype/grype-report.json | 1170 + .../scan-results/snyk/snyk-report.json | 431 + .../scan-results/steady/steady-report.json | 58 + .../dependency-check-report.json | 1574 + .../scan-results/grype/grype-report.json | 246 + .../scan-results/snyk/snyk-report.json | 238 + .../scan-results/steady/steady-report.json | 58 + 76 files changed, 248231 insertions(+) create mode 100644 CVE-2013-2186/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2013-2186/scan-results/grype/grype-report.json create mode 100644 CVE-2013-2186/scan-results/snyk/snyk-report.json create mode 100644 CVE-2013-2186/scan-results/steady/steady-report.json create mode 100644 CVE-2013-5960/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2013-5960/scan-results/grype/grype-report.json create mode 100644 CVE-2013-5960/scan-results/snyk/snyk-report.json create mode 100644 CVE-2013-5960/scan-results/steady/steady-report.json create mode 100644 CVE-2014-0050/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2014-0050/scan-results/grype/grype-report.json create mode 100644 CVE-2014-0050/scan-results/snyk/snyk-report.json create mode 100644 CVE-2014-0050/scan-results/steady/steady-report.json create mode 100644 CVE-2015-6748/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2015-6748/scan-results/grype/grype-report.json create mode 100644 CVE-2015-6748/scan-results/snyk/snyk-report.json create mode 100644 CVE-2015-6748/scan-results/steady/steady-report.json create mode 100644 CVE-2016-0779/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2016-0779/scan-results/grype/grype-report.json create mode 100644 CVE-2016-0779/scan-results/snyk/snyk-report.json create mode 100644 CVE-2016-0779/scan-results/steady/steady-report.json create mode 100644 CVE-2016-5394/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2016-5394/scan-results/grype/grype-report.json create mode 100644 CVE-2016-5394/scan-results/snyk/snyk-report.json create mode 100644 CVE-2016-5394/scan-results/steady/steady-report.json create mode 100644 CVE-2016-6798/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2016-6798/scan-results/grype/grype-report.json create mode 100644 CVE-2016-6798/scan-results/snyk/snyk-report.json create mode 100644 CVE-2016-6798/scan-results/steady/steady-report.json create mode 100644 CVE-2016-6802/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2016-6802/scan-results/grype/grype-report.json create mode 100644 CVE-2016-6802/scan-results/snyk/snyk-report.json create mode 100644 CVE-2016-6802/scan-results/steady/steady-report.json create mode 100644 CVE-2016-7051/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2016-7051/scan-results/grype/grype-report.json create mode 100644 CVE-2016-7051/scan-results/snyk/snyk-report.json create mode 100644 CVE-2016-7051/scan-results/steady/steady-report.json create mode 100644 CVE-2017-15717/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2017-15717/scan-results/grype/grype-report.json create mode 100644 CVE-2017-15717/scan-results/snyk/snyk-report.json create mode 100644 CVE-2017-15717/scan-results/steady/steady-report.json create mode 100644 CVE-2017-18349/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2017-18349/scan-results/grype/grype-report.json create mode 100644 CVE-2017-18349/scan-results/snyk/snyk-report.json create mode 100644 CVE-2017-18349/scan-results/steady/steady-report.json create mode 100644 CVE-2018-1002201/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2018-1002201/scan-results/grype/grype-report.json create mode 100644 CVE-2018-1002201/scan-results/snyk/snyk-report.json create mode 100644 CVE-2018-1002201/scan-results/steady/steady-report.json create mode 100644 CVE-2018-11771/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2018-11771/scan-results/grype/grype-report.json create mode 100644 CVE-2018-11771/scan-results/snyk/snyk-report.json create mode 100644 CVE-2018-11771/scan-results/steady/steady-report.json create mode 100644 CVE-2018-1324/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2018-1324/scan-results/grype/grype-report.json create mode 100644 CVE-2018-1324/scan-results/snyk/snyk-report.json create mode 100644 CVE-2018-1324/scan-results/steady/steady-report.json create mode 100644 CVE-2018-8017/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2018-8017/scan-results/grype/grype-report.json create mode 100644 CVE-2018-8017/scan-results/snyk/snyk-report.json create mode 100644 CVE-2018-8017/scan-results/steady/steady-report.json create mode 100644 CVE-2019-0225/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2019-0225/scan-results/grype/grype-report.json create mode 100644 CVE-2019-0225/scan-results/snyk/snyk-report.json create mode 100644 CVE-2019-0225/scan-results/steady/steady-report.json create mode 100644 CVE-2019-12402/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2019-12402/scan-results/grype/grype-report.json create mode 100644 CVE-2019-12402/scan-results/snyk/snyk-report.json create mode 100644 CVE-2019-12402/scan-results/steady/steady-report.json create mode 100644 CVE-2020-1953/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2020-1953/scan-results/grype/grype-report.json create mode 100644 CVE-2020-1953/scan-results/snyk/snyk-report.json create mode 100644 CVE-2020-1953/scan-results/steady/steady-report.json create mode 100644 CVE-2021-29425/scan-results/dependency-check/dependency-check-report.json create mode 100644 CVE-2021-29425/scan-results/grype/grype-report.json create mode 100644 CVE-2021-29425/scan-results/snyk/snyk-report.json create mode 100644 CVE-2021-29425/scan-results/steady/steady-report.json diff --git a/CVE-2013-2186/scan-results/dependency-check/dependency-check-report.json b/CVE-2013-2186/scan-results/dependency-check/dependency-check-report.json new file mode 100644 index 0000000..393c83d --- /dev/null +++ b/CVE-2013-2186/scan-results/dependency-check/dependency-check-report.json @@ -0,0 +1,3655 @@ +{ + "reportSchema" : "1.1", + "scanInfo" : { + "engineVersion" : "8.2.1", + "dataSource" : [ { + "name" : "NVD CVE Checked", + "timestamp" : "2023-10-05T09:58:30" + }, { + "name" : "NVD CVE Modified", + "timestamp" : "2023-10-05T09:00:02" + }, { + "name" : "VersionCheckOn", + "timestamp" : "2023-10-04T16:15:34" + }, { + "name" : "kev.checked", + "timestamp" : "1696389337" + } ] + }, + "projectInfo" : { + "name" : "CVE-2013-2186", + "groupID" : "io.github.jensdietrich.xshady", + "artifactID" : "CVE-2013-2186", + "version" : "1.0.0", + "reportDate" : "2023-10-04T22:15:07.405823308Z", + "credits" : { + "NVD" : "This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov", + "CISA" : "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "NPM" : "This report may contain data retrieved from the Github Advisory Database (via NPM Audit API): https://github.com/advisories/", + "RETIREJS" : "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/", + "OSSINDEX" : "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org" + } + }, + "dependencies" : [ { + "isVirtual" : false, + "fileName" : "commons-fileupload-1.3.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-fileupload/commons-fileupload/1.3/commons-fileupload-1.3.jar", + "md5" : "fd24e83d8f62085f84c0622087872f36", + "sha1" : "c89e540e4a12cb034fb973e12135839b5de9a87e", + "sha256" : "bcea3f830ff3867c6700c1fc12282c219ecf77ae6b36cea445b8e9dc751449fe", + "description" : "\n The FileUpload component provides a simple yet flexible means of adding support for multipart\n file upload functionality to servlets and web applications.\n ", + "license" : "http://www.apache.org/licenses/LICENSE-2.0.txt", + "projectReferences" : [ "CVE-2013-2186:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/io.github.jensdietrich.xshady/CVE-2013-2186@1.0.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "fileupload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-docurl", + "value" : "http://commons.apache.org/proper/commons-fileupload/" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "org.apache.commons.fileupload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "implementation-build", + "value" : "tags/FILEUPLOAD_1_3_RC2@r1460338; 2013-03-24 13:39:55+0100" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jason@zenplex.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jmcnally@collab.net" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jochen.wiedmann@gmail.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "martinc@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sean |at| seansullivan |dot| com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "simonetripodi@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jmcnally" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jochen" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "martinc" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "simonetripodi" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sullis" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jochen Wiedmann" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "John McNally" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Cooper" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Sean C. Sullivan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Simone Tripodi" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Adobe" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Yahoo!" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Zenplex" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Commons FileUpload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "commons-parent" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache.commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://commons.apache.org/proper/commons-fileupload/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-fileupload" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "fileupload" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-docurl", + "value" : "http://commons.apache.org/proper/commons-fileupload/" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Bundle-Name", + "value" : "Commons FileUpload" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "org.apache.commons.fileupload" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "implementation-build", + "value" : "tags/FILEUPLOAD_1_3_RC2@r1460338; 2013-03-24 13:39:55+0100" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Commons FileUpload" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Commons FileUpload" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-fileupload" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jason@zenplex.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jmcnally@collab.net" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jochen.wiedmann@gmail.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "martinc@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sean |at| seansullivan |dot| com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "simonetripodi@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jmcnally" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jochen" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "martinc" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "simonetripodi" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sullis" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jochen Wiedmann" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "John McNally" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Cooper" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Sean C. Sullivan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Simone Tripodi" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Adobe" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Yahoo!" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Zenplex" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-fileupload" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Commons FileUpload" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "commons-parent" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache.commons" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://commons.apache.org/proper/commons-fileupload/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.3" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.3" + }, { + "type" : "version", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-version", + "value" : "1.3" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.3" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-fileupload/commons-fileupload@1.3", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-fileupload/commons-fileupload@1.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.3:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_fileupload&cpe_version=cpe%3A%2F%3Aapache%3Acommons_fileupload%3A1.3" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2016-1000031", + "severity" : "CRITICAL", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4", + "acInsufInfo" : "true" + }, + "cvssv3" : { + "baseScore" : 9.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "CRITICAL", + "exploitabilityScore" : "3.9", + "impactScore" : "5.9", + "version" : "3.0" + }, + "cwes" : [ "CWE-284" ], + "description" : "Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2020.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2016-1000031?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2016-1000031] CWE-284: Improper Access Control" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20190212-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190212-0001/" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", + "name" : "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00036.html", + "name" : "openSUSE-SU-2019:1399" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E", + "name" : "[announce] 20181105 [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2016-30", + "name" : "https://www.tenable.com/security/research/tra-2016-30" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279", + "name" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279", + "name" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2021.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2021.html" + }, { + "source" : "OSSIndex", + "url" : "http://www.tenable.com/security/research/tra-2016-12", + "name" : "http://www.tenable.com/security/research/tra-2016-12" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2016-23", + "name" : "https://www.tenable.com/security/research/tra-2016-23" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2016-12", + "name" : "https://www.tenable.com/security/research/tra-2016-12" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, { + "source" : "MISC", + "url" : "http://www.zerodayinitiative.com/advisories/ZDI-16-570/", + "name" : "http://www.zerodayinitiative.com/advisories/ZDI-16-570/" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2020.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/93604", + "name" : "93604" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/WW-4812", + "name" : "https://issues.apache.org/jira/browse/WW-4812" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.3.2" + } + } ] + }, { + "source" : "OSSINDEX", + "name" : "CVE-2013-2186", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "N", + "accessComplexity" : "L", + "authenticationr" : "N", + "confidentialImpact" : "P", + "integrityImpact" : "P", + "availabilityImpact" : "P", + "severity" : "HIGH" + }, + "cwes" : [ "CWE-20" ], + "description" : "The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/", + "name" : "https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2013-2186?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2013-2186] CWE-20: Improper Input Validation" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:commons-fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2014-0050", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cwes" : [ "CWE-264" ], + "description" : "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.", + "notes" : "", + "references" : [ { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0252.html", + "name" : "RHSA-2014:0252" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2014-0050?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2014-0050] CWE-264: Permissions, Privileges, and Access Controls" + }, { + "source" : "FULLDISC", + "url" : "http://seclists.org/fulldisclosure/2014/Dec/23", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59500", + "name" : "59500" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58075", + "name" : "58075" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, { + "source" : "JVN", + "url" : "http://jvn.jp/en/jp/JVN14876762/index.html", + "name" : "JVN#14876762" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1062337" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59232", + "name" : "59232" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-7.html", + "name" : "http://tomcat.apache.org/security-7.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677724", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677724" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59399", + "name" : "59399" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0007.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0007.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676092", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676092" + }, { + "source" : "OSSIndex", + "url" : "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "name" : "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59185", + "name" : "59185" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59187", + "name" : "59187" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2014/dsa-2856", + "name" : "DSA-2856" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2130-1", + "name" : "USN-2130-1" + }, { + "source" : "MISC", + "url" : "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html", + "name" : "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21669554", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21669554" + }, { + "source" : "MISC", + "url" : "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", + "name" : "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59183", + "name" : "59183" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676853", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676853" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=143136844732487&w=2", + "name" : "HPSBGN03329" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59039", + "name" : "59039" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/65400", + "name" : "65400" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21681214", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21681214" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676410", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676410" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60475", + "name" : "60475" + }, { + "source" : "OSSIndex", + "url" : "https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/", + "name" : "https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0253.html", + "name" : "RHSA-2014:0253" + }, { + "source" : "MLIST", + "url" : "http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "name" : "[commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "name" : "RHSA-2014:0400" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-8.html", + "name" : "http://tomcat.apache.org/security-8.html" + }, { + "source" : "OSSIndex", + "url" : "http://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos", + "name" : "http://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58976", + "name" : "58976" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html" + }, { + "source" : "MANDRIVA", + "url" : "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084", + "name" : "MDVSA-2015:084" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/202107-39", + "name" : "GLSA-202107-39" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59184", + "name" : "59184" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59041", + "name" : "59041" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/57915", + "name" : "57915" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676405", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676405" + }, { + "source" : "CONFIRM", + "url" : "http://advisories.mageia.org/MGASA-2014-0110.html", + "name" : "http://advisories.mageia.org/MGASA-2014-0110.html" + }, { + "source" : "JVNDB", + "url" : "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017", + "name" : "JVNDB-2014-000017" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59492", + "name" : "59492" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675432", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675432" + }, { + "source" : "BUGTRAQ", + "url" : "http://www.securityfocus.com/archive/1/532549/100/0/threaded", + "name" : "20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + }, { + "source" : "BUGTRAQ", + "url" : "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677691", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677691" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676401", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676401" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60753", + "name" : "60753" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/r1565143", + "name" : "http://svn.apache.org/r1565143" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59725", + "name" : "59725" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676656", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676656" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676403", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676403" + }, { + "source" : "CONFIRM", + "url" : "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm", + "name" : "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:12.0in:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:14.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2016-3092", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.8, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.9" + }, + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.0" + }, + "cwes" : [ "CWE-20" ], + "description" : "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.", + "notes" : "", + "references" : [ { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3609", + "name" : "DSA-3609" + }, { + "source" : "JVN", + "url" : "http://jvn.jp/en/jp/JVN89379547/index.html", + "name" : "JVN#89379547" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2071.html", + "name" : "RHSA-2016:2071" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20190212-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190212-0001/" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1349468" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743738", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743738" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-3024-1", + "name" : "USN-3024-1" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:0455", + "name" : "RHSA-2017:0455" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2808.html", + "name" : "RHSA-2016:2808" + }, { + "source" : "MLIST", + "url" : "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E", + "name" : "[dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1036427", + "name" : "1036427" + }, { + "source" : "OSSIndex", + "url" : "http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E", + "name" : "http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201705-09", + "name" : "GLSA-201705-09" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1037029", + "name" : "1037029" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-7.html", + "name" : "http://tomcat.apache.org/security-7.html" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3614", + "name" : "DSA-3614" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2016-3092?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2016-3092] CWE-20: Improper Input Validation" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-9.html", + "name" : "http://tomcat.apache.org/security-9.html" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2069.html", + "name" : "RHSA-2016:2069" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1036900", + "name" : "1036900" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2072.html", + "name" : "RHSA-2016:2072" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1039606", + "name" : "1039606" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2599.html", + "name" : "RHSA-2016:2599" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-3027-1", + "name" : "USN-3027-1" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:0456", + "name" : "RHSA-2017:0456" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2068.html", + "name" : "RHSA-2016:2068" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743480", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743480" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2017-0457.html", + "name" : "RHSA-2017:0457" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "name" : "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2070.html", + "name" : "RHSA-2016:2070" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-8.html", + "name" : "http://tomcat.apache.org/security-8.html" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/91453", + "name" : "91453" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html", + "name" : "openSUSE-SU-2016:2252" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/202107-39", + "name" : "GLSA-202107-39" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743722", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743722" + }, { + "source" : "JVNDB", + "url" : "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121", + "name" : "JVNDB-2016-000121" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743742", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743742" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3611", + "name" : "DSA-3611" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2807.html", + "name" : "RHSA-2016:2807" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.3.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2023-24998", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-770" ], + "description" : "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n new configuration option (FileUploadBase#setFileCountMax) is not\n enabled by default and must be explicitly configured.\n\n\n", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", + "name" : "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "name" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" + }, { + "source" : "MISC", + "url" : "http://www.openwall.com/lists/oss-security/2023/05/22/1", + "name" : "http://www.openwall.com/lists/oss-security/2023/05/22/1" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/apache/commons-fileupload/pull/185", + "name" : "https://github.com/apache/commons-fileupload/pull/185" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-10.html", + "name" : "https://tomcat.apache.org/security-10.html" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24998", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24998" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-11.html", + "name" : "https://tomcat.apache.org/security-11.html" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-9.html", + "name" : "https://tomcat.apache.org/security-9.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "name" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-8.html", + "name" : "https://tomcat.apache.org/security-8.html" + }, { + "source" : "MISC", + "url" : "https://security.gentoo.org/glsa/202305-37", + "name" : "https://security.gentoo.org/glsa/202305-37" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2023-24998?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2023-24998] CWE-770: Allocation of Resources Without Limits or Throttling" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndExcluding" : "1.5" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-io-2.2.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-io/commons-io/2.2/commons-io-2.2.jar", + "md5" : "6ad49e3e16c2342e9ee9599ce04775e6", + "sha1" : "83b5b8a7ba1c08f9e8c8ff2373724e33d3c1e22a", + "sha256" : "675f60bd11a82d481736591fe4054c66471fa5463d45616652fd71585792ba87", + "description" : "\nThe Commons IO library contains utility classes, stream implementations, file filters, \nfile comparators, endian transformation classes, and much more.\n ", + "license" : "http://www.apache.org/licenses/LICENSE-2.0.txt", + "projectReferences" : [ "CVE-2013-2186:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/commons-fileupload/commons-fileupload@1.3" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-io" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "io" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-docurl", + "value" : "http://commons.apache.org/io/" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "org.apache.commons.io" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "implementation-build", + "value" : "tags/2.2-RC4@r1305376; 2012-03-26 10:58:33-0400" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-io" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-io" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bayard@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ggregory@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jeremias@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jochen.wiedmann@gmail.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "martinc@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "matth@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "nicolaken@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "roxspring@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "ggregory" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jeremias" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jochen" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jukka" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "martinc" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "matth" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "niallp" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "nicolaken" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "roxspring" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "scolebourne" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Gary Gregory" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jeremias Maerki" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jochen Wiedmann" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jukka Zitting" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Cooper" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Matthew Hawthorne" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Niall Pemberton" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Nicola Ken Barozzi" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Rob Oxspring" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Stephen Colebourne" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-io" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Commons IO" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "commons-parent" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache.commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://commons.apache.org/io/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-io" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "io" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-docurl", + "value" : "http://commons.apache.org/io/" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Bundle-Name", + "value" : "Commons IO" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "org.apache.commons.io" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "implementation-build", + "value" : "tags/2.2-RC4@r1305376; 2012-03-26 10:58:33-0400" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Commons IO" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Commons IO" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-io" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bayard@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ggregory@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jeremias@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jochen.wiedmann@gmail.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "martinc@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "matth@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "nicolaken@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "roxspring@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "ggregory" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jeremias" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jochen" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jukka" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "martinc" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "matth" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "niallp" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "nicolaken" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "roxspring" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "scolebourne" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Gary Gregory" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jeremias Maerki" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jochen Wiedmann" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jukka Zitting" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Cooper" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Matthew Hawthorne" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Niall Pemberton" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Nicola Ken Barozzi" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Rob Oxspring" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Stephen Colebourne" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-io" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Commons IO" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "commons-parent" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache.commons" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://commons.apache.org/io/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "2.2" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "2.2" + }, { + "type" : "version", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-version", + "value" : "2.2" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.2" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-io/commons-io@2.2", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-io/commons-io@2.2?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_io:2.2:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_io&cpe_version=cpe%3A%2F%3Aapache%3Acommons_io%3A2.2" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2021-29425", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 5.8, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "4.9" + }, + "cvssv3" : { + "baseScore" : 4.8, + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.2", + "impactScore" : "2.5", + "version" : "3.1" + }, + "cwes" : [ "CWE-22" ], + "description" : "In Apache Commons IO before 2.7, When invoking the method FileNameUtils.normalize with an improper input string, like \"//../foo\", or \"\\\\..\\foo\", the result would be the same value, thus possibly providing access to files in the parent directory, but not further above (thus \"limited\" path traversal), if the calling code would use the result to construct a path value.", + "notes" : "", + "references" : [ { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r20416f39ca7f7344e7d76fe4d7063bb1d91ad106926626e7e83fb346@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r462db908acc1e37c455e11b1a25992b81efd18e641e7e0ceb1b6e046@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210901 [GitHub] [zookeeper] ztzg closed pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/raa053846cae9d497606027816ae87b4e002b2e0eb66cb0dee710e1f5@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210427 [jira] [Created] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rbebd3e19651baa7a4a5503a9901c95989df9d40602c8e35cb05d3eb5@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210518 [jira] [Assigned] (WHISKER-19) Update commons-io to fix CVE-2021-29425" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r0bfa8f7921abdfae788b1f076a12f73a92c93cc0a6e1083bce0027c5@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfd01af05babc95b8949e6d8ea78d9834699e1b06981040dde419a330@%3Cdev.commons.apache.org%3E", + "name" : "[commons-dev] 20210414 Re: [all] OSS Fuzz" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8569a41d565ca880a4dee0e645dad1cd17ab4a92e68055ad9ebb7375@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210427 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc65f9bc679feffe4589ea0981ee98bc0af9139470f077a91580eeee0@%3Cpluto-dev.portals.apache.org%3E", + "name" : "[portals-pluto-dev] 20210714 [jira] [Closed] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/apache/commons-io/pull/52", + "name" : "https://github.com/apache/commons-io/pull/52" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r5149f78be265be69d34eacb4e4b0fc7c9c697bcdfa91a1c1658d717b@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20210901 [jira] [Resolved] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfcd2c649c205f12b72dde044f905903460669a220a2eb7e12652d19d@%3Cdev.zookeeper.apache.org%3E", + "name" : "[zookeeper-dev] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r86528f4b7d222aed7891e7ac03d69a0db2a2dfa17b86ac3470d7f374@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] ztzg commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r4050f9f6b42ebfa47a98cbdee4aabed4bb5fb8093db7dbb88faceba2@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20210901 [zookeeper] branch master updated: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20220210-0004/", + "name" : "https://security.netapp.com/advisory/ntap-20220210-0004/" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2021/08/msg00016.html", + "name" : "[debian-lts-announce] 20210812 [SECURITY] [DLA 2741-1] commons-io security update" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", + "name" : "[kafka-users] 20210617 vulnerabilities" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8bfc7235e6b39d90e6f446325a5a44c3e9e50da18860fdabcee23e29@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20210805 [jira] [Updated] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r01b4a1fcdf3311c936ce33d75a9398b6c255f00c1a2f312ac21effe1@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar edited a comment on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re41e9967bee064e7369411c28f0f5b2ad28b8334907c9c6208017279@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/IO-556", + "name" : "https://issues.apache.org/jira/browse/IO-556" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r92ea904f4bae190b03bd42a4355ce3c2fbe8f36ab673e03f6ca3f9fa@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg opened a new pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r477c285126ada5c3b47946bb702cb222ac4e7fd3100c8549bdd6d3b2@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20210805 [jira] [Created] (ZOOKEEPER-4343) OWASP Dependency-Check fails with CVE-2021-29425, commons-io-2.6" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2345b49dbffa8a5c3c589c082fe39228a2c1d14f11b96c523da701db@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210805 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rca71a10ca533eb9bfac2d590533f02e6fb9064d3b6aa3ec90fdc4f51@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] ztzg commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r345330b7858304938b7b8029d02537a116d75265a598c98fa333504a@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210621 [jira] [Commented] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/red3aea910403d8620c73e1c7b9c9b145798d0469eb3298a7be7891af@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210816 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2df50af2641d38f432ef025cd2ba5858215cc0cf3fc10396a674ad2e@%3Cpluto-scm.portals.apache.org%3E", + "name" : "[portals-pluto-scm] 20210714 [portals-pluto] branch master updated: PLUTO-789 Upgrade to commons-io-2.7 due to CVE-2021-29425" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rad4ae544747df32ccd58fff5a86cd556640396aeb161aa71dd3d192a@%3Cuser.commons.apache.org%3E", + "name" : "[commons-user] 20210709 commons-fileupload dependency and CVE" + }, { + "source" : "MISC", + "url" : "https://issues.apache.org/jira/browse/IO-556", + "name" : "https://issues.apache.org/jira/browse/IO-556" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2021-29425?component-type=maven&component-name=commons-io%2Fcommons-io&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2021-29425] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/rc359823b5500e9a9a2572678ddb8e01d3505a7ffcadfa8d13b8780ab%40%3Cuser.commons.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc5f3df5316c5237b78a3dff5ab95b311ad08e61d418cd992ca7e34ae@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210825 [GitHub] [zookeeper] eolivelli commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc2dd3204260e9227a67253ef68b6f1599446005bfa0e1ddce4573a80@%3Cpluto-dev.portals.apache.org%3E", + "name" : "[portals-pluto-dev] 20210714 [jira] [Created] (PLUTO-789) Upgrade to commons-io-2.7 due to CVE-2021-29425" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8efcbabde973ea72f5e0933adc48ef1425db5cde850bf641b3993f31@%3Cdev.commons.apache.org%3E", + "name" : "[commons-dev] 20210415 Re: [all] OSS Fuzz" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2bc986a070457daca457a54fe71ee09d2584c24dc262336ca32b6a19@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210518 [jira] [Updated] (WHISKER-19) Update commons-io to fix CVE-2021-29425" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r523a6ffad58f71c4f3761e3cee72df878e48cdc89ebdce933be1475c@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210518 [jira] [Commented] (WHISKER-19) Update commons-io to fix CVE-2021-29425" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r808be7d93b17a7055c1981a8453ae5f0d0fce5855407793c5d0ffffa@%3Cuser.commons.apache.org%3E", + "name" : "[commons-user] 20210709 Re: commons-fileupload dependency and CVE" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/IO-559", + "name" : "https://issues.apache.org/jira/browse/IO-559" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r47ab6f68cbba8e730f42c4ea752f3a44eb95fb09064070f2476bb401@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210427 [jira] [Closed] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r27b1eedda37468256c4bb768fde1e8b79b37ec975cbbfd0d65a7ac34@%3Cdev.myfaces.apache.org%3E", + "name" : "[myfaces-dev] 20210504 [GitHub] [myfaces-tobago] lofwyr14 opened a new pull request #808: build: CVE fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfa2f08b7c0caf80ca9f4a18bd875918fdd4e894e2ea47942a4589b9c@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210427 [jira] [Updated] (RAT-281) Update commons-io to fix CVE-2021-29425 Moderate severity" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r0d73e2071d1f1afe1a15da14c5b6feb2cf17e3871168d5a3c8451436@%3Ccommits.pulsar.apache.org%3E", + "name" : "[pulsar-commits] 20210420 [GitHub] [pulsar] merlimat merged pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r873d5ddafc0a68fd999725e559776dc4971d1ab39c0f5cc81bd9bc04@%3Ccommits.pulsar.apache.org%3E", + "name" : "[pulsar-commits] 20210420 [GitHub] [pulsar] lhotari opened a new pull request #10287: [Security] Upgrade commons-io to address CVE-2021-29425" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r1c2f4683c35696cf6f863e3c107e37ec41305b1930dd40c17260de71@%3Ccommits.pulsar.apache.org%3E", + "name" : "[pulsar-commits] 20210429 [pulsar] branch branch-2.7 updated: [Security] Upgrade commons-io to address CVE-2021-29425 (#10287)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra8ef65aedc086d2d3d21492b4c08ae0eb8a3a42cc52e29ba1bc009d8@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210518 [jira] [Created] (WHISKER-19) Update commons-io to fix CVE-2021-29425" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd09d4ab3e32e4b3a480e2ff6ff118712981ca82e817f28f2a85652a6@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210813 [GitHub] [zookeeper] eolivelli commented on a change in pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.11 (avoids CVE-2021-29425)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc10fa20ef4d13cbf6ebe0b06b5edb95466a1424a9b7673074ed03260@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20210806 [GitHub] [zookeeper] nkalmar commented on pull request #1735: ZOOKEEPER-4343: Bump commons-io to version 2.7 (avoids CVE-2021-29425)" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_io:2.2:-:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_io:2.3:-:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_io:2.4:-:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_io:2.5:-:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_io:2.6:-:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:access_manager:11.1.2.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:access_manager:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:access_manager:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:application_performance_management:13.4.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:application_performance_management:13.5.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:18.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:18.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:17.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:18.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.3.0", + "versionEndIncluding" : "2.4.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.3.0", + "versionEndIncluding" : "2.4.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "21.1.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_application_session_controller:3.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_network_repository_function:1.14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_contacts_server:8.0.0.6.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_converged_application_server_-_service_controller:6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "7.4.0", + "versionEndIncluding" : "7.4.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.0", + "versionEndIncluding" : "8.1.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_diameter_intelligence_hub:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.2.0", + "versionEndIncluding" : "8.2.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_interactive_session_recorder:6.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_order_and_service_management:7.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_order_and_service_management:7.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_policy_management:12.5.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_service_broker:6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_communications_broker:3.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_session_border_controller:8.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_session_border_controller:9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.7", + "versionEndIncluding" : "8.1.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_model_management_and_governance:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.8", + "versionEndIncluding" : "8.1.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_core_banking:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "11.6.0", + "versionEndIncluding" : "11.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_core_banking:5.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_core_banking:11.10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:health_sciences_data_management_workbench:2.5.2.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:health_sciences_data_management_workbench:3.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "3.0.1", + "versionEndIncluding" : "3.0.4" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_data_repository:8.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:helidon:1.4.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:helidon:2.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_rules_palette:11.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_rules_palette:11.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_rules_palette:11.2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_rules_palette:11.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_rules_palette:11.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:oss_support_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.12.42" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.7", + "versionEndIncluding" : "17.12" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:21.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:real_user_experience_insight:13.4.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:real_user_experience_insight:13.5.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:rest_data_services:*:*:*:*:-:*:*:*", + "versionEndExcluding" : "21.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:rest_data_services:21.3:*:*:*:-:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_assortment_planning:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "16.0.1", + "versionEndIncluding" : "16.0.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:13.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:19.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:18.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:19.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_pricing:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "16.0.1", + "versionEndIncluding" : "16.0.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:19.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_size_profile_optimization:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:19.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:20.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:solaris_cluster:4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_testing_accelerator:6.0.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:webcenter_portal:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:webcenter_portal:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + } ] + } ] + } ] +} \ No newline at end of file diff --git a/CVE-2013-2186/scan-results/grype/grype-report.json b/CVE-2013-2186/scan-results/grype/grype-report.json new file mode 100644 index 0000000..babadf8 --- /dev/null +++ b/CVE-2013-2186/scan-results/grype/grype-report.json @@ -0,0 +1,722 @@ +{ + "matches": [ + { + "vulnerability": { + "id": "GHSA-7x9j-7223-rg5m", + "dataSource": "https://github.com/advisories/GHSA-7x9j-7223-rg5m", + "namespace": "github:language:java", + "severity": "Critical", + "urls": [ + "https://github.com/advisories/GHSA-7x9j-7223-rg5m" + ], + "description": "Improper Access Control in commons-fileupload", + "cvss": [], + "fix": { + "versions": [ + "1.3.3" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-1000031", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-1000031", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00036.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "http://www.securityfocus.com/bid/93604", + "http://www.zerodayinitiative.com/advisories/ZDI-16-570/", + "https://issues.apache.org/jira/browse/FILEUPLOAD-279", + "https://issues.apache.org/jira/browse/WW-4812", + "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", + "https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E", + "https://security.netapp.com/advisory/ntap-20190212-0001/", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://www.oracle.com/security-alerts/cpujan2020.html", + "https://www.oracle.com/security-alerts/cpujan2021.html", + "https://www.oracle.com/security-alerts/cpujul2020.html", + "https://www.oracle.com/security-alerts/cpujul2022.html", + "https://www.oracle.com/security-alerts/cpuoct2020.html", + "https://www.oracle.com/security-alerts/cpuoct2021.html", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "https://www.tenable.com/security/research/tra-2016-12", + "https://www.tenable.com/security/research/tra-2016-23", + "https://www.tenable.com/security/research/tra-2016-30" + ], + "description": "Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "commons-fileupload", + "version": "1.3" + } + }, + "found": { + "versionConstraint": "<1.3.3 (unknown)", + "vulnerabilityID": "GHSA-7x9j-7223-rg5m" + } + } + ], + "artifact": { + "id": "361aa1f367cea139", + "name": "commons-fileupload", + "version": "1.3", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:commons-fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons-fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons_fileupload:1.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "commons-fileupload", + "pomGroupID": "commons-fileupload", + "manifestName": "", + "archiveDigests": null + } + } + }, + { + "vulnerability": { + "id": "GHSA-xx68-jfcg-xmmf", + "dataSource": "https://github.com/advisories/GHSA-xx68-jfcg-xmmf", + "namespace": "github:language:java", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-xx68-jfcg-xmmf" + ], + "description": "High severity vulnerability that affects commons-fileupload:commons-fileupload", + "cvss": [], + "fix": { + "versions": [ + "1.3.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2014-0050", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2014-0050", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://advisories.mageia.org/MGASA-2014-0110.html", + "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", + "http://jvn.jp/en/jp/JVN14876762/index.html", + "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017", + "http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "http://marc.info/?l=bugtraq&m=143136844732487&w=2", + "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html", + "http://rhn.redhat.com/errata/RHSA-2014-0252.html", + "http://rhn.redhat.com/errata/RHSA-2014-0253.html", + "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "http://seclists.org/fulldisclosure/2014/Dec/23", + "http://svn.apache.org/r1565143", + "http://tomcat.apache.org/security-7.html", + "http://tomcat.apache.org/security-8.html", + "http://www-01.ibm.com/support/docview.wss?uid=swg21669554", + "http://www-01.ibm.com/support/docview.wss?uid=swg21675432", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676092", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676401", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676403", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676405", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676410", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676656", + "http://www-01.ibm.com/support/docview.wss?uid=swg21676853", + "http://www-01.ibm.com/support/docview.wss?uid=swg21677691", + "http://www-01.ibm.com/support/docview.wss?uid=swg21677724", + "http://www-01.ibm.com/support/docview.wss?uid=swg21681214", + "http://www.debian.org/security/2014/dsa-2856", + "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html", + "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html", + "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html", + "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm", + "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", + "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", + "http://www.securityfocus.com/archive/1/532549/100/0/threaded", + "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "http://www.securityfocus.com/bid/65400", + "http://www.ubuntu.com/usn/USN-2130-1", + "http://www.vmware.com/security/advisories/VMSA-2014-0007.html", + "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", + "https://security.gentoo.org/glsa/202107-39" + ], + "description": "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "commons-fileupload", + "version": "1.3" + } + }, + "found": { + "versionConstraint": "<1.3.1 (unknown)", + "vulnerabilityID": "GHSA-xx68-jfcg-xmmf" + } + } + ], + "artifact": { + "id": "361aa1f367cea139", + "name": "commons-fileupload", + "version": "1.3", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:commons-fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons-fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons_fileupload:1.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "commons-fileupload", + "pomGroupID": "commons-fileupload", + "manifestName": "", + "archiveDigests": null + } + } + }, + { + "vulnerability": { + "id": "GHSA-qx6h-9567-5fqw", + "dataSource": "https://github.com/advisories/GHSA-qx6h-9567-5fqw", + "namespace": "github:language:java", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-qx6h-9567-5fqw" + ], + "description": "Arbitrary file write in Apache Commons Fileupload", + "cvss": [], + "fix": { + "versions": [ + "1.3.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2013-2186", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-2186", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00008.html", + "http://lists.opensuse.org/opensuse-updates/2013-10/msg00033.html", + "http://lists.opensuse.org/opensuse-updates/2013-10/msg00050.html", + "http://rhn.redhat.com/errata/RHSA-2013-1428.html", + "http://rhn.redhat.com/errata/RHSA-2013-1429.html", + "http://rhn.redhat.com/errata/RHSA-2013-1430.html", + "http://rhn.redhat.com/errata/RHSA-2013-1442.html", + "http://rhn.redhat.com/errata/RHSA-2013-1448.html", + "http://ubuntu.com/usn/usn-2029-1", + "http://www.debian.org/security/2013/dsa-2827", + "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "http://www.oracle.com/technetwork/topics/security/cpujul2015-2367936.html", + "http://www.securityfocus.com/bid/63174", + "https://access.redhat.com/errata/RHSA-2016:0070", + "https://exchange.xforce.ibmcloud.com/vulnerabilities/88133", + "https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2014-10-01", + "https://www.tenable.com/security/research/tra-2016-23" + ], + "description": "The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "commons-fileupload", + "version": "1.3" + } + }, + "found": { + "versionConstraint": "<1.3.1 (unknown)", + "vulnerabilityID": "GHSA-qx6h-9567-5fqw" + } + } + ], + "artifact": { + "id": "361aa1f367cea139", + "name": "commons-fileupload", + "version": "1.3", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:commons-fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons-fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons_fileupload:1.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "commons-fileupload", + "pomGroupID": "commons-fileupload", + "manifestName": "", + "archiveDigests": null + } + } + }, + { + "vulnerability": { + "id": "GHSA-hfrx-6qgj-fp6c", + "dataSource": "https://github.com/advisories/GHSA-hfrx-6qgj-fp6c", + "namespace": "github:language:java", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-hfrx-6qgj-fp6c" + ], + "description": "Apache Commons FileUpload denial of service vulnerability", + "cvss": [], + "fix": { + "versions": [ + "1.5" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2023-24998", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2023-24998", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" + ], + "description": "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads. Note that, like all of the file upload limits, the new configuration option (FileUploadBase#setFileCountMax) is not enabled by default and must be explicitly configured.", + "cvss": [ + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "commons-fileupload", + "version": "1.3" + } + }, + "found": { + "versionConstraint": "<1.5 (unknown)", + "vulnerabilityID": "GHSA-hfrx-6qgj-fp6c" + } + } + ], + "artifact": { + "id": "361aa1f367cea139", + "name": "commons-fileupload", + "version": "1.3", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:commons-fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons-fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons_fileupload:1.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "commons-fileupload", + "pomGroupID": "commons-fileupload", + "manifestName": "", + "archiveDigests": null + } + } + }, + { + "vulnerability": { + "id": "GHSA-fvm3-cfvj-gxqq", + "dataSource": "https://github.com/advisories/GHSA-fvm3-cfvj-gxqq", + "namespace": "github:language:java", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-fvm3-cfvj-gxqq" + ], + "description": "High severity vulnerability that affects commons-fileupload:commons-fileupload", + "cvss": [], + "fix": { + "versions": [ + "1.3.2" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2016-3092", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2016-3092", + "namespace": "nvd:cpe", + "severity": "High", + "urls": [ + "http://jvn.jp/en/jp/JVN89379547/index.html", + "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121", + "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html", + "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E", + "http://rhn.redhat.com/errata/RHSA-2016-2068.html", + "http://rhn.redhat.com/errata/RHSA-2016-2069.html", + "http://rhn.redhat.com/errata/RHSA-2016-2070.html", + "http://rhn.redhat.com/errata/RHSA-2016-2071.html", + "http://rhn.redhat.com/errata/RHSA-2016-2072.html", + "http://rhn.redhat.com/errata/RHSA-2016-2599.html", + "http://rhn.redhat.com/errata/RHSA-2016-2807.html", + "http://rhn.redhat.com/errata/RHSA-2016-2808.html", + "http://rhn.redhat.com/errata/RHSA-2017-0457.html", + "http://svn.apache.org/viewvc?view=revision&revision=1743480", + "http://svn.apache.org/viewvc?view=revision&revision=1743722", + "http://svn.apache.org/viewvc?view=revision&revision=1743738", + "http://svn.apache.org/viewvc?view=revision&revision=1743742", + "http://tomcat.apache.org/security-7.html", + "http://tomcat.apache.org/security-8.html", + "http://tomcat.apache.org/security-9.html", + "http://www.debian.org/security/2016/dsa-3609", + "http://www.debian.org/security/2016/dsa-3611", + "http://www.debian.org/security/2016/dsa-3614", + "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", + "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "http://www.securityfocus.com/bid/91453", + "http://www.securitytracker.com/id/1036427", + "http://www.securitytracker.com/id/1036900", + "http://www.securitytracker.com/id/1037029", + "http://www.securitytracker.com/id/1039606", + "http://www.ubuntu.com/usn/USN-3024-1", + "http://www.ubuntu.com/usn/USN-3027-1", + "https://access.redhat.com/errata/RHSA-2017:0455", + "https://access.redhat.com/errata/RHSA-2017:0456", + "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840", + "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759", + "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", + "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", + "https://security.gentoo.org/glsa/201705-09", + "https://security.gentoo.org/glsa/202107-39", + "https://security.netapp.com/advisory/ntap-20190212-0001/", + "https://www.oracle.com/security-alerts/cpuapr2020.html", + "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + ], + "description": "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:N/I:N/A:C", + "metrics": { + "baseScore": 7.8, + "exploitabilityScore": 10, + "impactScore": 6.9 + }, + "vendorMetadata": {} + }, + { + "version": "3.0", + "vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 3.9, + "impactScore": 3.6 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "commons-fileupload", + "version": "1.3" + } + }, + "found": { + "versionConstraint": "<1.3.2 (unknown)", + "vulnerabilityID": "GHSA-fvm3-cfvj-gxqq" + } + } + ], + "artifact": { + "id": "361aa1f367cea139", + "name": "commons-fileupload", + "version": "1.3", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:commons-fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons-fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons_fileupload:commons_fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons-fileupload:1.3:*:*:*:*:*:*:*", + "cpe:2.3:a:commons:commons_fileupload:1.3:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/commons-fileupload/commons-fileupload@1.3", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "commons-fileupload", + "pomGroupID": "commons-fileupload", + "manifestName": "", + "archiveDigests": null + } + } + } + ], + "source": { + "type": "directory", + "target": "CVE-2013-2186/" + }, + "distro": { + "name": "", + "version": "", + "idLike": null + }, + "descriptor": { + "name": "", + "version": "", + "configuration": { + "output": [ + "json" + ], + "file": "CVE-2013-2186//scan-results/grype/grype-report.json", + "distro": "", + "add-cpes-if-none": false, + "output-template-file": "", + "check-for-app-update": false, + "only-fixed": false, + "only-notfixed": false, + "platform": "", + "search": { + "scope": "Squashed", + "unindexed-archives": false, + "indexed-archives": true + }, + "ignore": null, + "exclude": [], + "db": { + "cache-dir": "/home/wtwhite/.cache/grype/db", + "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", + "ca-cert": "", + "auto-update": false, + "validate-by-hash-on-start": false, + "validate-age": true, + "max-allowed-built-age": 3600000000000000000 + }, + "externalSources": { + "enable": false, + "maven": { + "searchUpstreamBySha1": true, + "baseUrl": "https://search.maven.org/solrsearch/select" + } + }, + "match": { + "java": { + "using-cpes": true + }, + "dotnet": { + "using-cpes": true + }, + "golang": { + "using-cpes": true + }, + "javascript": { + "using-cpes": true + }, + "python": { + "using-cpes": true + }, + "ruby": { + "using-cpes": true + }, + "stock": { + "using-cpes": true + } + }, + "fail-on-severity": "", + "registry": { + "insecure-skip-tls-verify": false, + "insecure-use-http": false, + "auth": null, + "ca-cert": "" + }, + "show-suppressed": false, + "by-cve": false, + "name": "", + "default-image-pull-source": "", + "vex-documents": [], + "vex-add": [] + }, + "db": { + "built": "2023-04-27T10:34:58Z", + "schemaVersion": 5, + "location": "/home/wtwhite/.cache/grype/db/5", + "checksum": "sha256:db85d95f6b5924c38d690f7b6a9743cc6ef58e7a100707749ab28792b573e9a9", + "error": null + }, + "timestamp": "2023-10-05T11:14:37.523752855+13:00" + } +} diff --git a/CVE-2013-2186/scan-results/snyk/snyk-report.json b/CVE-2013-2186/scan-results/snyk/snyk-report.json new file mode 100644 index 0000000..372447a --- /dev/null +++ b/CVE-2013-2186/scan-results/snyk/snyk-report.json @@ -0,0 +1,974 @@ +{ + "vulnerabilities": [ + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30080", + "title": "Arbitrary File Write", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.3.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/commit/163a6061fbc077d4b6e4787d26857c2baba495d1", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2013-2186", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-02-09T11:24:47.974398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-04-01T14:50:20.293418Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nAffected versions of this package are vulnerable to Arbitrary File Write.\n\n## Details\nThe DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.\n\n## References\n- [Redhat Security Advisory](https://access.redhat.com/security/cve/CVE-2013-2186)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186)\n", + "epssDetails": { + "percentile": "0.88946", + "probability": "0.02681", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2013-2186" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:48Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2013-06-16T16:51:48Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2013-06-16T16:51:48Z", + "modificationTime": "2023-04-01T14:50:20.293418Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.3.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30081", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F", + "credit": [ + "Mark Thomas" + ], + "semver": { + "vulnerable": [ + "[,1.3.1)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "1.3.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "title": "Apache Mailing list archives" + }, + { + "url": "http://svn.apache.org/viewvc?view=revision&revision=1565143", + "title": "Apache-SVN" + }, + { + "url": "https://www.exploit-db.com/exploits/31615", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L90", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/c61ff05b3241cb14d989b67209e57aa71540417a", + "title": "GitHub Commit" + }, + { + "url": "http://struts.apache.org/docs/s2-020.html", + "title": "Issue documentation" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", + "title": "NVD" + }, + { + "url": "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", + "title": "Oren Hafif Blog" + }, + { + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries/", + "title": "POC: Potential Exploit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-02-09T11:23:35.776405Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-02-09T11:24:59.734247Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks. An attacker may send a specially crafted `Content-Type` header that bypasses a loop's intended exit conditions, causing an infinite loop and high CPU consumption.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L90)\n- [Oren Hafif Blog](http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html)\n- [Apache-SVN](http://svn.apache.org/viewvc?view=revision&revision=1565143)\n- [Apache Mailing list archives](http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E)\n- [Issue documentation](http://struts.apache.org/docs/s2-020.html)\n", + "epssDetails": { + "percentile": "0.95131", + "probability": "0.15701", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-0050" + ], + "CWE": [ + "CWE-264" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:51Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-02-11T16:51:51Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2014-02-11T16:51:51Z", + "modificationTime": "2023-02-09T11:24:59.734247Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.3.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "TERASOLUNA Framework Development Team" + ], + "semver": { + "vulnerable": [ + "[1.3,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E", + "title": "Apache Mail Archive" + }, + { + "url": "http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h", + "title": "Apache-SVN" + }, + { + "url": "https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092", + "title": "CVE Details" + }, + { + "url": "https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml%23L84", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=1349475", + "title": "RedHat Bugzilla Bug" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-09-01T19:52:01.176252Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-01-03T17:47:04.615007Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-05-14T11:07:08.805951Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). It allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.3.2 or higher.\n## References\n- [Apache Mail Archive](http://mail-archives.us.apache.org/mod_mbox/www-announce/201606.mbox/%3C6223ece6-2b41-ef4f-22f9-d3481e492832@apache.org%3E)\n- [Apache-SVN](http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/RELEASE-NOTES.txt?r1=1745717&r2=1749637&diff_format=h)\n- [CVE Details](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-3092)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml#L84)\n- [GitHub Commit](https://github.com/apache/tomcat80/commit/d752a415a875e888d8c8d0988dfbde95c2c6fb1d)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/2c3553f3681baf775c50bb0b49ea61cb44ea914f)\n- [GitHub Commit](https://github.com/apache/tomcat/commit/8999f8243197a5f8297d0cb1a0d86ed175678a77)\n- [RedHat Bugzilla Bug](https://bugzilla.redhat.com/show_bug.cgi?id=1349475)\n", + "epssDetails": { + "percentile": "0.88996", + "probability": "0.02707", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-3092" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2016-06-22T16:51:56Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-12-25T16:51:56Z", + "modificationTime": "2023-05-14T11:07:08.805951Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30401", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[1.1,1.3.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/disk/DiskFileItem.java", + "className": "DiskFileItem", + "functionName": "readObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L65", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", + "title": "NVD" + }, + { + "url": "http://www.tenable.com/security/research/tra-2016-12", + "title": "Tenable Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-07-26T01:11:38.227729Z" + }, + { + "assigner": "SUSE", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-05-04T00:43:11.123709Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2022-10-26T19:44:19.103303Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nThe Apache Commons FileUpload library contains a Java Object that, upon deserialization, can be manipulated to write or copy files in arbitrary locations. If integrated with [`ysoserial`](https://github.com/frohoff/ysoserial), it is possible to upload and execute binaries in a single deserialization call.\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n- Apache Blog\n\n## Remediation\nUpgrade `commons-fileupload` to version 1.3.3 or higher.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031)\n- [Tenable Security](http://www.tenable.com/security/research/tra-2016-12)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L65)\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c)\n", + "epssDetails": { + "percentile": "0.91021", + "probability": "0.04227", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-1000031" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-02-22T07:28:18.753000Z", + "functions_new": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.disk.DiskFileItem", + "functionName": "readObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-10-25T14:29:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-10-26T03:04:11.895000Z", + "modificationTime": "2022-10-26T19:44:19.103303Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.3.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase$FileItemIteratorImpl.java", + "className": "FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase.java", + "className": "FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUpload.java", + "className": "FileUpload", + "functionName": "parseRequest" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L56", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814", + "title": "GitHub Commit" + } + ], + "cvssDetails": [], + "description": "## Overview\r\n[`commons-fileupload:commons-fileupload`](https://commons.apache.org/proper/commons-fileupload/) provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\r\n\r\nAffected versions of the package are vulnerable to Information Disclosure because the `InputStream` is not closed on exception.\r\n\r\n## Remediation\r\nUpgrade `commons-fileupload` to version 1.3.2 or higher.\r\n\r\n## References\r\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L56)\r\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814)", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-10-01T08:05:48.497000Z", + "functions_new": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUpload", + "functionName": "parseRequest" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-02-17T22:00:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2017-02-17T08:05:48Z", + "modificationTime": "2020-12-14T14:41:37.686165Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.3.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[1.0-beta-1, 1.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "title": "Apache Mailing List" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e", + "title": "GitHub Commit (Tomcat)" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2023-02-28T14:13:08.790066Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-02T01:10:12.884606Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-11T11:02:24.927537Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.\r\n\r\n**NOTE:** After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.5 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17)\n- [GitHub Commit (Tomcat)](https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e)\n", + "epssDetails": { + "percentile": "0.70204", + "probability": "0.00408", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-24998" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2023-02-21T08:19:49.294883Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-21T08:00:22Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2023-02-21T09:23:34.093821Z", + "modificationTime": "2023-03-11T11:02:24.927537Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.3" + }, + { + "id": "SNYK-JAVA-COMMONSIO-1277109", + "title": "Directory Traversal", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:F", + "credit": [ + "Lukas Euler" + ], + "semver": { + "vulnerable": [ + "[0, 2.7)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "2.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-io:commons-io", + "references": [ + { + "url": "https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/IO-556", + "title": "Jira Issue" + }, + { + "url": "https://github.com/AlAIAL90/CVE-2021-29425", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2022-05-03T22:22:20.737922Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2022-11-27T21:15:33.088611Z" + }, + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 4.8, + "modificationTime": "2022-10-28T01:10:29.412127Z" + } + ], + "description": "## Overview\n[commons-io:commons-io](https://search.maven.org/artifact/commons-io/commons-io) is a The Apache Commons IO library contains utility classes, stream implementations, file filters, file comparators, endian transformation classes, and much more.\n\nAffected versions of this package are vulnerable to Directory Traversal via calling the method FileNameUtils.normalize using an improper string like `//../foo` or `\\\\..\\foo`, which may allow access to files in the parent directory.\n\n## Details\n\nA Directory Traversal attack (also known as path traversal) aims to access files and directories that are stored outside the intended folder. By manipulating files with \"dot-dot-slash (../)\" sequences and its variations, or by using absolute file paths, it may be possible to access arbitrary files and directories stored on file system, including application source code, configuration, and other critical system files.\n\nDirectory Traversal vulnerabilities can be generally divided into two types:\n\n- **Information Disclosure**: Allows the attacker to gain information about the folder structure or read the contents of sensitive files on the system.\n\n`st` is a module for serving static files on web pages, and contains a [vulnerability of this type](https://snyk.io/vuln/npm:st:20140206). In our example, we will serve files from the `public` route.\n\nIf an attacker requests the following URL from our server, it will in turn leak the sensitive private key of the root user.\n\n```\ncurl http://localhost:8080/public/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/root/.ssh/id_rsa\n```\n**Note** `%2e` is the URL encoded version of `.` (dot).\n\n- **Writing arbitrary files**: Allows the attacker to create or replace existing files. This type of vulnerability is also known as `Zip-Slip`. \n\nOne way to achieve this is by using a malicious `zip` archive that holds path traversal filenames. When each filename in the zip archive gets concatenated to the target extraction folder, without validation, the final path ends up outside of the target folder. If an executable or a configuration file is overwritten with a file containing malicious code, the problem can turn into an arbitrary code execution issue quite easily.\n\nThe following is an example of a `zip` archive with one benign file and one malicious file. Extracting the malicious file will result in traversing out of the target folder, ending up in `/root/.ssh/` overwriting the `authorized_keys` file:\n\n```\n2018-04-15 22:04:29 ..... 19 19 good.txt\n2018-04-15 22:04:42 ..... 20 20 ../../../../../../root/.ssh/authorized_keys\n```\n\n## Remediation\nUpgrade `commons-io:commons-io` to version 2.7 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/commons-io/commit/fe7543eee5cd4b2f9e78aa44c31031b68eba204d)\n- [Jira Issue](https://issues.apache.org/jira/browse/IO-556)\n- [PoC](https://github.com/AlAIAL90/CVE-2021-29425)\n", + "epssDetails": { + "percentile": "0.57769", + "probability": "0.00210", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-29425" + ], + "CWE": [ + "CWE-22", + "CWE-20" + ], + "GHSA": [ + "GHSA-gwrp-pvrq-jmwv" + ] + }, + "packageName": "commons-io:commons-io", + "proprietary": false, + "creationTime": "2021-04-27T10:51:05.462338Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-04-26T16:04:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-io", + "artifactId": "commons-io" + }, + "publicationTime": "2021-04-27T14:26:12Z", + "modificationTime": "2022-11-27T21:15:33.088611Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-2186@1.0.0", + "commons-fileupload:commons-fileupload@1.3", + "commons-io:commons-io@2.2" + ], + "upgradePath": [ + false, + "commons-fileupload:commons-fileupload@1.5", + "commons-io:commons-io@2.11.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-io:commons-io", + "version": "2.2" + } + ], + "ok": false, + "dependencyCount": 2, + "org": "wtwhite", + "policy": "# Snyk (https://snyk.io) policy file, patches or ignores known vulnerabilities.\nversion: v1.25.1\nignore: {}\npatch: {}\n", + "isPrivate": true, + "licensesPolicy": { + "severities": {}, + "orgLicenseRules": { + "AGPL-1.0": { + "licenseType": "AGPL-1.0", + "severity": "high", + "instructions": "" + }, + "AGPL-3.0": { + "licenseType": "AGPL-3.0", + "severity": "high", + "instructions": "" + }, + "Artistic-1.0": { + "licenseType": "Artistic-1.0", + "severity": "medium", + "instructions": "" + }, + "Artistic-2.0": { + "licenseType": "Artistic-2.0", + "severity": "medium", + "instructions": "" + }, + "CDDL-1.0": { + "licenseType": "CDDL-1.0", + "severity": "medium", + "instructions": "" + }, + "CPOL-1.02": { + "licenseType": "CPOL-1.02", + "severity": "high", + "instructions": "" + }, + "EPL-1.0": { + "licenseType": "EPL-1.0", + "severity": "medium", + "instructions": "" + }, + "GPL-2.0": { + "licenseType": "GPL-2.0", + "severity": "high", + "instructions": "" + }, + "GPL-3.0": { + "licenseType": "GPL-3.0", + "severity": "high", + "instructions": "" + }, + "LGPL-2.0": { + "licenseType": "LGPL-2.0", + "severity": "medium", + "instructions": "" + }, + "LGPL-2.1": { + "licenseType": "LGPL-2.1", + "severity": "medium", + "instructions": "" + }, + "LGPL-3.0": { + "licenseType": "LGPL-3.0", + "severity": "medium", + "instructions": "" + }, + "MPL-1.1": { + "licenseType": "MPL-1.1", + "severity": "medium", + "instructions": "" + }, + "MPL-2.0": { + "licenseType": "MPL-2.0", + "severity": "medium", + "instructions": "" + }, + "MS-RL": { + "licenseType": "MS-RL", + "severity": "medium", + "instructions": "" + }, + "SimPL-2.0": { + "licenseType": "SimPL-2.0", + "severity": "high", + "instructions": "" + } + } + }, + "packageManager": "maven", + "ignoreSettings": { + "adminOnly": false, + "reasonRequired": false, + "disregardFilesystemIgnores": false + }, + "summary": "7 vulnerable dependency paths", + "remediation": { + "unresolved": [], + "upgrade": { + "commons-fileupload:commons-fileupload@1.3": { + "upgradeTo": "commons-fileupload:commons-fileupload@1.5", + "upgrades": [ + "commons-fileupload:commons-fileupload@1.3", + "commons-io:commons-io@2.2", + "commons-fileupload:commons-fileupload@1.3", + "commons-fileupload:commons-fileupload@1.3", + "commons-fileupload:commons-fileupload@1.3", + "commons-fileupload:commons-fileupload@1.3", + "commons-fileupload:commons-fileupload@1.3" + ], + "vulns": [ + "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "SNYK-JAVA-COMMONSIO-1277109", + "SNYK-JAVA-COMMONSFILEUPLOAD-30401", + "SNYK-JAVA-COMMONSFILEUPLOAD-30082", + "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "SNYK-JAVA-COMMONSFILEUPLOAD-30080", + "SNYK-JAVA-COMMONSFILEUPLOAD-30081" + ] + } + }, + "patch": {}, + "ignore": {}, + "pin": {} + }, + "filesystemPolicy": false, + "filtered": { + "ignore": [], + "patch": [] + }, + "uniqueCount": 7, + "projectName": "io.github.jensdietrich.xshady:CVE-2013-2186", + "displayTargetFile": "pom.xml", + "hasUnknownVersions": false, + "path": "/home/wtwhite/code/xshady/CVE-2013-2186" +} diff --git a/CVE-2013-2186/scan-results/steady/steady-report.json b/CVE-2013-2186/scan-results/steady/steady-report.json new file mode 100644 index 0000000..640f499 --- /dev/null +++ b/CVE-2013-2186/scan-results/steady/steady-report.json @@ -0,0 +1,58 @@ +{ + "vulasReport": { + "generatedAt": "05.10.2023 10:48 +1300", + "generatedFor": { + "space": "$space.getSpaceToken()", + "groupId": "io.github.jensdietrich.xshady", + "artifactId": "CVE-2013-2186", + "version": "1.0.0" + }, + "isAggregated": false, + + "aggregatedModules": [], + + "configuration": [ + { "name": "exceptionThreshold", + "value": "dependsOn" }, + { "name": "exemptScopes", + "value": "TEST, PROVIDED" }, + { "name": "exemptBugs", + "value": "" } + ], + + "vulnerabilities": [ + + { + + "bug":{ + "id":"CVE-2021-29425", + "cvssScore": "4.8" , + "cvssVersion": "3.1" + }, + "filename": "commons-io-2.2.jar", + "sha1": "83B5B8A7BA1C08F9E8C8FF2373724E33D3C1E22A", + + "modules": [ + + { + + "groupId": "io.github.jensdietrich.xshady", + "artifactId": "CVE-2013-2186", + "version": "1.0.0", + + "href": "http://localhost:8033/backend/../apps/#/$space.getSpaceToken()/io.github.jensdietrich.xshady/CVE-2013-2186/1.0.0", + + "scope": "COMPILE", + "isTransitive": true, + + "containsVulnerableCode": "unknown", + + "potentiallyExecutesVulnerableCode": "noLibraryCodeAtAll", + + "actuallyExecutesVulnerableCode": "noLibraryCodeAtAll" + } + ] + } + ] + } +} diff --git a/CVE-2013-5960/scan-results/dependency-check/dependency-check-report.json b/CVE-2013-5960/scan-results/dependency-check/dependency-check-report.json new file mode 100644 index 0000000..ec40803 --- /dev/null +++ b/CVE-2013-5960/scan-results/dependency-check/dependency-check-report.json @@ -0,0 +1,18346 @@ +{ + "reportSchema" : "1.1", + "scanInfo" : { + "engineVersion" : "8.2.1", + "dataSource" : [ { + "name" : "NVD CVE Checked", + "timestamp" : "2023-10-05T09:58:30" + }, { + "name" : "NVD CVE Modified", + "timestamp" : "2023-10-05T09:00:02" + }, { + "name" : "VersionCheckOn", + "timestamp" : "2023-10-04T16:15:34" + }, { + "name" : "kev.checked", + "timestamp" : "1696389337" + } ] + }, + "projectInfo" : { + "name" : "CVE-2013-5960", + "groupID" : "io.github.jensdietrich.xshady", + "artifactID" : "CVE-2013-5960", + "version" : "1.0.0", + "reportDate" : "2023-10-04T22:15:15.377321867Z", + "credits" : { + "NVD" : "This report contains data retrieved from the National Vulnerability Database: https://nvd.nist.gov", + "CISA" : "This report may contain data retrieved from the CISA Known Exploited Vulnerability Catalog: https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "NPM" : "This report may contain data retrieved from the Github Advisory Database (via NPM Audit API): https://github.com/advisories/", + "RETIREJS" : "This report may contain data retrieved from the RetireJS community: https://retirejs.github.io/retire.js/", + "OSSINDEX" : "This report may contain data retrieved from the Sonatype OSS Index: https://ossindex.sonatype.org" + } + }, + "dependencies" : [ { + "isVirtual" : false, + "fileName" : "antisamy-1.4.3.jar", + "filePath" : "/home/wtwhite/.m2/repository/org/owasp/antisamy/antisamy/1.4.3/antisamy-1.4.3.jar", + "md5" : "9c7777853e159535f4d510b4dc0a88a9", + "sha1" : "6bac1ebc43ac3db223f592ce904ac4c2f3ef26e5", + "sha256" : "a1e7e3cf60798f4b6024d68dec65baa52ec7ad09cff136c4d675a54c408db618", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "antisamy" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "antisamy" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "owasp" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Open Web Application Security Project (OWASP)" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.owasp.antisamy" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "antisamy" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "antisamy" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.owasp.antisamy" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "OWASP AntiSamy" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "antisamy-project" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "antisamy" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "antisamy" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "owasp" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "OWASP AntiSamy" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "antisamy" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.owasp.antisamy" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "OWASP AntiSamy" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "antisamy-project" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.4.3" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.4.3" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.4.3" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/org.owasp.antisamy/antisamy@1.4.3", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/org.owasp.antisamy/antisamy@1.4.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:antisamy_project:antisamy:1.4.3:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aantisamy_project&cpe_product=cpe%3A%2F%3Aantisamy_project%3Aantisamy&cpe_version=cpe%3A%2F%3Aantisamy_project%3Aantisamy%3A1.4.3" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2022-28366", + "severity" : "HIGH", + "cvssv2" : { + "score" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "2.9" + }, + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "NVD-CWE-noinfo" ], + "description" : "Certain Neko-related HTML parsers allow a denial of service via crafted Processing Instruction (PI) input that causes excessive heap memory consumption. In particular, this issue exists in HtmlUnit-Neko through 2.26, and is fixed in 2.27. This issue also exists in CyberNeko HTML through 1.9.22 (also affecting OWASP AntiSamy before 1.6.6), but 1.9.22 is the last version of CyberNeko HTML. NOTE: this may be related to CVE-2022-24839.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.6", + "name" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" + }, { + "source" : "MISC", + "url" : "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/", + "name" : "https://sourceforge.net/projects/htmlunit/files/htmlunit/2.27/" + }, { + "source" : "MISC", + "url" : "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit", + "name" : "https://search.maven.org/artifact/net.sourceforge.htmlunit/neko-htmlunit" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.6.6" + } + }, { + "software" : { + "id" : "cpe:2.3:a:cyberneko_html_project:cyberneko_html:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "1.9.22" + } + }, { + "software" : { + "id" : "cpe:2.3:a:htmlunit_project:htmlunit:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.27" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2016-10006", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 4.3, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "2.9", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 6.1, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "CHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.8", + "impactScore" : "2.7", + "version" : "3.1" + }, + "cwes" : [ "CWE-79" ], + "description" : "In OWASP AntiSamy before 1.5.5, by submitting a specially crafted input (a tag that supports style with active content), you could bypass the library protections and supply executable code. The impact is XSS.", + "notes" : "", + "references" : [ { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/95101", + "name" : "95101" + }, { + "source" : "CONFIRM", + "url" : "https://github.com/nahsra/antisamy/issues/2", + "name" : "https://github.com/nahsra/antisamy/issues/2" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1037532", + "name" : "1037532" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.5.5" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2017-14735", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 4.3, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "2.9", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 6.1, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "CHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.8", + "impactScore" : "2.7", + "version" : "3.0" + }, + "cwes" : [ "CWE-79" ], + "description" : "OWASP AntiSamy before 1.5.7 allows XSS via HTML5 entities, as demonstrated by use of : to construct a javascript: URL.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://github.com/nahsra/antisamy/issues/10", + "name" : "https://github.com/nahsra/antisamy/issues/10" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/105656", + "name" : "105656" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14735", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2017-14735" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, { + "source" : "CONFIRM", + "url" : "https://github.com/nahsra/antisamy/issues/10", + "name" : "https://github.com/nahsra/antisamy/issues/10" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2020.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2017-14735?component-type=maven&component-name=org.owasp.antisamy%2Fantisamy&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2017-14735] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.5.7" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2021-35043", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 4.3, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "2.9", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 6.1, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "CHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.8", + "impactScore" : "2.7", + "version" : "3.1" + }, + "cwes" : [ "CWE-79" ], + "description" : "OWASP AntiSamy before 1.6.4 allows XSS via HTML attributes when using the HTML output serializer (XHTML is not affected). This was demonstrated by a javascript: URL with : as the replacement for the : character.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/pull/87", + "name" : "https://github.com/nahsra/antisamy/pull/87" + }, { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.4", + "name" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.4" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.6.4" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_management:2.12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_enterprise_default_managment:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.3.0", + "versionEndIncluding" : "2.4.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "2.3.0", + "versionEndIncluding" : "2.4.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:11.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_central_office:14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-28367", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 4.3, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "2.9", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 6.1, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "CHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.8", + "impactScore" : "2.7", + "version" : "3.1" + }, + "cwes" : [ "CWE-79" ], + "description" : "OWASP AntiSamy before 1.6.6 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://github.com/nahsra/antisamy/pull/162", + "name" : "https://github.com/nahsra/antisamy/pull/162" + }, { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae", + "name" : "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae" + }, { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.6", + "name" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-28367?component-type=maven&component-name=org.owasp.antisamy%2Fantisamy&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-28367] CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.6", + "name" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.6" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28367", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-28367" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.6.6" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-29577", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 4.3, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "2.9", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 6.1, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "CHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.8", + "impactScore" : "2.7", + "version" : "3.1" + }, + "cwes" : [ "CWE-79" ], + "description" : "OWASP AntiSamy before 1.6.7 allows XSS via HTML tag smuggling on STYLE content with crafted input. The output serializer does not properly encode the supposed Cascading Style Sheets (CSS) content. NOTE: this issue exists because of an incomplete fix for CVE-2022-28367.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0", + "name" : "https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0" + }, { + "source" : "MISC", + "url" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.7", + "name" : "https://github.com/nahsra/antisamy/releases/tag/v1.6.7" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:antisamy_project:antisamy:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.6.7" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "avalon-framework-4.1.3.jar", + "filePath" : "/home/wtwhite/.m2/repository/avalon-framework/avalon-framework/4.1.3/avalon-framework-4.1.3.jar", + "md5" : "bef9f9be8ba066273fdef72b3503a307", + "sha1" : "92315ee1c4a4c90bee05055713811f28f8509075", + "sha256" : "17731fe321a7a7cc3b56cb797634b8ec29fa0322004886a1523bbc7bc7eecf71", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "avalon-framework" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "avalon" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "framework" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "avalon-framework" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "avalon-framework" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "avalon-framework" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "avalon-framework" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "avalon-framework" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "avalon" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "framework" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "avalon-framework" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "avalon-framework" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "avalon-framework" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "4.1.3" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "4.1.3" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "4.1.3" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/avalon-framework/avalon-framework@4.1.3", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/avalon-framework/avalon-framework@4.1.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "batik-css-1.7.jar", + "filePath" : "/home/wtwhite/.m2/repository/org/apache/xmlgraphics/batik-css/1.7/batik-css-1.7.jar", + "md5" : "b0203e64b3c06729baa0ef84743ab119", + "sha1" : "e6bb5c85753331534593f33fb9236acb41a0ab79", + "sha256" : "91694732cee7c2b2b8bf6792842867407eaa816be065087f1f444fc06b46b578", + "license" : "The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "relatedDependencies" : [ { + "isVirtual" : false, + "fileName" : "batik-ext-1.7.jar", + "filePath" : "/home/wtwhite/.m2/repository/org/apache/xmlgraphics/batik-ext/1.7/batik-ext-1.7.jar", + "sha256" : "de85a6de7cdd36ee9ff28dfe7e03d515be92a702d61028f8928c0cd56f1ee375", + "sha1" : "4784302b44a0336166fef6153a5e3d73e861aecc", + "md5" : "080f3a49c658693dfbb4e48b0bfc8f07", + "packageIds" : [ { + "id" : "pkg:maven/org.apache.xmlgraphics/batik-ext@1.7", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlgraphics/batik-ext@1.7?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "batik-util-1.7.jar", + "filePath" : "/home/wtwhite/.m2/repository/org/apache/xmlgraphics/batik-util/1.7/batik-util-1.7.jar", + "sha256" : "9e3f1f53bfccdc942dbe2ceaa94ffe23c63ba3703e40941572205420dfcad81e", + "sha1" : "5c4dd0dd9a86a2fba2c6ea26fb62b32b21b2a61e", + "md5" : "99f99684b6df6200e529575dccce9970", + "packageIds" : [ { + "id" : "pkg:maven/org.apache.xmlgraphics/batik-util@1.7", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlgraphics/batik-util@1.7?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "batik-css" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "batik" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "css" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "engine" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Apache Software Foundation (http://xmlgraphics.apache.org/batik/)" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "batik-css" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "batik-css" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.apache.xmlgraphics" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Batik CSS engine" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://www.apache.org/" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://xmlgraphics.apache.org/batik/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "batik-css" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "batik" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "css" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "engine" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Batik CSS engine" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "batik-css" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.apache.xmlgraphics" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Batik CSS engine" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://www.apache.org/" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://xmlgraphics.apache.org/batik/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.7" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.7" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/org.apache.xmlgraphics/batik-css@1.7", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/org.apache.xmlgraphics/batik-css@1.7?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:batik:1.7:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Abatik&cpe_version=cpe%3A%2F%3Aapache%3Abatik%3A1.7" + }, { + "id" : "cpe:2.3:a:apache:xml_graphics_batik:1.7:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Axml_graphics_batik&cpe_version=cpe%3A%2F%3Aapache%3Axml_graphics_batik%3A1.7" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2018-8013", + "severity" : "CRITICAL", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 9.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "CRITICAL", + "exploitabilityScore" : "3.9", + "impactScore" : "5.9", + "version" : "3.0" + }, + "cwes" : [ "CWE-502" ], + "description" : "In Apache Batik 1.x before 1.10, when deserializing subclass of `AbstractDocument`, the class takes a string from the inputStream as the class name which then use it to call the no-arg constructor of the class. Fix was to check the class type before calling newInstance in deserialization.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2020.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2018/05/msg00016.html", + "name" : "[debian-lts-announce] 20180525 [SECURITY] [DLA 1385-1] batik security update" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2018/dsa-4215", + "name" : "DSA-4215" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1040995", + "name" : "1040995" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, { + "source" : "UBUNTU", + "url" : "https://usn.ubuntu.com/3661-1/", + "name" : "USN-3661-1" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/104252", + "name" : "104252" + }, { + "source" : "CONFIRM", + "url" : "https://xmlgraphics.apache.org/security.html", + "name" : "https://xmlgraphics.apache.org/security.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc0a31867796043fbe59113fb654fe8b13309fe04f8935acb8d0fab19@%3Ccommits.xmlgraphics.apache.org%3E", + "name" : "[xmlgraphics-commits] 20200615 svn commit: r1878850 - /xmlgraphics/site/trunk/content/security.mdtext" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, { + "source" : "MLIST", + "url" : "https://mail-archives.apache.org/mod_mbox/xmlgraphics-batik-dev/201805.mbox/%3c000701d3f28f$d01860a0$704921e0$@gmail.com%3e", + "name" : "[xmlgraphics-batik-dev] 20180523 [CVE-2018-8013] Apache Batik information disclosure vulnerability" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9e90b4d1cf6ea87a79bb506541140dfbf4801f4463a7cee08126ee44@%3Ccommits.xmlgraphics.apache.org%3E", + "name" : "[xmlgraphics-commits] 20200615 svn commit: r1878851 - /xmlgraphics/site/trunk/content/security.mdtext" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndExcluding" : "1.10" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:11.1.1.7.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:11.1.1.9.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_diameter_signaling_router:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "8.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_webrtc_session_controller:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "7.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_repository:12.1.3.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "7.3.3.0.0", + "versionEndIncluding" : "7.3.3.0.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.0.0.0", + "versionEndIncluding" : "8.0.7.1.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_calculation_engine:10.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_calculation_engine:10.2.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration_j2ee:10.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:13.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:13.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:17.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:5.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:5.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:13.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2020-11987", + "severity" : "HIGH", + "cvssv2" : { + "score" : 6.4, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "4.9" + }, + "cvssv3" : { + "baseScore" : 8.2, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "4.2", + "version" : "3.1" + }, + "cwes" : [ "CWE-20", "CWE-918" ], + "description" : "Apache Batik 1.13 is vulnerable to server-side request forgery, caused by improper input validation by the NodePickerPanel. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://xmlgraphics.apache.org/security.html", + "name" : "https://xmlgraphics.apache.org/security.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2877ae10e8be56a3c52d03e373512ddd32f16b863f24c2e22f5a5ba2@%3Cdev.poi.apache.org%3E", + "name" : "[poi-dev] 20210308 [Bug 65166] Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "FEDORA", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JEDID4DAVPECE6O4QQCSIS75BLLBUUAM/", + "name" : "FEDORA-2021-33a1b73e48" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r588d05a0790b40a0eb81088252e1e8c1efb99706631421f17038eb05@%3Cdev.poi.apache.org%3E", + "name" : "[poi-dev] 20210304 [Bug 65166] New: Apache Batik 1.13 vulnerabilities (CVE-2020-11987, CVE-2020-11988)" + }, { + "source" : "FEDORA", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/W7EAYO5XIHD6OIEA3HPK64UDDBSLNAC5/", + "name" : "FEDORA-2021-65ff5f10e2" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.13" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:18.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:19.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:19.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:20.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_apis:21.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:18.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:19.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:19.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:20.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_digital_experience:21.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_universal_banking:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "14.1.0", + "versionEndIncluding" : "14.4.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:17.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:17.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:17.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_policy_administration:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "11.0", + "versionEndIncluding" : "11.3.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2019-17566", + "severity" : "HIGH", + "cvssv2" : { + "score" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "2.9" + }, + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "HIGH", + "availabilityImpact" : "NONE", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-918" ], + "description" : "Apache Batik is vulnerable to server-side request forgery, caused by improper input validation by the \"xlink:href\" attributes. By using a specially-crafted argument, an attacker could exploit this vulnerability to cause the underlying server to make arbitrary GET requests.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://xmlgraphics.apache.org/security.html", + "name" : "https://xmlgraphics.apache.org/security.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rcab14a9ec91aa4c151e0729966282920423eff50a22759fd21db6509@%3Ccommits.myfaces.apache.org%3E", + "name" : "[myfaces-commits] 20201211 [myfaces-tobago] 21/22: Update batik dependency from 1.9 to 1.13, because of CVE-2019-17566" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2021.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2021.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rab94fe68b180d2e2fba97abf6fe1ec83cff826be25f86cd90f047171@%3Ccommits.myfaces.apache.org%3E", + "name" : "[myfaces-commits] 20201120 [myfaces-tobago] branch tobago-2.x updated: Update batik dependency from 1.9 to 1.13, because of CVE-2019-17566" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.13" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:api_gateway:11.1.2.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:5.5.0.0.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_application_session_controller:3.9m0p2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "6.3.0", + "versionEndIncluding" : "6.3.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_repository:11.1.1.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.6", + "versionEndIncluding" : "8.1.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware_mapviewer:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_financial_reporting:11.1.2.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_financial_reporting:11.2.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:instantis_enterprisetrack:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.1", + "versionEndIncluding" : "17.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.4.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.4.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:15.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_broker:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_order_management_system_cloud_service:19.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-41704", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "NONE", + "availabilityImpact" : "NONE", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-918" ], + "description" : "A vulnerability in Batik of Apache XML Graphics allows an attacker to run untrusted Java code from an SVG. This issue affects Apache XML Graphics prior to 1.16. It is recommended to update to version 1.16.", + "notes" : "", + "references" : [ { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html", + "name" : "[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf", + "name" : "https://lists.apache.org/thread/hplhx0o74jb7blj39fm4kw3otcnjd6xf" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2022/dsa-5264", + "name" : "DSA-5264" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/10/25/2", + "name" : "[oss-security] 20221025 [CVE-2022-41704] Apache Batik information disclosure vulnerability" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndExcluding" : "1.16" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-42890", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "NONE", + "availabilityImpact" : "NONE", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-918" ], + "description" : "A vulnerability in Batik of Apache XML Graphics allows an attacker to run Java code from untrusted SVG via JavaScript. This issue affects Apache XML Graphics prior to 1.16. Users are recommended to upgrade to version 1.16.", + "notes" : "", + "references" : [ { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2022/10/msg00038.html", + "name" : "[debian-lts-announce] 20221029 [SECURITY] [DLA 3169-1] batik security update" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly", + "name" : "https://lists.apache.org/thread/pkvhy0nsj1h1mlon008wtzhosbtxjwly" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/10/25/3", + "name" : "[oss-security] 20221025 [CVE-2022-42890] Apache Batik information disclosure vulnerability" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2022/dsa-5264", + "name" : "DSA-5264" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndExcluding" : "1.16" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2017-5662", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.9, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "SINGLE", + "confidentialImpact" : "COMPLETE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "6.8", + "impactScore" : "9.2", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 7.3, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "2.1", + "impactScore" : "5.2", + "version" : "3.0" + }, + "cwes" : [ "CWE-611" ], + "description" : "In Apache Batik before 1.9, files lying on the filesystem of the server which uses batik can be revealed to arbitrary users who send maliciously formed SVG files. The file types that can be shown depend on the user context in which the exploitable application is running. If the user is root a full compromise of the server - including confidential or sensitive files - would be possible. XXE can also be used to attack the availability of the server via denial of service as the references within a xml document can trivially trigger an amplification attack.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2020.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:2546", + "name" : "RHSA-2017:2546" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2018/dsa-4215", + "name" : "DSA-4215" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "CONFIRM", + "url" : "https://xmlgraphics.apache.org/security.html", + "name" : "https://xmlgraphics.apache.org/security.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:2547", + "name" : "RHSA-2017:2547" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1038334", + "name" : "1038334" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/97948", + "name" : "97948" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:0319", + "name" : "RHSA-2018:0319" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.8" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-44729", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.1, + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "1.8", + "impactScore" : "5.2", + "version" : "3.1" + }, + "cwes" : [ "CWE-918" ], + "description" : "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nOn version 1.16, a malicious SVG could trigger loading external resources by default, causing resource consumption or in some cases even information disclosure. Users are recommended to upgrade to version 1.17 or later.\n\n", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://xmlgraphics.apache.org/security.html", + "name" : "https://xmlgraphics.apache.org/security.html" + }, { + "source" : "MISC", + "url" : "http://www.openwall.com/lists/oss-security/2023/08/22/2", + "name" : "http://www.openwall.com/lists/oss-security/2023/08/22/2" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2", + "name" : "https://lists.apache.org/thread/hco2nw1typoorz33qzs0fcdx0ws6d6j2" + }, { + "source" : "MISC", + "url" : "http://www.openwall.com/lists/oss-security/2023/08/22/4", + "name" : "http://www.openwall.com/lists/oss-security/2023/08/22/4" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndIncluding" : "1.16" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2015-0250", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 6.4, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "4.9" + }, + "cwes" : [ "NVD-CWE-Other" ], + "description" : "XML external entity (XXE) vulnerability in the SVG to (1) PNG and (2) JPG conversion classes in Apache Batik 1.x before 1.8 allows remote attackers to read arbitrary files or cause a denial of service via a crafted SVG file.", + "notes" : "", + "references" : [ { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-0042.html", + "name" : "RHSA-2016:0042" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2015/dsa-3205", + "name" : "DSA-3205" + }, { + "source" : "MISC", + "url" : "http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html", + "name" : "http://packetstormsecurity.com/files/130964/Apache-Batik-XXE-Injection.html" + }, { + "source" : "MANDRIVA", + "url" : "http://www.mandriva.com/security/advisories?name=MDVSA-2015:203", + "name" : "MDVSA-2015:203" + }, { + "source" : "CONFIRM", + "url" : "http://xmlgraphics.apache.org/security.html", + "name" : "http://xmlgraphics.apache.org/security.html" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1032781", + "name" : "1032781" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2548-1", + "name" : "USN-2548-1" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-0041.html", + "name" : "RHSA-2016:0041" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21963275", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21963275" + }, { + "source" : "FULLDISC", + "url" : "http://seclists.org/fulldisclosure/2015/Mar/142", + "name" : "20150322 [CVE-2015-0250] Apache Batik Information Disclosure Vulnerability (XXE Injection)" + }, { + "source" : "CONFIRM", + "url" : "http://advisories.mageia.org/MGASA-2015-0138.html", + "name" : "http://advisories.mageia.org/MGASA-2015-0138.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.7" + } + }, { + "software" : { + "id" : "cpe:2.3:a:redhat:jboss_enterprise_brms_platform:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "6.1.2" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-44730", + "severity" : "MEDIUM", + "cvssv3" : { + "baseScore" : 4.4, + "attackVector" : "LOCAL", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "1.8", + "impactScore" : "2.5", + "version" : "3.1" + }, + "cwes" : [ "CWE-918" ], + "description" : "Server-Side Request Forgery (SSRF) vulnerability in Apache Software Foundation Apache XML Graphics Batik.This issue affects Apache XML Graphics Batik: 1.16.\n\nA malicious SVG can probe user profile / data and send it directly as parameter to a URL.\n\n", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://xmlgraphics.apache.org/security.html", + "name" : "https://xmlgraphics.apache.org/security.html" + }, { + "source" : "MISC", + "url" : "http://www.openwall.com/lists/oss-security/2023/08/22/3", + "name" : "http://www.openwall.com/lists/oss-security/2023/08/22/3" + }, { + "source" : "MISC", + "url" : "http://www.openwall.com/lists/oss-security/2023/08/22/5", + "name" : "http://www.openwall.com/lists/oss-security/2023/08/22/5" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0", + "name" : "https://lists.apache.org/thread/58m5817jr059f4v1zogh0fngj9pwjyj0" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xml_graphics_batik:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndIncluding" : "1.16" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "bsh-core-2.0b4.jar", + "filePath" : "/home/wtwhite/.m2/repository/org/beanshell/bsh-core/2.0b4/bsh-core-2.0b4.jar", + "md5" : "bab431f0908fde87034f0c34c6cf1e30", + "sha1" : "495e25a99e29970ffe8ba0b1d551e1d1a9991fc1", + "sha256" : "d7cfeb28b2af7b53ef570dd742b8731ed7f71a938e6e9a73384940f4c818d069", + "description" : "BeanShell core", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "bsh-core" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "hint analyzer", + "name" : "vendor", + "value" : "beanshell_project" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "bsh" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Pat Niemeyer (pat@pat.net)" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "http://www.beanshell.org/" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "bsh-core" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "bsh-core" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.beanshell" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "BeanShell core" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "beanshell" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "bsh-core" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "hint analyzer", + "name" : "product", + "value" : "beanshell" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "bsh" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "BeanShell core" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "bsh-core" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.beanshell" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "BeanShell core" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "beanshell" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.0b4" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/org.beanshell/bsh-core@2.0b4", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/org.beanshell/bsh-core@2.0b4?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:beanshell:beanshell:2.0:b4:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Abeanshell&cpe_product=cpe%3A%2F%3Abeanshell%3Abeanshell&cpe_version=cpe%3A%2F%3Abeanshell%3Abeanshell%3A2.0" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2016-2510", + "severity" : "HIGH", + "cvssv2" : { + "score" : 6.8, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 8.1, + "attackVector" : "NETWORK", + "attackComplexity" : "HIGH", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "2.2", + "impactScore" : "5.9", + "version" : "3.1" + }, + "cwes" : [ "CWE-19" ], + "description" : "BeanShell (bsh) before 2.0b6, when included on the classpath by an application that uses Java serialization or XStream, allows remote attackers to execute arbitrary code via crafted serialized data, related to XThis.Handler.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2020.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00078.html", + "name" : "openSUSE-SU-2016:0833" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2016:1376", + "name" : "RHSA-2016:1376" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2016-2510?component-type=maven&component-name=org.beanshell%2Fbsh-core&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2016-2510] CWE-19" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2035.html", + "name" : "RHSA-2016:2035" + }, { + "source" : "CONFIRM", + "url" : "https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced", + "name" : "https://github.com/beanshell/beanshell/commit/1ccc66bb693d4e46a34a904db8eeff07808d2ced" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2016-03/msg00056.html", + "name" : "openSUSE-SU-2016:0788" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2510", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-2510" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201607-17", + "name" : "GLSA-201607-17" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1035440", + "name" : "1035440" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-0539.html", + "name" : "RHSA-2016:0539" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2923-1", + "name" : "USN-2923-1" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3504", + "name" : "DSA-3504" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/beanshell/beanshell/releases/tag/2.0b6", + "name" : "https://github.com/beanshell/beanshell/releases/tag/2.0b6" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/84139", + "name" : "84139" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-0540.html", + "name" : "RHSA-2016:0540" + }, { + "source" : "MISC", + "url" : "https://github.com/frohoff/ysoserial/pull/13", + "name" : "https://github.com/frohoff/ysoserial/pull/13" + }, { + "source" : "CONFIRM", + "url" : "https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49", + "name" : "https://github.com/beanshell/beanshell/commit/7c68fde2d6fc65e362f20863d868c112a90a9b49" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2016:1135", + "name" : "RHSA-2016:1135" + }, { + "source" : "CONFIRM", + "url" : "https://github.com/beanshell/beanshell/releases/tag/2.0b6", + "name" : "https://github.com/beanshell/beanshell/releases/tag/2.0b6" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2019:1545", + "name" : "RHSA-2019:1545" + }, { + "source" : "MISC", + "url" : "https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf", + "name" : "https://www.rsaconference.com/writable/presentations/file_upload/asd-f03-serial-killer-silently-pwning-your-java-endpoints.pdf" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:beanshell:beanshell:1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:beanshell:beanshell:2.0:beta1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:beanshell:beanshell:2.0:beta4:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + }, { + "software" : { + "id" : "cpe:2.3:a:beanshell:beanshell:2.0:beta5:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-beanutils-1.7.0.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar", + "md5" : "0f18acf5fa857f9959675e14d901a7ce", + "sha1" : "5675fd96b29656504b86029551973d60fb41339b", + "sha256" : "24bcaa20ccbdc7c856ce0c0aea144566943403e2e9f27bd9779cda1d76823ef4", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-beanutils" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "beanutils" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.beanutils" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-beanutils" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-beanutils" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-beanutils" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-beanutils" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "beanutils" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.beanutils" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "org.apache.commons.beanutils" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Jakarta Commons Beanutils" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-beanutils" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-beanutils" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.7.0" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.7.0" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-beanutils/commons-beanutils@1.7.0", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-beanutils/commons-beanutils@1.7.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_beanutils:1.7.0:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_beanutils&cpe_version=cpe%3A%2F%3Aapache%3Acommons_beanutils%3A1.7.0" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2014-0114", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cwes" : [ "CWE-20" ], + "description" : "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", + "name" : "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, { + "source" : "CONFIRM", + "url" : "http://advisories.mageia.org/MGASA-2014-0219.html", + "name" : "http://advisories.mageia.org/MGASA-2014-0219.html" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201607-09", + "name" : "GLSA-201607-09" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59430", + "name" : "59430" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675972" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E" + }, { + "source" : "FEDORA", + "url" : "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", + "name" : "FEDORA-2014-9380" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676110" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59245", + "name" : "59245" + }, { + "source" : "CONFIRM", + "url" : "https://access.redhat.com/solutions/869353", + "name" : "https://access.redhat.com/solutions/869353" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2014/dsa-2940", + "name" : "DSA-2940" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674812" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674128" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2014-0114?component-type=maven&component-name=commons-beanutils%2Fcommons-beanutils&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2014-0114] CWE-20: Improper Input Validation" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg27042296" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675387" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675266" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59704", + "name" : "59704" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676303" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59480", + "name" : "59480" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name" : "https://issues.apache.org/jira/browse/BEANUTILS-463" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59479", + "name" : "59479" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=141451023707502&w=2", + "name" : "HPSBST03160" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676375" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=140801096002766&w=2", + "name" : "HPSBMU03090" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59228", + "name" : "59228" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675898" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59246", + "name" : "59246" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "http://openwall.com/lists/oss-security/2014/07/08/1", + "name" : "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20140911-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20140911-0001/" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58851", + "name" : "58851" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59718", + "name" : "59718" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1116665" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677110" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=140119284401582&w=2", + "name" : "HPSBGN03041" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "FULLDISC", + "url" : "http://seclists.org/fulldisclosure/2014/Dec/23", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/57477", + "name" : "57477" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader", + "name" : "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60177", + "name" : "60177" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59014", + "name" : "59014" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", + "name" : "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2019:2995", + "name" : "RHSA-2019:2995" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60703", + "name" : "60703" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58947", + "name" : "58947" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59118", + "name" : "59118" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20180629-0006/", + "name" : "https://security.netapp.com/advisory/ntap-20180629-0006/" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59464", + "name" : "59464" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.ibm.com/support/docview.wss?uid=swg21675496", + "name" : "http://www.ibm.com/support/docview.wss?uid=swg21675496" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "MANDRIVA", + "url" : "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", + "name" : "MDVSA-2014:095" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58710", + "name" : "58710" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/67121", + "name" : "67121" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676931" + }, { + "source" : "BUGTRAQ", + "url" : "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "MLIST", + "url" : "http://openwall.com/lists/oss-security/2014/06/15/10", + "name" : "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:2669", + "name" : "RHSA-2018:2669" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name" : "https://issues.apache.org/jira/browse/BEANUTILS-463" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.9.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2019-10086", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 7.3, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "LOW", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.4", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E", + "name" : "[nifi-commits] 20210907 [nifi] branch main updated: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 NIFI-9170 Add two more 1.9.4 references to close out the few things identified by the Maven dependency plugin." + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2021.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2021.html" + }, { + "source" : "FEDORA", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/", + "name" : "FEDORA-2019-79b5790566" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0805", + "name" : "RHSA-2020:0805" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201022 [jira] [Created] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210907 [GitHub] [nifi] asfgit closed pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E", + "name" : "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + }, { + "source" : "MLIST", + "url" : "http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e", + "name" : "[www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201022 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201026 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210827 [GitHub] [nifi] naddym opened a new pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0811", + "name" : "RHSA-2020:0811" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210907 [jira] [Commented] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html", + "name" : "openSUSE-SU-2019:2058" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0057", + "name" : "RHSA-2020:0057" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0804", + "name" : "RHSA-2020:0804" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E", + "name" : "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] lgcareer commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E", + "name" : "[commons-issues] 20190925 [GitHub] [commons-validator] jeff-schram opened a new pull request #18: Update pom.xml" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E", + "name" : "[rocketmq-dev] 20201223 [GitHub] [rocketmq] crazywen opened a new pull request #2515: Update pom.xml" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E", + "name" : "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E", + "name" : "[atlas-commits] 20201023 [atlas] 01/05: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0806", + "name" : "RHSA-2020:0806" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191001 [jira] [Commented] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2020.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E", + "name" : "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E", + "name" : "[tinkerpop-commits] 20190829 [tinkerpop] branch master updated: Bump commons-beanutils to 1.9.4 for CVE-2019-10086 - CTR" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210915 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0194", + "name" : "RHSA-2020:0194" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210827 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210908 [GitHub] [nifi] naddym commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E", + "name" : "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191001 [jira] [Created] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fiix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", + "name" : "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2019:4317", + "name" : "RHSA-2019:4317" + }, { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html", + "name" : "[debian-lts-announce] 20190824 [SECURITY] [DLA 1896-1] commons-beanutils security update" + }, { + "source" : "FEDORA", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/", + "name" : "FEDORA-2019-bcad44b5d6" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndIncluding" : "1.9.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:nifi:1.14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:nifi:1.15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:e-business_suite:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:sap:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:sap:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "21.1.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.6.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.4.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware:11.1.1.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.1.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:8.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_data_gateway:1.0.2.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.5.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.5.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.5.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "16.2.0", + "versionEndIncluding" : "16.2.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.12.0", + "versionEndIncluding" : "17.12.6" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:real-time_decisions_solutions:3.2.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_merchandising_system:5.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:14.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:service_bus:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:solaris_cluster:4.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:time_and_labor:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "12.2.6", + "versionEndIncluding" : "12.2.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "4.3.0.1.0", + "versionEndIncluding" : "4.3.0.6.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-beanutils-core-1.7.0.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-beanutils/commons-beanutils-core/1.7.0/commons-beanutils-core-1.7.0.jar", + "md5" : "458b500e7283d295f69a93ffc4a15293", + "sha1" : "52f7701e1e9fd1d2b93379503c0bc839d2caf68d", + "sha256" : "dbdac3b81a1c22a1d09b8c4a1c55b00af4767bd068838651c04c2f130172a207", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-beanutils-core" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "beanutils" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.beanutils" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-beanutils-core" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-beanutils-core" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-beanutils" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-beanutils-core" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "beanutils" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.beanutils" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "org.apache.commons.beanutils" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Jakarta Commons Beanutils" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-beanutils-core" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-beanutils" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.7.0" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.7.0" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-beanutils/commons-beanutils-core@1.7.0", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-beanutils/commons-beanutils-core@1.7.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_beanutils:1.7.0:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_beanutils&cpe_version=cpe%3A%2F%3Aapache%3Acommons_beanutils%3A1.7.0" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2014-0114", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cwes" : [ "CWE-20" ], + "description" : "Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to \"manipulate\" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/42ad6326d62ea8453d0d0ce12eff39bbb7c5b4fca9639da007291346%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "http://apache-ignite-developers.2346864.n4.nabble.com/CVE-2014-0114-Apache-Ignite-is-vulnerable-to-existing-CVE-2014-0114-td31205.html", + "name" : "[apache-ignite-developers] 20180601 [CVE-2014-0114]: Apache Ignite is vulnerable to existing CVE-2014-0114" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, { + "source" : "CONFIRM", + "url" : "http://advisories.mageia.org/MGASA-2014-0219.html", + "name" : "http://advisories.mageia.org/MGASA-2014-0219.html" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201607-09", + "name" : "GLSA-201607-09" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/6afe2f935493e69a332b9c5a4f23cafe95c15ede1591a492cf612293%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59430", + "name" : "59430" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675972", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675972" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/9317fd092b257a0815434b116a8af8daea6e920b6673f4fd5583d5fe%40%3Ccommits.druid.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/fda473f46e51019a78ab217a7a3a3d48dafd90846e75bd5536ef72f3%40%3Cnotifications.commons.apache.org%3E" + }, { + "source" : "FEDORA", + "url" : "http://lists.fedoraproject.org/pipermail/package-announce/2014-August/136958.html", + "name" : "FEDORA-2014-9380" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676110", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676110" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59245", + "name" : "59245" + }, { + "source" : "CONFIRM", + "url" : "https://access.redhat.com/solutions/869353", + "name" : "https://access.redhat.com/solutions/869353" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2014/dsa-2940", + "name" : "DSA-2940" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674812", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674812" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r458d61eaeadecaad04382ebe583230bc027f48d9e85e4731bc573477%40%3Ccommits.dolphinscheduler.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674128", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674128" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg27042296", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg27042296" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675387", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675387" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675266", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675266" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59704", + "name" : "59704" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676303", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676303" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/aa4ca069c7aea5b1d7329bc21576c44a39bcc4eb7bb2760c4b16f2f6%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/f3682772e62926b5c009eed63c62767021be6da0bb7427610751809f%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/c7e31c3c90b292e0bafccc4e1b19c9afc1503a65d82cb7833dfd7478%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59480", + "name" : "59480" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name" : "https://issues.apache.org/jira/browse/BEANUTILS-463" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59479", + "name" : "59479" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/ffde3f266d3bde190b54c9202169e7918a92de7e7e0337d792dc7263%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=141451023707502&w=2", + "name" : "HPSBST03160" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676375", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676375" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=140801096002766&w=2", + "name" : "HPSBMU03090" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59228", + "name" : "59228" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/c70da3cb6e3f03e0ad8013e38b6959419d866c4a7c80fdd34b73f25c%40%3Ccommits.pulsar.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/65b39fa6d700e511927e5668a4038127432178a210aff81500eb36e5%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675898", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675898" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/15fcdf27fa060de276edc0b4098526afc21c236852eb3de9be9594f3%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/ebc4f019798f6ce2a39f3e0c26a9068563a9ba092cdf3ece398d4e2f%40%3Cnotifications.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59246", + "name" : "59246" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1091938", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1091938" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/2454e058fd05ba30ca29442fdeb7ea47505d47a888fbc9f3a53f31d0%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/rf5230a049d989dbfdd404b4320a265dceeeba459a4d04ec21873bd55%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2014-0114?component-type=maven&component-name=commons-beanutils%2Fcommons-beanutils-core&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2014-0114] CWE-20: Improper Input Validation" + }, { + "source" : "MLIST", + "url" : "http://openwall.com/lists/oss-security/2014/07/08/1", + "name" : "[oss-security] 20140707 Re: CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20140911-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20140911-0001/" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58851", + "name" : "58851" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59718", + "name" : "59718" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1116665", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1116665" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/88c497eead24ed517a2bb3159d3dc48725c215e97fe7a98b2cf3ea25%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677110", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677110" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=140119284401582&w=2", + "name" : "HPSBGN03041" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "FULLDISC", + "url" : "http://seclists.org/fulldisclosure/2014/Dec/23", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/97fc033dad4233a5d82fcb75521eabdd23dd99ef32eb96f407f96a1a%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/869c08899f34c1a70c9fb42f92ac0d043c98781317e0c19d7ba3f5e3%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/df1c385f2112edffeff57a6b21d12e8d24031a9f578cb8ba22a947a8%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/3f500972dceb48e3cb351f58565aecf6728b1ea7a69593af86c30b30%40%3Cissues.activemq.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/6b30629b32d020c40d537f00b004d281c37528d471de15ca8aec2cd4%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/0a35108a56e2d575e3b3985588794e39fbf264097aba66f4c5569e4f%40%3Cuser.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/57477", + "name" : "57477" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/0efed939139f5b9dcd62b8acf7cb8a9789227d14abdc0c6f141c4a4c%40%3Cissues.activemq.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader", + "name" : "http://www.rapid7.com/db/modules/exploit/multi/http/struts_code_exec_classloader" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60177", + "name" : "60177" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/084ae814e69178d2ce174cfdf149bc6e46d7524f3308c08d3adb43cb%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/cee6b1c4533be1a753614f6a7d7c533c42091e7cafd7053b8f62792a%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59014", + "name" : "59014" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/918ec15a80fc766ff46c5d769cb8efc88fed6674faadd61a7105166b%40%3Cannounce.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/080af531a9113e29d3f6a060e3f992dc9f40315ec7234e15c3b339e3%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt", + "name" : "http://commons.apache.org/proper/commons-beanutils/javadocs/v1.9.2/RELEASE-NOTES.txt" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/2ba22f2e3de945039db735cf6cbf7f8be901ab2537337c7b1dd6a0f0%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/df093c662b5e49fe9e38ef91f78ffab09d0839dea7df69a747dffa86%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/37e1ed724a1b0e5d191d98c822c426670bdfde83804567131847d2a3%40%3Cdevnull.infra.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2019:2995", + "name" : "RHSA-2019:2995" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/9b5505632f5683ee17bda4f7878525e672226c7807d57709283ffa64%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/4c3fd707a049bfe0577dba8fc9c4868ffcdabe68ad86586a0a49242e%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60703", + "name" : "60703" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58947", + "name" : "58947" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59118", + "name" : "59118" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20180629-0006/", + "name" : "https://security.netapp.com/advisory/ntap-20180629-0006/" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/098e9aae118ac5c06998a9ba4544ab2475162981d290fdef88e6f883%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59464", + "name" : "59464" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/31f9dc2c9cb68e390634a4202f84b8569f64b6569bfcce46348fd9fd%40%3Ccommits.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.ibm.com/support/docview.wss?uid=swg21675496", + "name" : "http://www.ibm.com/support/docview.wss?uid=swg21675496" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675689", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675689" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujan2018-3236628.html" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/0340493a1ddf3660dee09a5c503449cdac5bec48cdc478de65858859%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "MANDRIVA", + "url" : "http://www.mandriva.com/security/advisories?name=MDVSA-2014:095", + "name" : "MDVSA-2014:095" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/66176fa3caeca77058d9f5b0316419a43b4c3fa2b572e05b87132226%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0114" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58710", + "name" : "58710" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/1565e8b786dff4cb3b48ecc8381222c462c92076c9e41408158797b5%40%3Ccommits.commons.apache.org%3E" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/67121", + "name" : "67121" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/c24c0b931632a397142882ba248b7bd440027960f22845c6f664c639%40%3Ccommits.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/8e2bdfabd5b14836aa3cf900aa0a62ff9f4e22a518bb4e553ebcf55f%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/d27c51b3c933f885460aa6d3004eb228916615caaaddbb8e8bfeeb40%40%3Cgitbox.activemq.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/09981ae3df188a2ad1ce20f62ef76a5b2d27cf6b9ebab366cf1d6cc6%40%3Cissues.commons.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676931", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676931" + }, { + "source" : "BUGTRAQ", + "url" : "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "MLIST", + "url" : "http://openwall.com/lists/oss-security/2014/06/15/10", + "name" : "[oss-security] 20140616 CVE request for commons-beanutils: 'class' property is exposed, potentially leading to RCE" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:2669", + "name" : "RHSA-2018:2669" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/40fc236a35801a535cd49cf1979dbeab034b833c63a284941bce5bf1%40%3Cdev.commons.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r75d67108e557bb5d4c4318435067714a0180de525314b7e8dab9d04e%40%3Cissues.activemq.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/BEANUTILS-463", + "name" : "https://issues.apache.org/jira/browse/BEANUTILS-463" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.9.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:b1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:b2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:b3:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:rc1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.1:rc2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.2.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.3.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:struts:1.3.10:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2019-10086", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 7.3, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "LOW", + "integrityImpact" : "LOW", + "availabilityImpact" : "LOW", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.4", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however were not using this by default characteristic of the PropertyUtilsBean.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re2028d4d76ba1db3e3c3a722d6c6034e801cc3b309f69cc166eaa32b@%3Ccommits.nifi.apache.org%3E", + "name" : "[nifi-commits] 20210907 [nifi] branch main updated: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086 NIFI-9170 Add two more 1.9.4 references to close out the few things identified by the Maven dependency plugin." + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2021.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2021.html" + }, { + "source" : "FEDORA", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/JIUYSL2RSIWZVNSUIXJTIFPIPIF6OAIO/", + "name" : "FEDORA-2019-79b5790566" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0805", + "name" : "RHSA-2020:0805" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6194ced4828deb32023cd314e31f41c61d388b58935d102c7de91f58@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2d5f1d88c39bd615271abda63964a0bee9b2b57fef1f84cb4c43032e@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210907 [GitHub] [nifi] MikeThomsen commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rae81e0c8ebdf47ffaa85a01240836bfece8a990c48f55c7933162b5c@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201022 [jira] [Created] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra41fd0ad4b7e1d675c03a5081a16a6603085a4e37d30b866067566fe@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210907 [GitHub] [nifi] asfgit closed pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/a684107d3a78e431cf0fbb90629e8559a36ff8fe94c3a76e620b39fa@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191105 [jira] [Resolved] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/956995acee0d8bc046f1df0a55b7fbeb65dd2f82864e5de1078bacb0@%3Cissues.commons.apache.org%3E", + "name" : "[commons-issues] 20190906 [jira] [Updated] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + }, { + "source" : "MLIST", + "url" : "http://mail-archives.apache.org/mod_mbox/www-announce/201908.mbox/%3cC628798F-315D-4428-8CB1-4ED1ECC958E4@apache.org%3e", + "name" : "[www-announce] 20190815 [SECURITY] CVE-2019-10086. Apache Commons Beanutils does not suppresses the class property in PropertyUtilsBean by default." + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/d6ca9439c53374b597f33b7ec180001625597db48ea30356af01145f@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191001 [jira] [Updated] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/reee57101464cf7622d640ae013b2162eb864f603ec4093de8240bb8f@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201022 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r306c0322aa5c0da731e03f3ce9f07f4745c052c6b73f4e78faf232ca@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201026 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r46e536fc98942dce99fadd2e313aeefe90c1a769c5cd85d98df9d098@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210827 [GitHub] [nifi] naddym opened a new pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rec74f3a94dd850259c730b4ba6f7b6211222b58900ec088754aa0534@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210827 [jira] [Created] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0811", + "name" : "RHSA-2020:0811" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re3cd7cb641d7fc6684e4fc3c336a8bad4a01434bb5625a06e3600fd1@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210907 [jira] [Commented] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-09/msg00007.html", + "name" : "openSUSE-SU-2019:2058" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0057", + "name" : "RHSA-2020:0057" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0804", + "name" : "RHSA-2020:0804" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r513a7a21c422170318115463b399dd58ab447fe0990b13e5884f0825@%3Ccommits.dolphinscheduler.apache.org%3E", + "name" : "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] lgcareer commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/02094ad226dbc17a2368beaf27e61d8b1432f5baf77d0ca995bb78bc@%3Cissues.commons.apache.org%3E", + "name" : "[commons-issues] 20190925 [GitHub] [commons-validator] jeff-schram opened a new pull request #18: Update pom.xml" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r43de02fd4a4f52c4bdeff8c02f09625d83cd047498009c1cdab857db@%3Cdev.rocketmq.apache.org%3E", + "name" : "[rocketmq-dev] 20201223 [GitHub] [rocketmq] crazywen opened a new pull request #2515: Update pom.xml" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/1f78f1e32cc5614ec0c5b822ba4bd7fc8e8b5c46c8e038b6bd609cb5@%3Cissues.commons.apache.org%3E", + "name" : "[commons-issues] 20190906 [jira] [Closed] (CONFIGURATION-755) [CVE-2014-0114] Update Apache Commons BeanUtils from 1.9.3 to 1.9.4." + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb8dac04cb7e9cc5dedee8dabaa1c92614f590642e5ebf02a145915ba@%3Ccommits.atlas.apache.org%3E", + "name" : "[atlas-commits] 20201023 [atlas] 01/05: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra87ac17410a62e813cba901fdd4e9a674dd53daaf714870f28e905f1@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 [jira] [Updated] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0806", + "name" : "RHSA-2020:0806" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/c94bc9649d5109a663b2129371dc45753fbdeacd340105548bbe93c3@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191001 [jira] [Commented] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2020.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r967953a14e05016bc4bcae9ef3dd92e770181158b4246976ed8295c9@%3Cdev.brooklyn.apache.org%3E", + "name" : "[brooklyn-dev] 20200420 [GitHub] [brooklyn-server] duncangrant opened a new pull request #1091: Update library versions due to CVEs" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/3d1ed1a1596c08c4d5fea97b36c651ce167b773f1afc75251ce7a125@%3Ccommits.tinkerpop.apache.org%3E", + "name" : "[tinkerpop-commits] 20190829 [tinkerpop] branch master updated: Bump commons-beanutils to 1.9.4 for CVE-2019-10086 - CTR" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/racd3e7b2149fa2f255f016bd6bffab0fea77b6fb81c50db9a17f78e6@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 [jira] [Commented] (ATLAS-4002) Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb1f76c2c0a4d6efb8a3523974f9d085d5838b73e7bffdf9a8f212997@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210915 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2020:0194", + "name" : "RHSA-2020:0194" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/5261066cd7adee081ee05c8bf0e96cf0b2eeaced391e19117ae4daa6@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191023 [jira] [Assigned] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r18d8b4f9263e5cad3bbaef0cdba0e2ccdf9201316ac4b85e23eb7ee4@%3Cdev.atlas.apache.org%3E", + "name" : "[atlas-dev] 20201023 Re: Review Request 72983: ATLAS-4002 : Upgrade commons-beanutils to 1.9.4 due to CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rcc029be4edaaf5b8bb85818aab494e16f312fced07a0f4a202771ba2@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210827 [jira] [Updated] (NIFI-9170) Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd2d2493f4f1af6980d265b8d84c857e2b7ab80a46e1423710c448957@%3Cissues.nifi.apache.org%3E", + "name" : "[nifi-issues] 20210908 [GitHub] [nifi] naddym commented on pull request #5351: NIFI-9170 Upgrade commons-beanutils to 1.9.4 to mitigate CVE-2019-10086" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra9a139fdc0999750dcd519e81384bc1fe3946f311b1796221205f51c@%3Ccommits.dolphinscheduler.apache.org%3E", + "name" : "[dolphinscheduler-commits] 20210121 [GitHub] [incubator-dolphinscheduler] c-f-cooper commented on pull request #4525: [Improvement-4506][LICENSE] upgrade the version of the commons-beanutils" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/2fd61dc89df9aeab738d2b49f48d42c76f7d53b980ba04e1d48bce48@%3Cdev.shiro.apache.org%3E", + "name" : "[shiro-dev] 20191001 [jira] [Created] (SHIRO-723) Provide Minor Shiro Release that includes CVE-2019-10086 Fiix" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc@%3Cissues.drill.apache.org%3E", + "name" : "[drill-issues] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2019:4317", + "name" : "RHSA-2019:4317" + }, { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2019/08/msg00030.html", + "name" : "[debian-lts-announce] 20190824 [SECURITY] [DLA 1896-1] commons-beanutils security update" + }, { + "source" : "FEDORA", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/message/4APPGLBWMFAS4WHNLR4LIJ65DJGPV7TF/", + "name" : "FEDORA-2019-bcad44b5d6" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_beanutils:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndIncluding" : "1.9.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:nifi:1.14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:nifi:1.15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:e-business_suite:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.5:*:*:*:*:sap:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:e-business_suite:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_product_lifecycle_management_integration_pack:3.6:*:*:*:*:sap:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_platform:2.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:blockchain_platform:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "21.1.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management:7.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:11.3.0.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_billing_and_revenue_management_elastic_charging_engine:12.0.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_console:1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_policy:1.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_unified_data_repository:1.6.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_convergence:3.0.2.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.3.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_design_studio:7.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_evolved_communications_application_server:7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_metasolv_solution:6.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_performance_intelligence_center:10.4.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_pricing_design_center:12.0.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.3.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:customer_management_and_segmentation_foundation:18.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_for_virtualization:13.4.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_private_banking:12.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_private_banking:12.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware:11.1.1.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:fusion_middleware:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.1.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:7.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:8.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_opera_5:5.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_opera_5:5.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hospitality_reporting_and_analytics:9.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:insurance_data_gateway:1.0.2.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.5.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:9.2.5.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.5.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:9.2.5.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "16.2.0", + "versionEndIncluding" : "16.2.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.12.0", + "versionEndIncluding" : "17.12.6" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:real-time_decisions_solutions:3.2.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_advanced_inventory_planning:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_back_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_central_office:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_invoice_matching:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_merchandising_system:5.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_point-of-service:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_predictive_application_server:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:14.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_price_management:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_returns_management:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:17.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_xstore_point_of_service:18.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:service_bus:11.1.1.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:service_bus:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:service_bus:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:solaris_cluster:4.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:time_and_labor:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "12.2.6", + "versionEndIncluding" : "12.2.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "4.3.0.1.0", + "versionEndIncluding" : "4.3.0.6.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.2.0.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.2.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.4.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.4.0.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:utilities_framework:4.4.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:redhat:jboss_enterprise_application_platform:7.2.0:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-codec-1.2.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-codec/commons-codec/1.2/commons-codec-1.2.jar", + "md5" : "2617b220009f952bb9542af167d040cf", + "sha1" : "397f4731a9f9b6eb1907e224911c77ea3aa27a8b", + "sha256" : "9898a3b3857676128987b975d0b0f035becf3da5cf677266a34d6636f2b80542", + "description" : "The codec package contains simple encoder and decoders for\n various formats such as Base64 and Hexadecimal. In addition to these\n widely used encoders and decoders, the codec package also maintains a\n collection of phonetic encoding utilities.", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-codec" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "codec" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "encoder" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.codec.*" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-codec" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-codec" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bayard@generationjava.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dgraham@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ggregory@seagullsw.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jon@collab.net" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rwaldhoff@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders@totalsync.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "tobrien@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dgraham" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "ggregory" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jon" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "tobrien" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "David Graham" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Gary D. Gregory" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jon S. Stevens" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Tim OBrien" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "SEAGULL Software" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-codec" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Codec" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-codec" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "codec" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "encoder" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.codec.*" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "org.apache.commons.codec.*" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Jakarta Commons Codec" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-codec" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bayard@generationjava.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dgraham@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ggregory@seagullsw.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jon@collab.net" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rwaldhoff@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders@totalsync.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "tobrien@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dgraham" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "ggregory" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jon" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "tobrien" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "David Graham" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Gary D. Gregory" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jon S. Stevens" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Tim OBrien" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "SEAGULL Software" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-codec" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Codec" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.2" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.2" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.2" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-codec/commons-codec@1.2", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-codec/commons-codec@1.2?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-collections-3.2.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar", + "md5" : "7b9216b608d550787bdf43a63d88bf3b", + "sha1" : "f951934aa5ae5a88d7e6dfaa6d32307d834a88be", + "sha256" : "093fea360752de55afcb80cf713403eb1a66cb7dc0d529955b6f4a96f975df5c", + "description" : "Types that extend and augment the Java Collections Framework.", + "license" : "The Apache Software License, Version 2.0: /LICENSE.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-collections" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "collections" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-collections" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-collections" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-collections" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "amamment" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "craigmcc" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "geirm" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jcarman" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "matth" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "morgand" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "psteitz" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "scolebourne" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Arun M. Thomas" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Craig McClanahan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Geir Magnusson" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "James Carman" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Matthew Hawthorne" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Morgan Delagrange" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Phil Steitz" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Stephen Colebourne" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-collections" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Collections" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/collections/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-collections" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "collections" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-collections" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Commons Collections" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Commons Collections" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-collections" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "amamment" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "craigmcc" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "geirm" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jcarman" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "matth" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "morgand" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "psteitz" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "scolebourne" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Arun M. Thomas" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Craig McClanahan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Geir Magnusson" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "James Carman" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Matthew Hawthorne" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Morgan Delagrange" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Phil Steitz" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Stephen Colebourne" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-collections" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Collections" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/collections/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "3.2" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "3.2" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "3.2" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-collections/commons-collections@3.2", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-collections/commons-collections@3.2?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_collections:3.2:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_collections&cpe_version=cpe%3A%2F%3Aapache%3Acommons_collections%3A3.2" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2015-6420", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cwes" : [ "CWE-502" ], + "description" : "Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.", + "notes" : "", + "references" : [ { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/78872", + "name" : "78872" + }, { + "source" : "CISCO", + "url" : "http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20151209-java-deserialization", + "name" : "20151209 Vulnerability in Java Deserialization Affecting Cisco Products" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2017-14", + "name" : "https://www.tenable.com/security/research/tra-2017-14" + }, { + "source" : "CERT-VN", + "url" : "https://www.kb.cert.org/vuls/id/581311", + "name" : "VU#581311" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r352e40ca9874d1beb4ad95403792adca7eb295e6bc3bd7b65fabcc21@%3Ccommits.samza.apache.org%3E", + "name" : "[samza-commits] 20210310 [GitHub] [samza] Telesia opened a new pull request #1471: SAMZA-2630: Upgrade dependencies for security fixes" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2017-23", + "name" : "https://www.tenable.com/security/research/tra-2017-23" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_collections:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "3.2.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_collections:4.0:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-configuration-1.5.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-configuration/commons-configuration/1.5/commons-configuration-1.5.jar", + "md5" : "2c0b8b3c029982639c2ee8c951831b16", + "sha1" : "d891c003b41adc63ab99e5f697e04d633568965a", + "sha256" : "e5c824dd43b40517a111da36887c2b1233a1128f0a8fa464f6b32e5b78163998", + "description" : "Tools to assist in the reading of configuration/preferences files in\n various formats", + "license" : "The Apache Software License, Version 2.0: /LICENSE.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-configuration" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "configuration" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-configuration" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-configuration" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-configuration" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bdunbar@dunbarconsulting.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@multitask.com.au" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ebourg@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "epugh@upstate.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "hps@intermeta.de" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jason@zenplex.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "joerg.schaible@gmx.de" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "mpoeschl@marmot.at" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "oheger@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "bdunbar" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "ebourg" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "epugh" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "henning" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "joehni" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "mpoeschl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "oheger" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Brian E. Dunbar" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Emmanuel Bourg" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Eric Pugh" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Henning P. Schmiedehausen" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "J?rg Schaible" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Poeschl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Oliver Heger" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Agfa HealthCare" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Ariane Software" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet, Inc." + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "dunbarconsulting.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "INTERMETA - Gesellschaft fuer Mehrwertdienste mbH" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "tucana.at" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "upstate.com" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Zenplex" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-configuration" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Commons Configuration" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://commons.apache.org/" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://commons.apache.org/${pom.artifactId.substring(8)}/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-configuration" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "configuration" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-configuration" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "org.apache.commons.configuration" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Common Configuration" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-configuration" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bdunbar@dunbarconsulting.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@multitask.com.au" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ebourg@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "epugh@upstate.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "hps@intermeta.de" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jason@zenplex.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "joerg.schaible@gmx.de" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "mpoeschl@marmot.at" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "oheger@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "bdunbar" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "ebourg" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "epugh" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "henning" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "joehni" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "mpoeschl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "oheger" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Brian E. Dunbar" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Emmanuel Bourg" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Eric Pugh" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Henning P. Schmiedehausen" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "J?rg Schaible" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Poeschl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Oliver Heger" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Agfa HealthCare" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Ariane Software" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet, Inc." + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "dunbarconsulting.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "INTERMETA - Gesellschaft fuer Mehrwertdienste mbH" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "tucana.at" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "upstate.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Zenplex" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-configuration" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Commons Configuration" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://commons.apache.org/" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://commons.apache.org/${pom.artifactId.substring(8)}/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.5" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.5" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.5" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-configuration/commons-configuration@1.5", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-configuration/commons-configuration@1.5?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_configuration:1.5:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_configuration&cpe_version=cpe%3A%2F%3Aapache%3Acommons_configuration%3A1.5" + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-digester-1.8.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-digester/commons-digester/1.8/commons-digester-1.8.jar", + "md5" : "cf89c593f0378e9509a06fce7030aeba", + "sha1" : "dc6a73fdbd1fa3f0944e8497c6c872fa21dca37e", + "sha256" : "05662373044f3dff112567b7bb5dfa1174e91e074c0c727b4412788013f49d56", + "description" : "The Digester package lets you configure an XML->Java object mapping module\n which triggers certain actions called rules whenever a particular \n pattern of nested XML elements is recognized.", + "license" : "The Apache Software License, Version 2.0: /LICENSE.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-digester" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "digester" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "rules" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-digester" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-digester" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-digester" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "craigmcc@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jfarcand@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jstrachan@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jvanzyl@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rahul AT apache DOT org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders@totalsync.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "skitching@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "tobrien@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "craigmcc" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jfarcand" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jstrachan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rahul" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "skitching" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "tobrien" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Craig McClanahan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "James Strachan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jean-Francois Arcand" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Rahul Akolkar" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Simon Kitching" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Tim OBrien" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Sun Microsystems" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-digester" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Digester" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/digester/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-digester" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "digester" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "rule" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "rules" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-digester" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "org.apache.commons.digester" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Rule based XML->Java object mapping module" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-digester" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "craigmcc@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jfarcand@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jstrachan@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jvanzyl@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rahul AT apache DOT org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders@totalsync.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "skitching@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "tobrien@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "craigmcc" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jfarcand" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jstrachan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rahul" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "skitching" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "tobrien" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Craig McClanahan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "James Strachan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jean-Francois Arcand" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Rahul Akolkar" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Simon Kitching" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Tim OBrien" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Sun Microsystems" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-digester" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Digester" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/digester/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.8" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.8" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.8" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-digester/commons-digester@1.8", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-digester/commons-digester@1.8?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-fileupload-1.2.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-fileupload/commons-fileupload/1.2/commons-fileupload-1.2.jar", + "md5" : "c9021a6ed3d7d399ca96a7d9d9c84bb1", + "sha1" : "a10c06183fe21f3bb3dda3b5946b93db6e2ad5cc", + "sha256" : "b570cacc936c8b6ed4b7741219de8782a6a796c6f929e97625a888847a8df1f3", + "description" : "\n The FileUpload component provides a simple yet flexible means of adding support for multipart\n file upload functionality to servlets and web applications.\n ", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "fileupload" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jason@zenplex.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jmcnally@collab.net" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jochen.wiedmann@gmail.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "martinc@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sean |at| seansullivan |dot| com" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jmcnally" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jochen" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "martinc" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sullis" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jochen Wiedmann" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "John McNally" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Cooper" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Sean C. Sullivan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "EMC" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Zenplex" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-fileupload" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "FileUpload" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "commons-parent" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache.commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/fileupload/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-fileupload" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "fileupload" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Commons FileUpload" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Commons FileUpload" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-fileupload" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jason@zenplex.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jmcnally@collab.net" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jochen.wiedmann@gmail.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "martinc@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sean |at| seansullivan |dot| com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jmcnally" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jochen" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jvanzyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "martinc" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sullis" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jason van Zyl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jochen Wiedmann" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "John McNally" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Martin Cooper" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Sean C. Sullivan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "EMC" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Zenplex" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-fileupload" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "FileUpload" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "commons-parent" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache.commons" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/fileupload/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.2" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "specification-version", + "value" : "1.2" + }, { + "type" : "version", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-version", + "value" : "1.2" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.2" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-fileupload/commons-fileupload@1.2", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-fileupload/commons-fileupload@1.2?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons_fileupload&cpe_version=cpe%3A%2F%3Aapache%3Acommons_fileupload%3A1.2" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2016-1000031", + "severity" : "CRITICAL", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4", + "acInsufInfo" : "true" + }, + "cvssv3" : { + "baseScore" : 9.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "CRITICAL", + "exploitabilityScore" : "3.9", + "impactScore" : "5.9", + "version" : "3.0" + }, + "cwes" : [ "CWE-284" ], + "description" : "Apache Commons FileUpload before 1.3.3 DiskFileItem File Manipulation Remote Code Execution", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2020.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2020.html" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2016-1000031?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2016-1000031] CWE-284: Improper Access Control" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20190212-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190212-0001/" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", + "name" : "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2019-05/msg00036.html", + "name" : "openSUSE-SU-2019:1399" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/d66657323fd25e437face5e84899c8ca404ccd187e81c3f2fa8b6080@%3Cannounce.apache.org%3E", + "name" : "[announce] 20181105 [SECURITY] Immediately upgrade commons-fileupload to version 1.3.3 when running Struts 2.3.36 or prior" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2016-30", + "name" : "https://www.tenable.com/security/research/tra-2016-30" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279", + "name" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujul2019-5072835.html" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279", + "name" : "https://issues.apache.org/jira/browse/FILEUPLOAD-279" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2021.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2021.html" + }, { + "source" : "OSSIndex", + "url" : "http://www.tenable.com/security/research/tra-2016-12", + "name" : "http://www.tenable.com/security/research/tra-2016-12" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2016-23", + "name" : "https://www.tenable.com/security/research/tra-2016-23" + }, { + "source" : "MISC", + "url" : "https://www.tenable.com/security/research/tra-2016-12", + "name" : "https://www.tenable.com/security/research/tra-2016-12" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpujan2019-5072801.html" + }, { + "source" : "MISC", + "url" : "http://www.zerodayinitiative.com/advisories/ZDI-16-570/", + "name" : "http://www.zerodayinitiative.com/advisories/ZDI-16-570/" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2020.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/93604", + "name" : "93604" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuoct2019-5072832.html" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/WW-4812", + "name" : "https://issues.apache.org/jira/browse/WW-4812" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2018-4428296.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.3.2" + } + } ] + }, { + "source" : "OSSINDEX", + "name" : "CVE-2013-2186", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "N", + "accessComplexity" : "L", + "authenticationr" : "N", + "confidentialImpact" : "P", + "integrityImpact" : "P", + "availabilityImpact" : "P", + "severity" : "HIGH" + }, + "cwes" : [ "CWE-20" ], + "description" : "The DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/", + "name" : "https://securityblog.redhat.com/2013/11/20/java-deserialization-flaws-part-1-binary-deserialization/" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-2186" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2013-2186?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2013-2186] CWE-20: Improper Input Validation" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:commons-fileupload:commons-fileupload:1.2:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2014-0050", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cwes" : [ "CWE-264" ], + "description" : "MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.", + "notes" : "", + "references" : [ { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05376917" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0252.html", + "name" : "RHSA-2014:0252" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2014-0050?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2014-0050] CWE-264: Permissions, Privileges, and Access Controls" + }, { + "source" : "FULLDISC", + "url" : "http://seclists.org/fulldisclosure/2014/Dec/23", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59500", + "name" : "59500" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58075", + "name" : "58075" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, { + "source" : "JVN", + "url" : "http://jvn.jp/en/jp/JVN14876762/index.html", + "name" : "JVN#14876762" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1062337", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1062337" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59232", + "name" : "59232" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-7.html", + "name" : "http://tomcat.apache.org/security-7.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677724", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677724" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59399", + "name" : "59399" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0007.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0007.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-017/index.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676092", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676092" + }, { + "source" : "OSSIndex", + "url" : "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "name" : "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59185", + "name" : "59185" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59187", + "name" : "59187" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2014/dsa-2856", + "name" : "DSA-2856" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2130-1", + "name" : "USN-2130-1" + }, { + "source" : "MISC", + "url" : "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html", + "name" : "http://packetstormsecurity.com/files/127215/VMware-Security-Advisory-2014-0007.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2015-1972971.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21669554", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21669554" + }, { + "source" : "MISC", + "url" : "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", + "name" : "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59183", + "name" : "59183" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676853", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676853" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuapr2015-2365600.html" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=143136844732487&w=2", + "name" : "HPSBGN03329" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59039", + "name" : "59039" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05390722" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2016-2881722.html" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/65400", + "name" : "65400" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-015/index.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21681214", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21681214" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0012.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676410", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676410" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60475", + "name" : "60475" + }, { + "source" : "OSSIndex", + "url" : "https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/", + "name" : "https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0253.html", + "name" : "RHSA-2014:0253" + }, { + "source" : "MLIST", + "url" : "http://mail-archives.apache.org/mod_mbox/commons-dev/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "name" : "[commons-dev] 20140206 [SECURITY] CVE-2014-0050 Apache Commons FileUpload and Apache Tomcat DoS" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujul2014-1972956.html" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0400.html", + "name" : "RHSA-2014:0400" + }, { + "source" : "CONFIRM", + "url" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html", + "name" : "http://www.vmware.com/security/advisories/VMSA-2014-0008.html" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-8.html", + "name" : "http://tomcat.apache.org/security-8.html" + }, { + "source" : "OSSIndex", + "url" : "http://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos", + "name" : "http://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/58976", + "name" : "58976" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS14-016/index.html" + }, { + "source" : "MANDRIVA", + "url" : "http://www.mandriva.com/security/advisories?name=MDVSA-2015:084", + "name" : "MDVSA-2015:084" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuoct2015-2367953.html" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/202107-39", + "name" : "GLSA-202107-39" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59184", + "name" : "59184" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59041", + "name" : "59041" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/57915", + "name" : "57915" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676405", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676405" + }, { + "source" : "CONFIRM", + "url" : "http://advisories.mageia.org/MGASA-2014-0110.html", + "name" : "http://advisories.mageia.org/MGASA-2014-0110.html" + }, { + "source" : "JVNDB", + "url" : "http://jvndb.jvn.jp/jvndb/JVNDB-2014-000017", + "name" : "JVNDB-2014-000017" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59492", + "name" : "59492" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675432", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21675432" + }, { + "source" : "BUGTRAQ", + "url" : "http://www.securityfocus.com/archive/1/532549/100/0/threaded", + "name" : "20140625 NEW VMSA-2014-0007 - VMware product updates address security vulnerabilities in Apache Struts library" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpuoct2014-1972960.html" + }, { + "source" : "BUGTRAQ", + "url" : "http://www.securityfocus.com/archive/1/534161/100/0/threaded", + "name" : "20141205 NEW: VMSA-2014-0012 - VMware vSphere product updates address security vulnerabilities" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677691", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677691" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676401", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676401" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60753", + "name" : "60753" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/r1565143", + "name" : "http://svn.apache.org/r1565143" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59725", + "name" : "59725" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676656", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676656" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676403", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676403" + }, { + "source" : "CONFIRM", + "url" : "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm", + "name" : "http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-350733.htm" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676091" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.9:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.13:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.15:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.17:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.18:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.24:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.31:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.36:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.38:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.43:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.44:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.45:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.46:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.48:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.49:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:12.0in:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:13.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_applications:14.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2016-3092", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.8, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.9" + }, + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.0" + }, + "cwes" : [ "CWE-20" ], + "description" : "The MultipartStream class in Apache Commons Fileupload before 1.3.2, as used in Apache Tomcat 7.x before 7.0.70, 8.x before 8.0.36, 8.5.x before 8.5.3, and 9.x before 9.0.0.M7 and other products, allows remote attackers to cause a denial of service (CPU consumption) via a long boundary string.", + "notes" : "", + "references" : [ { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3609", + "name" : "DSA-3609" + }, { + "source" : "JVN", + "url" : "http://jvn.jp/en/jp/JVN89379547/index.html", + "name" : "JVN#89379547" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2071.html", + "name" : "RHSA-2016:2071" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2018-4258247.html" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20190212-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20190212-0001/" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1349468", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1349468" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743738", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743738" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpujul2017-3236622.html" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-3024-1", + "name" : "USN-3024-1" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:0455", + "name" : "RHSA-2017:0455" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2808.html", + "name" : "RHSA-2016:2808" + }, { + "source" : "MLIST", + "url" : "http://mail-archives.apache.org/mod_mbox/commons-dev/201606.mbox/%3CCAF8HOZ%2BPq2QH8RnxBuJyoK1dOz6jrTiQypAC%2BH8g6oZkBg%2BCxg%40mail.gmail.com%3E", + "name" : "[dev] 20160621 CVE-2016-3092: Apache Commons Fileupload information disclosure vulnerability" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1036427", + "name" : "1036427" + }, { + "source" : "OSSIndex", + "url" : "http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E", + "name" : "http://mail-archives.apache.org/mod_mbox/www-announce/201606.mbox/%3C45A20804-ABFF-4FED-A297-69AC95AB9A3F@apache.org%3E" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201705-09", + "name" : "GLSA-201705-09" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1037029", + "name" : "1037029" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-7.html", + "name" : "http://tomcat.apache.org/security-7.html" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3614", + "name" : "DSA-3614" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2016-3092?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2016-3092] CWE-20: Improper Input Validation" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-9.html", + "name" : "http://tomcat.apache.org/security-9.html" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324759" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2069.html", + "name" : "RHSA-2016:2069" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1036900", + "name" : "1036900" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9136ff5b13e4f1941360b5a309efee2c114a14855578c3a2cbe5d19c@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20200213 svn commit: r1873980 [27/34] - /tomcat/site/trunk/docs/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2072.html", + "name" : "RHSA-2016:2072" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1039606", + "name" : "1039606" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2599.html", + "name" : "RHSA-2016:2599" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-3027-1", + "name" : "USN-3027-1" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05289840" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:0456", + "name" : "RHSA-2017:0456" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2068.html", + "name" : "RHSA-2016:2068" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743480", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743480" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/343558d982879bf88ec20dbf707f8c11255f8e219e81d45c4f8d0551@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20190319 svn commit: r1855831 [25/30] - in /tomcat/site/trunk: ./ docs/ xdocs/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2017-0457.html", + "name" : "RHSA-2017:0457" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-3092" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html", + "name" : "http://www.oracle.com/technetwork/topics/security/bulletinjul2016-3090568.html" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2070.html", + "name" : "RHSA-2016:2070" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "CONFIRM", + "url" : "http://tomcat.apache.org/security-8.html", + "name" : "http://tomcat.apache.org/security-8.html" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05204371" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/91453", + "name" : "91453" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2016-09/msg00025.html", + "name" : "openSUSE-SU-2016:2252" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/202107-39", + "name" : "GLSA-202107-39" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743722", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743722" + }, { + "source" : "JVNDB", + "url" : "http://jvndb.jvn.jp/jvndb/JVNDB-2016-000121", + "name" : "JVNDB-2016-000121" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1743742", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1743742" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2016/dsa-3611", + "name" : "DSA-3611" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/388a323769f1dff84c9ec905455aa73fbcb20338e3c7eb131457f708@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20190325 svn commit: r1856174 [22/29] - in /tomcat/site/trunk: docs/ xdocs/ xdocs/stylesheets/" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2016-2807.html", + "name" : "RHSA-2016:2807" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.3.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.0:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.2:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.4:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.5:beta:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.10:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.11:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.16:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.19:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.20:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.21:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.22:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.23:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.25:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.26:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.27:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.28:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.29:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.32:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.33:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.34:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.35:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.37:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.39:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.40:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.41:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.42:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.47:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.50:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.52:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.53:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.54:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.55:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.59:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.61:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.62:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.63:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.64:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.65:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.67:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.68:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:7.0.69:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc10:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.0:rc5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.11:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.14:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.15:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.17:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.18:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.20:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.21:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.22:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.23:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.24:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.26:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.27:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.28:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.29:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.32:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.33:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.0.35:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:8.5.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m3:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m4:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:tomcat:9.0.0:m6:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:hp:icewall_identity_manager:5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:hp:icewall_sso_agent_option:10.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2023-24998", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-770" ], + "description" : "Apache Commons FileUpload before 1.5 does not limit the number of request parts to be processed resulting in the possibility of an attacker triggering a DoS with a malicious upload or series of uploads.\n\n\n\n\nNote that, like all of the file upload limits, the\n new configuration option (FileUploadBase#setFileCountMax) is not\n enabled by default and must be explicitly configured.\n\n\n", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", + "name" : "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "name" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" + }, { + "source" : "MISC", + "url" : "http://www.openwall.com/lists/oss-security/2023/05/22/1", + "name" : "http://www.openwall.com/lists/oss-security/2023/05/22/1" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/apache/commons-fileupload/pull/185", + "name" : "https://github.com/apache/commons-fileupload/pull/185" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-10.html", + "name" : "https://tomcat.apache.org/security-10.html" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24998", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-24998" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-11.html", + "name" : "https://tomcat.apache.org/security-11.html" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-9.html", + "name" : "https://tomcat.apache.org/security-9.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "name" : "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy" + }, { + "source" : "OSSIndex", + "url" : "https://tomcat.apache.org/security-8.html", + "name" : "https://tomcat.apache.org/security-8.html" + }, { + "source" : "MISC", + "url" : "https://security.gentoo.org/glsa/202305-37", + "name" : "https://security.gentoo.org/glsa/202305-37" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2023-24998?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2023-24998] CWE-770: Allocation of Resources Without Limits or Throttling" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0", + "versionEndExcluding" : "1.5" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.0:beta:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2013-0248", + "severity" : "LOW", + "cvssv2" : { + "score" : 3.3, + "accessVector" : "LOCAL", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "LOW", + "version" : "2.0", + "exploitabilityScore" : "3.4", + "impactScore" : "4.9" + }, + "cwes" : [ "CWE-264" ], + "description" : "The default configuration of javax.servlet.context.tempdir in Apache Commons FileUpload 1.0 through 1.2.2 uses the /tmp directory for uploaded files, which allows local users to overwrite arbitrary files via an unspecified symlink attack.", + "notes" : "", + "references" : [ { + "source" : "OSVDB", + "url" : "http://www.osvdb.org/90906", + "name" : "90906" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=144050155601375&w=2", + "name" : "HPSBMU03409" + }, { + "source" : "OSSIndex", + "url" : "http://securitytracker.com/id/1028252", + "name" : "http://securitytracker.com/id/1028252" + }, { + "source" : "BUGTRAQ", + "url" : "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html", + "name" : "20130306 [SECURITY] CVE-2013-0248 Apache Commons FileUpload - Insecure examples" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2013-0248?component-type=maven&component-name=commons-fileupload%2Fcommons-fileupload&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2013-0248] CWE-264: Permissions, Privileges, and Access Controls" + }, { + "source" : "OSSIndex", + "url" : "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html", + "name" : "http://archives.neohapsis.com/archives/bugtraq/2013-03/0035.html" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/58326", + "name" : "58326" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-0248" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/202107-39", + "name" : "GLSA-202107-39" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:commons_fileupload:1.2.2:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-httpclient-3.1.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-httpclient/commons-httpclient/3.1/commons-httpclient-3.1.jar", + "md5" : "8ad8c9229ef2d59ab9f59f7050e846a5", + "sha1" : "964cd74171f427720480efdec40a7c7f6e58426a", + "sha256" : "dbd4953d013e10e7c1cc3701a3e6ccd8c950c892f08d804fabfac21705930443", + "description" : "The HttpClient component supports the client-side of RFC 1945 (HTTP/1.0) and RFC 2616 (HTTP/1.1) , several related specifications (RFC 2109 (Cookies) , RFC 2617 (HTTP Authentication) , etc.), and provides a framework by which new request types (methods) or HTTP extensions can be created easily.", + "license" : "Apache License: http://www.apache.org/licenses/LICENSE-2.0", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-httpclient" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "httpclient" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "methods" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/commons/httpclient", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-httpclient" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-httpclient" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "adrian.sutton -at- ephox.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jericho -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jsdever -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "mbecke -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "oglueck -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "olegk -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rwaldhoff -at- apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sullis -at- apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "adrian" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jericho" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jsdever" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "mbecke" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "oglueck" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "olegk" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sullis" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Adrian Sutton" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jeff Dever" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Michael Becke" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Oleg Kalnichevski" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Ortwin Glueck" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Sean C. Sullivan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Sung-Gu" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Britannica" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Independent consultant" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Intencha" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-httpclient" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "HttpClient" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org/" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/httpcomponents/httpclient-3.x/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-httpclient" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "httpclient" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "methods" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/commons/httpclient", + "name" : "Implementation-Title", + "value" : "org.apache.commons.httpclient" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/commons/httpclient", + "name" : "Specification-Title", + "value" : "Jakarta Commons HttpClient" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-httpclient" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "adrian.sutton -at- ephox.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dion -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jericho -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jsdever -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "mbecke -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "oglueck -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "olegk -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rwaldhoff -at- apache" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sullis -at- apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "adrian" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dion" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jericho" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jsdever" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "mbecke" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "oglueck" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "olegk" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sullis" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Adrian Sutton" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "dIon Gillard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jeff Dever" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Michael Becke" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Oleg Kalnichevski" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Ortwin Glueck" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Sean C. Sullivan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Sung-Gu" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Britannica" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Independent consultant" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Intencha" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Multitask Consulting" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-httpclient" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "HttpClient" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org/" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/httpcomponents/httpclient-3.x/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "3.1" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/commons/httpclient", + "name" : "Implementation-Version", + "value" : "3.1" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "3.1" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-httpclient/commons-httpclient@3.1", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-httpclient/commons-httpclient@3.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:commons-httpclient:3.1:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Acommons-httpclient&cpe_version=cpe%3A%2F%3Aapache%3Acommons-httpclient%3A3.1" + }, { + "id" : "cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Ahttpclient&cpe_version=cpe%3A%2F%3Aapache%3Ahttpclient%3A3.1" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2012-5783", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 5.8, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "4.9" + }, + "cwes" : [ "CWE-295" ], + "description" : "Apache Commons HttpClient 3.x, as used in Amazon Flexible Payments Service (FPS) merchant Java SDK and other products, does not verify that the server hostname matches a domain name in the subject's Common Name (CN) or subjectAltName field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.", + "notes" : "", + "references" : [ { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1147.html", + "name" : "RHSA-2013:1147" + }, { + "source" : "OSSIndex", + "url" : "https://exchange.xforce.ibmcloud.com/#/vulnerabilities/79984", + "name" : "https://exchange.xforce.ibmcloud.com/#/vulnerabilities/79984" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1853.html", + "name" : "RHSA-2013:1853" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2013-02/msg00078.html", + "name" : "openSUSE-SU-2013:0354" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-0682.html", + "name" : "RHSA-2013:0682" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-5783" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/HTTPCLIENT-613", + "name" : "https://issues.apache.org/jira/browse/HTTPCLIENT-613" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-0680.html", + "name" : "RHSA-2013:0680" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-0679.html", + "name" : "RHSA-2013:0679" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2013-04/msg00053.html", + "name" : "openSUSE-SU-2013:0638" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2012-5783?component-type=maven&component-name=commons-httpclient%2Fcommons-httpclient&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2012-5783] CWE-295: Improper Certificate Validation" + }, { + "source" : "MISC", + "url" : "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf", + "name" : "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2013-04/msg00041.html", + "name" : "openSUSE-SU-2013:0623" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2769-1", + "name" : "USN-2769-1" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-0270.html", + "name" : "RHSA-2013:0270" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/58073", + "name" : "58073" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0224.html", + "name" : "RHSA-2014:0224" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2017:0868", + "name" : "RHSA-2017:0868" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2013-04/msg00040.html", + "name" : "openSUSE-SU-2013:0622" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/HTTPCLIENT-1265", + "name" : "https://issues.apache.org/jira/browse/HTTPCLIENT-1265" + }, { + "source" : "OSSIndex", + "url" : "https://rhn.redhat.com/errata/RHSA-2013-0681.html", + "name" : "https://rhn.redhat.com/errata/RHSA-2013-0681.html" + }, { + "source" : "XF", + "url" : "https://exchange.xforce.ibmcloud.com/vulnerabilities/79984", + "name" : "apache-commons-ssl-spoofing(79984)" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-0681.html", + "name" : "RHSA-2013:0681" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:httpclient:3.1:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2020-13956", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "NONE", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "2.9" + }, + "cvssv3" : { + "baseScore" : 5.3, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "LOW", + "availabilityImpact" : "NONE", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "3.9", + "impactScore" : "1.4", + "version" : "3.1" + }, + "cwes" : [ "NVD-CWE-noinfo" ], + "description" : "Apache HttpClient versions prior to version 4.5.13 and 5.0.3 can misinterpret malformed authority component in request URIs passed to the library as java.net.URI object and pick the wrong target host for request execution.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r06cf3ca5c8ceb94b39cd24a73d4e96153b485a7dac88444dd876accb@%3Cissues.drill.apache.org%3E", + "name" : "[drill-issues] 20210604 [jira] [Commented] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r87ddc09295c27f25471269ad0a79433a91224045988b88f0413a97ec@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20210914 [GitHub] [bookkeeper] nicoloboschi opened a new pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2dc7930b43eadc78220d269b79e13ecd387e4bee52db67b2f47d4303@%3Cgitbox.hive.apache.org%3E", + "name" : "[hive-gitbox] 20210301 [GitHub] [hive] hsnusonic opened a new pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r34efec51cb817397ccf9f86e25a75676d435ba5f83ee7b2eabdad707@%3Ccommits.creadur.apache.org%3E", + "name" : "[creadur-commits] 20210608 [jira] [Created] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rcd9ad5dda60c82ab0d0c9bd3e9cb1dc740804451fc20c7f451ef5cc4@%3Cgitbox.hive.apache.org%3E", + "name" : "[hive-gitbox] 20210302 [GitHub] [hive] hsnusonic closed pull request #2032: HIVE-24837 Upgrade httpclient to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r03bbc318c81be21f5c8a9b85e34f2ecc741aa804a8e43b0ef2c37749@%3Cissues.maven.apache.org%3E", + "name" : "[maven-issues] 20210530 [jira] [Updated] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3cecd59fba74404cbf4eb430135e1080897fb376f111406a78bed13a@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r63296c45d5d84447babaf39bd1487329d8a80d8d563e67a4b6f3d8a7@%3Cdev.ranger.apache.org%3E", + "name" : "[ranger-dev] 20201215 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r5de3d3808e7b5028df966e45115e006456c4e8931dc1e29036f17927@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20210316 [jira] [Created] (SOLR-15269) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", + "name" : "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rea3dbf633dde5008d38bf6600a3738b9216e733e03f9ff7becf79625@%3Cissues.drill.apache.org%3E", + "name" : "[drill-issues] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r34178ab6ef106bc940665fd3f4ba5026fac3603b3fa2aefafa0b619d@%3Cdev.ranger.apache.org%3E", + "name" : "[ranger-dev] 20201216 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3f740e4c38bba1face49078aa5cbeeb558c27be601cc9712ad2dcd1e@%3Ccommits.creadur.apache.org%3E", + "name" : "[creadur-commits] 20210608 [jira] [Work started] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfc00884c7b7ca878297bffe45fcb742c362b00b26ba37070706d44c3@%3Cissues.hive.apache.org%3E", + "name" : "[hive-issues] 20210301 [jira] [Updated] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re504acd4d63b8df2a7353658f45c9a3137e5f80e41cf7de50058b2c1@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20210316 [jira] [Resolved] (SOLR-15270) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r5fec9c1d67f928179adf484b01e7becd7c0a6fdfe3a08f92ea743b90@%3Cissues.hive.apache.org%3E", + "name" : "[hive-issues] 20210301 [jira] [Assigned] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfb35f6db9ba1f1e061b63769a4eff5abadcc254ebfefc280e5a0dcf1@%3Ccommits.creadur.apache.org%3E", + "name" : "[creadur-commits] 20210608 [jira] [Resolved] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20220210-0002/", + "name" : "https://security.netapp.com/advisory/ntap-20220210-0002/" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r549ac8c159bf0c568c19670bedeb8d7c0074beded951d34b1c1d0d05@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc505fee574fe8d18f9b0c655a4d120b0ae21bb6a73b96003e1d9be35@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20210623 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6d672b46622842e565e00f6ef6bef83eb55d8792aac2bee75bff9a2a@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20211007 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf43d17ed0d1fb4fb79036b582810ef60b18b1ef3add0d5dea825af1e@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20210921 [GitHub] [lucene-solr] madrob commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra8bc6b61c5df301a6fe5a716315528ecd17ccb8a7f907e24a47a1a5e@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20211011 [GitHub] [lucene-solr] madrob merged pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2a03dc210231d7e852ef73015f71792ac0fcaca6cccc024c522ef17d@%3Ccommits.creadur.apache.org%3E", + "name" : "[creadur-commits] 20210608 [jira] [Commented] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2835543ef0f91adcc47da72389b816e36936f584c7be584d2314fac3@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 opened a new pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf7ca60f78f05b772cc07d27e31bcd112f9910a05caf9095e38ee150f@%3Cdev.ranger.apache.org%3E", + "name" : "[ranger-dev] 20201204 [jira] [Assigned] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ree942561f4620313c75982a4e5f3b74fe6f7062b073210779648eec2@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb725052404fabffbe093c83b2c46f3f87e12c3193a82379afbc529f8@%3Csolr-user.lucene.apache.org%3E", + "name" : "[lucene-solr-user] 20201229 Upgrade httpclient version due to CVE-2020-13956?" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujan2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujan2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rcced7ed3237c29cd19c1e9bf465d0038b8b2e967b99fc283db7ca553@%3Cdev.ranger.apache.org%3E", + "name" : "[ranger-dev] 20201204 [jira] [Updated] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb4ba262d6f08ab9cf8b1ebbcd9b00b0368ffe90dad7ad7918b4b56fc@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20210604 [GitHub] [drill] luocooong opened a new pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6a3cda38d050ebe13c1bc9a28d0a8ec38945095d07eca49046bcb89f@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20210623 [jira] [Updated] (SOLR-15270) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9e52a6c72c8365000ecd035e48cc9fee5a677a150350d4420c46443d@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20210604 [GitHub] [drill] laurentgo merged pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd5ab56beb2ac6879f6ab427bc4e5f7691aed8362d17b713f61779858@%3Cissues.hive.apache.org%3E", + "name" : "[hive-issues] 20210301 [jira] [Work logged] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r132e4c6a560cfc519caa1aaee63bdd4036327610eadbd89f76dd5457@%3Cdev.creadur.apache.org%3E", + "name" : "[creadur-dev] 20210621 [jira] [Updated] (RAT-275) Update httpclient to fix CVE-2020-13956 once a new doxia-core release is available" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r12cb62751b35bdcda0ae2a08b67877d665a1f4d41eee0fa7367169e0@%3Cdev.ranger.apache.org%3E", + "name" : "[ranger-dev] 20201215 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r70c429923100c5a4fae8e5bc71c8a2d39af3de4888f50a0ac3755e6f@%3Ccommits.creadur.apache.org%3E", + "name" : "[creadur-commits] 20210608 [jira] [Assigned] (TENTACLES-13) Upgrade httpclient to circumvent CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra539f20ef0fb0c27ee39945b5f56bf162e5c13d1c60f7344dab8de3b@%3Cissues.maven.apache.org%3E", + "name" : "[maven-issues] 20210530 [jira] [Resolved] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r043a75acdeb52b15dd5e9524cdadef4202e6a5228644206acf9363f9@%3Cdev.hive.apache.org%3E", + "name" : "[hive-dev] 20210301 [jira] [Created] (HIVE-24837) Upgrade httpclient to 4.5.13+ due to CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8aa1e5c343b89aec5b69961471950e862f15246cb6392910161c389b@%3Cissues.maven.apache.org%3E", + "name" : "[maven-issues] 20210530 [jira] [Closed] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r4850b3fbaea02fde2886e461005e4af8d37c80a48b3ce2a6edca0e30@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20211011 [jira] [Resolved] (SOLR-15269) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc5c6ccb86d2afe46bbd4b71573f0448dc1f87bbcd5a0d8c7f8f904b2@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20210921 [GitHub] [lucene-solr] ventry1990 commented on pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc0863892ccfd9fd0d0ae10091f24ee769fb39b8957fe4ebabfc11f17@%3Cdev.jackrabbit.apache.org%3E", + "name" : "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke removed a comment on pull request #310: OAK-9482: upgrade httpclient to 4.5.13" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6eb2dae157dbc9af1f30d1f64e9c60d4ebef618f3dce4a0e32d6ea4d@%3Ccommits.drill.apache.org%3E", + "name" : "[drill-commits] 20210604 [drill] branch master updated: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956 (#2250)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf4db88c22e1be9eb60c7dc623d0528642c045fb196a24774ac2fa3a3@%3Cissues.lucene.apache.org%3E", + "name" : "[lucene-issues] 20211009 [GitHub] [lucene-solr] ventry1990 closed pull request #2579: SOLR-15269: Upgrade Apache HttpComponents Client to 4.5.13 to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r0bebe6f9808ac7bdf572873b4fa96a29c6398c90dab29f131f3ebffe@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20211011 [jira] [Commented] (SOLR-15269) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb33212dab7beccaf1ffef9b88610047c644f644c7a0ebdc44d77e381@%3Ccommits.turbine.apache.org%3E", + "name" : "[turbine-commits] 20210203 svn commit: r1886168 - in /turbine/core/trunk: ./ conf/ conf/test/ src/java/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/ src/test/org/apache/turbine/services/urlmapper/model/ xdocs/howto/" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rae14ae25ff4a60251e3ba2629c082c5ba3851dfd4d21218b99b56652@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20210316 [jira] [Created] (SOLR-15270) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r5b55f65c123a7481104d663a915ec45a0d103e6aaa03f42ed1c07a89@%3Cdev.jackrabbit.apache.org%3E", + "name" : "[jackrabbit-dev] 20210706 [GitHub] [jackrabbit-oak] reschke commented on pull request #310: OAK-9482: upgrade httpclient to 4.5.13" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf03228972e56cb4a03e6d9558188c2938078cf3ceb23a3fead87c9ca@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20210917 [GitHub] [bookkeeper] nicoloboschi commented on pull request #2793: Upgrade httpclient from 4.5.5 to 4.5.13 to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc3739e0ad4bcf1888c6925233bfc37dd71156bbc8416604833095c42@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20210604 [GitHub] [drill] cgivre commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfbedcb586a1e7dfce87ee03c720e583fc2ceeafa05f35c542cecc624@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20210912 [jira] [Updated] (SOLR-15269) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rad6222134183046f3928f733bf680919e0c390739bfbfe6c90049673@%3Cissues.drill.apache.org%3E", + "name" : "[drill-issues] 20210604 [jira] [Resolved] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r6dab7da30f8bf075f79ee189e33b45a197502e2676481bb8787fc0d7%40%3Cdev.hc.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r0a75b8f0f72f3e18442dc56d33f3827b905f2fe5b7ba48997436f5d1@%3Cissues.solr.apache.org%3E", + "name" : "[solr-issues] 20211019 [jira] [Closed] (SOLR-15269) upgrade httpclient to address CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r55b2a1d1e9b1ec9db792b93da8f0f99a4fd5a5310b02673359d9b4d1@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20210604 [jira] [Created] (DRILL-7946) Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc990e2462ec32b09523deafb2c73606208599e196fa2d7f50bdbc587@%3Cissues.maven.apache.org%3E", + "name" : "[maven-issues] 20210621 [jira] [Assigned] (DOXIA-615) Can you provide an updated version in order to fix CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/reef569c2419705754a3acf42b5f19b2a158153cef0e448158bc54917@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20210604 [GitHub] [drill] luocooong commented on pull request #2250: DRILL-7946: Bump HttpClient from 4.5.12 to 4.5.13 for CVE-2020-13956" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r69a94e2f302d1b778bdfefe90fcb4b8c50b226438c3c8c1d0de85a19@%3Cdev.ranger.apache.org%3E", + "name" : "[ranger-dev] 20211028 [jira] [Commented] (RANGER-3100) Upgrade httpclient version from 4.5.6 to 4.5.13+ due to CVE-2020-13956" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "4.5.13" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:httpclient:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "5.0.0", + "versionEndExcluding" : "5.0.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:linux:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:snapcenter:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:commerce_guided_search:11.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_cloud_native_core_service_communication_proxy:1.14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:data_integrator:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:data_integrator:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_orchestrator:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.6.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jd_edwards_enterpriseone_tools:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.2.6.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:nosql_database:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "20.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.57:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.58:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_pt_peopletools:8.59:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.7", + "versionEndIncluding" : "17.12" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:16.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:16.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:18.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:19.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_unifier:20.12:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_customer_management_and_segmentation_foundation:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "16.0", + "versionEndIncluding" : "19.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:spatial_studio:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "20.1.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:sql_developer:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "20.4.1.407.0006" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:sql_developer:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "21.99" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:quarkus:quarkus:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "1.7.6" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-lang-2.3.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-lang/commons-lang/2.3/commons-lang-2.3.jar", + "md5" : "dcdcbb47176603907c9f79a1349193eb", + "sha1" : "0eecdac8c86bc84b4bdfc24371ba8c785a1fc552", + "sha256" : "069361c71f22f8d7fbd4c3a568c015e2809327fc2e68699aeb63a64178cde56f", + "description" : "Commons.Lang, a package of Java utility classes for the\n classes that are in java.lang's hierarchy, or are considered to be so\n standard as to justify existence in java.lang.", + "license" : "The Apache Software License, Version 2.0: /LICENSE.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-lang" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "lang" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-lang" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-lang" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-lang" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bayard@generationjava.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ggregory@seagullsw.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jcarman@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "phil@steitz.com" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "scolebourne@joda.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "stevencaswell@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "fredrik" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "ggregory" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "jcarman" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "psteitz" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "scaswell" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "scolebourne" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Fredrik Westermarck" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Gary D. Gregory" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "James Carman" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Phil Steitz" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Stephen Colebourne" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Steven Caswell" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Carman Consulting, Inc." + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet, Inc." + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Seagull Software" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "SITA ATS Ltd" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-lang" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Lang" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/lang/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-lang" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "lang" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "commons-lang" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Commons Lang" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Commons Lang" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-lang" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "bayard@generationjava.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dlr@finemaltcoding.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "ggregory@seagullsw.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "jcarman@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "phil@steitz.com" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "scolebourne@joda.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "stevencaswell@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "bayard" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dlr" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "fredrik" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "ggregory" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "jcarman" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "psteitz" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "scaswell" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "scolebourne" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Daniel Rall" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Fredrik Westermarck" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Gary D. Gregory" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Henri Yandell" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "James Carman" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Phil Steitz" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Stephen Colebourne" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Steven Caswell" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Carman Consulting, Inc." + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "CollabNet, Inc." + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Seagull Software" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "SITA ATS Ltd" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-lang" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Lang" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/lang/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "2.3" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "2.3" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.3" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-lang/commons-lang@2.3", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-lang/commons-lang@2.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "commons-logging-1.1.jar", + "filePath" : "/home/wtwhite/.m2/repository/commons-logging/commons-logging/1.1/commons-logging-1.1.jar", + "md5" : "6b62417e77b000a87de66ee3935edbf5", + "sha1" : "ba24d5de831911b684c92cd289ed5ff826271824", + "sha256" : "9e8d01f172301b966f1f404aa6fc0bdbec478ae9197256ad95bfcad1ef927601", + "description" : "Commons Logging is a thin adapter allowing configurable bridging to other,\n well known logging systems.", + "license" : "The Apache Software License, Version 2.0: /LICENSE.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-logging" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "logging" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.logging" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-logging" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-logging" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "baliuka@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "costin at apache dot org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "craigmcc at apache org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dennisl@apache.org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "donaldp at apache dot org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "morgand at apache dot org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin at apache dot org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rsitze at apache dot org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rwaldhoff at apache org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders at apache dot org" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "skitching@apache.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "baliuka" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "bstansberry" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "costin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "craigmcc" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "dennisl" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "donaldp" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "morgand" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rsitze" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "skitching" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Brian Stansberry" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Costin Manolache" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Craig McClanahan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Dennis Lundberg" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Juozas Baliuka" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Morgan Delagrange" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Peter Donald" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Richard Sitze" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Simon Kitching" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Apache" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-logging" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Logging" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "commons-logging" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "commons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "logging" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "extension-name", + "value" : "org.apache.commons.logging" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "Jakarta Commons Logging" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "Jakarta Commons Logging" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "commons-logging" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "baliuka@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "costin at apache dot org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "craigmcc at apache org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "dennisl@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "donaldp at apache dot org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "morgand at apache dot org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rdonkin at apache dot org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rsitze at apache dot org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "rwaldhoff at apache org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "sanders at apache dot org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "skitching@apache.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "baliuka" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "bstansberry" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "costin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "craigmcc" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "dennisl" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "donaldp" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "morgand" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rdonkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rsitze" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "rwaldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "skitching" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Brian Stansberry" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Costin Manolache" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Craig McClanahan" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Dennis Lundberg" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Juozas Baliuka" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Morgan Delagrange" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Peter Donald" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Richard Sitze" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Robert Burrell Donkin" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Rodney Waldhoff" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Scott Sanders" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Simon Kitching" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Apache" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "commons-logging" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Logging" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "The Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://jakarta.apache.org" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://jakarta.apache.org/commons/${pom.artifactId.substring(8)}/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.1" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.1" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.1" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/commons-logging/commons-logging@1.1", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/commons-logging/commons-logging@1.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "esapi-2.1.0.jar", + "filePath" : "/home/wtwhite/.m2/repository/org/owasp/esapi/esapi/2.1.0/esapi-2.1.0.jar", + "md5" : "8f4181f64e43a73e396ed963cf23e427", + "sha1" : "1892f47602b211ec72abc45df93a69c953a7ffba", + "sha256" : "bbb1179323c7acad5f754191a5ae746f9819a62a4409f4e623102481038c1fa0", + "description" : "The Enterprise Security API (ESAPI) project is an OWASP project\n to create simple strong security controls for every web platform.\n Security controls are not simple to build. You can read about the\n hundreds of pitfalls for unwary developers on the OWASP web site. By\n providing developers with a set of strong controls, we aim to\n eliminate some of the complexity of creating secure web applications.\n This can result in significant cost savings across the SDLC.\n ", + "license" : "BSD: http://www.opensource.org/licenses/bsd-license.php\nCreative Commons 3.0 BY-SA: http://creativecommons.org/licenses/by-sa/3.0/", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/io.github.jensdietrich.xshady/CVE-2013-5960@1.0.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "esapi" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "esapi" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "owasp" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "The Open Web Application Security Project (OWASP)" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Implementation-Vendor-Id", + "value" : "org.owasp.esapi" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "The Open Web Application Security Project (OWASP)" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "esapi" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "esapi" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Chris Schmidt" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jeff Williams" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Jim Manico" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Kevin W. Wall" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Aspect Security" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Wells Fargo" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.owasp.esapi" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "ESAPI" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "The Open Web Application Security Project (OWASP)" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://www.owasp.org/index.php" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://www.esapi.org/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "esapi" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "esapi" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "owasp" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "ESAPI" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "ESAPI" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "esapi" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Chris Schmidt" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jeff Williams" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Jim Manico" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Kevin W. Wall" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Aspect Security" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Wells Fargo" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "org.owasp.esapi" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "ESAPI" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "The Open Web Application Security Project (OWASP)" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://www.owasp.org/index.php" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://www.esapi.org/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "2.1.0" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "2.1.0" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.1.0" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/org.owasp.esapi/esapi@2.1.0", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/org.owasp.esapi/esapi@2.1.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilities" : [ { + "source" : "OSSINDEX", + "name" : "CVE-2022-23457", + "severity" : "HIGH", + "cvssv2" : { + "score" : 9.8, + "accessVector" : "N", + "accessComplexity" : "L", + "authenticationr" : "$enc.json($vuln.cvssV2.authentication)", + "confidentialImpact" : "H", + "integrityImpact" : "H", + "availabilityImpact" : "H", + "severity" : "HIGH" + }, + "cwes" : [ "CWE-22" ], + "description" : "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt", + "name" : "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23457?component-type=maven&component-name=org.owasp.esapi%2Fesapi&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-23457] CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23457", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23457" + }, { + "source" : "OSSIndex", + "url" : "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/", + "name" : "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:org.owasp.esapi:esapi:2.1.0:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + }, { + "source" : "OSSINDEX", + "name" : "CVE-2022-24891", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 6.1, + "accessVector" : "N", + "accessComplexity" : "L", + "authenticationr" : "$enc.json($vuln.cvssV2.authentication)", + "confidentialImpact" : "L", + "integrityImpact" : "L", + "availabilityImpact" : "N", + "severity" : "MEDIUM" + }, + "cwes" : [ "CWE-Other" ], + "description" : "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause \"javascript:\" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.", + "notes" : "", + "references" : [ { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-24891?component-type=maven&component-name=org.owasp.esapi%2Fesapi&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-24891] CWE-Other" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf", + "name" : "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24891", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24891" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q", + "name" : "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:org.owasp.esapi:esapi:2.1.0:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "log4j-1.2.16.jar", + "filePath" : "/home/wtwhite/.m2/repository/log4j/log4j/1.2.16/log4j-1.2.16.jar", + "md5" : "363678f015902bcc040308136f845a3f", + "sha1" : "7999a63bfccbc7c247a9aea10d83d4272bd492c6", + "sha256" : "7ae3fdde7ab0cae4735a2aec04381ad9b6e25c93d24205f3ed315d9866f12fe1", + "description" : "Apache Log4j 1.2", + "license" : "The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "log4j" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "log4j" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-docurl", + "value" : "http://logging.apache.org/log4j/1.2" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "log4j" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org.apache.log4j", + "name" : "Implementation-Vendor", + "value" : "\"Apache Software Foundation\"" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "log4j" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "log4j" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "log4j" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Apache Log4j" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "organization name", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "organization url", + "value" : "http://www.apache.org" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://logging.apache.org/log4j/1.2/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "log4j" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "log4j" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-docurl", + "value" : "http://logging.apache.org/log4j/1.2" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Bundle-Name", + "value" : "Apache Log4j" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "log4j" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org.apache.log4j", + "name" : "Implementation-Title", + "value" : "log4j" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "log4j" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "log4j" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Apache Log4j" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization name", + "value" : "Apache Software Foundation" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "organization url", + "value" : "http://www.apache.org" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://logging.apache.org/log4j/1.2/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.2.16" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Bundle-Version", + "value" : "1.2.16" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org.apache.log4j", + "name" : "Implementation-Version", + "value" : "1.2.16" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.2.16" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/log4j/log4j@1.2.16", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/log4j/log4j@1.2.16?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:log4j:1.2.16:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Alog4j&cpe_version=cpe%3A%2F%3Aapache%3Alog4j%3A1.2.16" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2019-17571", + "severity" : "CRITICAL", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 9.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "CRITICAL", + "exploitabilityScore" : "3.9", + "impactScore" : "5.9", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data. This affects Log4j versions up to 1.2 up to 1.2.17.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd882ab6b642fe59cbbe94dc02bd197342058208f482e57b537940a4b@%3Cpluto-dev.portals.apache.org%3E", + "name" : "[portals-pluto-dev] 20210629 [jira] [Updated] (PLUTO-787) Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r696507338dd5f44efc23d98cafe30f217cf3ba78e77ed1324c7a5179@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200514 [GitHub] [kafka] jeffhuang26 commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd3a9511eebab60e23f224841390a3f8cd5358cff605c5f7042171e47@%3Cdev.tinkerpop.apache.org%3E", + "name" : "[tinkerpop-dev] 20210316 [jira] [Created] (TINKERPOP-2534) Log4j flagged as critical security violation" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2756fd570b6709d55a61831ca028405bcb3e312175a60bc5d911c81f@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200105 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rbdf18e39428b5c80fc35113470198b1fe53b287a76a46b0f8780b5fd@%3Cdev.zookeeper.apache.org%3E", + "name" : "[zookeeper-dev] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cusers.kafka.apache.org%3E", + "name" : "[kafka-users] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6d34da5a0ca17ab08179a30c971446c7421af0e96f6d60867eabfc52@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211006 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rcd71280585425dad7e232f239c5709e425efdd0d3de4a92f808a4767@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211018 [GitHub] [bookkeeper] RaulGracia commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r909b8e3a36913944d3b7bafe9635d4ca84f8f0e2cd146a1784f667c2@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200129 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra9611a8431cb62369bce8909d7645597e1dd45c24b448836b1e54940@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211017 [GitHub] [bookkeeper] zymap commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r4b25538be50126194cc646836c718b1a4d8f71bd9c912af5b59134ad@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200115 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8e3f7da12bf5750b0a02e69a78a61073a2ac950eed7451ce70a65177@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20200118 [zookeeper] branch master updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "CONFIRM", + "url" : "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/564f03b4e9511fcba29c68fc0299372dadbdb002718fa8edcc4325e4@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r18f1c010b554a3a2d761e8ffffd8674fd4747bcbcf16c643d708318c@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200228 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3bf7b982dfa0779f8a71f843d2aa6b4184a53e6be7f149ee079387fd@%3Cdev.kafka.apache.org%3E", + "name" : "[kafka-dev] 20210611 Re: [DISCUSS] KIP-719: Add Log4J2 Appender" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf2567488cfc9212b42e34c6393cfa1c14e30e4838b98dda84d71041f@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200106 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2ff63f210842a3c5e42f03a35d8f3a345134d073c80a04077341c211@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r594411f4bddebaf48a4c70266d0b7849e0d82bb72826f61b3a35bba7@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211006 [GitHub] [bookkeeper] RaulGracia opened a new pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/479471e6debd608c837b9815b76eab24676657d4444fcfd5ef96d6e6@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20191230 [jira] [Created] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6aec6b8f70167fa325fb98b3b5c9ce0ffaed026e697b69b85ac24628@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200108 [jira] [Assigned] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8c6300245c0bcef095e9f07b48157e2c6471df0816db3408fcf1d748@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra54fa49be3e773d99ccc9c2a422311cf77e3ecd3b8594ee93043a6b1@%3Cdev.zookeeper.apache.org%3E", + "name" : "[zookeeper-dev] 20201103 [jira] [Created] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r48d5019bd42e0770f7e5351e420a63a41ff1f16924942442c6aff6a8@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc1eaed7f7d774d5d02f66e49baced31e04827a1293d61a70bd003ca7@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200108 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rec34b1cccf907898e7cb36051ffac3ccf1ea89d0b261a2a3b3fb267f@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb3c94619728c8f8c176d8e175e0a1086ca737ecdfcd5a2214bb768bc@%3Ccommits.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-commits] 20211014 [bookkeeper] branch master updated: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571 (#2816)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2ce8d26154bea939536e6cf27ed02d3192bf5c5d04df885a80fe89b3@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200208 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf9c19bcc2f7a98a880fa3e3456c003d331812b55836b34ef648063c9@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200529 [GitHub] [kafka] ijuma commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2020.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2020.html" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9fb3238cfc3222f2392ca6517353aadae18f76866157318ac562e706@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Comment Edited] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r1b103833cb5bc8466e24ff0ecc5e75b45a705334ab6a444e64e840a0@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20200729 [GitHub] [bookkeeper] padma81 opened a new issue #2387: Security vulnerabilities in the apache/bookkeeper-4.9.2 image" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9d2e28e71f91ba0b6f4114c8ecd96e2b1f7e0d06bdf8eb768c183aa9@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20211006 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3543ead2317dcd3306f69ee37b07dd383dbba6e2f47ff11eb55879ad@%3Cusers.activemq.apache.org%3E", + "name" : "[activemq-users] 20210427 Re: Release date for ActiveMQ v5.16.2 to fix CVEs" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9dc2505651788ac668299774d9e7af4dc616be2f56fdc684d1170882@%3Cusers.activemq.apache.org%3E", + "name" : "[activemq-users] 20210830 Security issues" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8890b8f18f1de821595792b58b968a89692a255bc20d86d395270740@%3Ccommits.druid.apache.org%3E", + "name" : "[druid-commits] 20200406 [GitHub] [druid] ccaominh commented on issue #9579: Add Apache Ranger Authorization" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r5c084578b3e3b40bd903c9d9e525097421bcd88178e672f612102eb2@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20210211 [GitHub] [kafka] ch4rl353y commented on pull request #7898: KAFKA-9366: Change log4j dependency into log4j2" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rbd19de368abf0764e4383ec44d527bc9870176f488a494f09a40500d@%3Ccommon-dev.hadoop.apache.org%3E", + "name" : "[hadoop-common-dev] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd6254837403e8cbfc7018baa9be29705f3f06bd007c83708f9a97679@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200118 [jira] [Resolved] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6b45a2fcc8e98ac93a179183dbb7f340027bdb8e3ab393418076b153@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r1b7734dfdfd938640f2f5fb6f4231a267145c71ed60cc7faa1cbac07@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Adress: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8418a0dff1729f19cf1024937e23a2db4c0f94f2794a423f5c10e8e7@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211017 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd5dbeee4808c0f2b9b51479b50de3cc6adb1072c332a200d9107f13e@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/84cc4266238e057b95eb95dfd8b29d46a2592e7672c12c92f68b2917%40%3Cannounce.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r26244f9f7d9a8a27a092eb0b2a0ca9395e88fcde8b5edaeca7ce569c@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Assigned] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rca24a281000fb681d7e26e5c031a21eb4b0593a7735f781b53dae4e2@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200114 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3784834e80df2f284577a5596340fb84346c91a2dea6a073e65e3397@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200730 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r90c23eb8c82835fa82df85ae5e88c81fd9241e20a22971b0fb8f2c34@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211013 [GitHub] [bookkeeper] eolivelli commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3a85514a518f3080ab1fc2652cfe122c2ccf67cfb32356acb1b08fe8@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200107 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9d0d03f2e7d9e13c68b530f81d02b0fec33133edcf27330d8089fcfb@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20201103 [jira] [Created] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r746fbc3fc13aee292ae6851f7a5080f592fa3a67b983c6887cdb1fc5@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200111 [jira] [Closed] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, { + "source" : "OSSIndex", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1785616", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1785616" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r356d57d6225f91fdc30f8b0a2bed229d1ece55e16e552878c5fa809a@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200108 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rbc45eb0f53fd6242af3e666c2189464f848a851d408289840cecc6e3@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20200504 [zookeeper] branch master updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r7a1acc95373105169bd44df710c2f462cad31fb805364d2958a5ee03@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200625 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2020/01/msg00008.html", + "name" : "[debian-lts-announce] 20200112 [SECURITY] [DLA 2065-1] apache-log4j1.2 security update" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cusers.kafka.apache.org%3E", + "name" : "[kafka-users] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r944183c871594fe9a555b8519a7c945bbcf6714d72461aa6c929028f@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200107 [jira] [Created] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf1b434e11834a4449cd7addb69ed0aef0923112b5938182b363a968c@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20200108 [GitHub] [zookeeper] eolivelli opened a new pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r4ac89cbecd9e298ae9fafb5afda6fa77ac75c78d1ac957837e066c4e@%3Cuser.zookeeper.apache.org%3E", + "name" : "[zookeeper-user] 20200201 Re: Zookeeper 3.5.6 supports log4j 2.x?" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r9a9e3b42cd5d1c4536a14ef04f75048dec8e2740ac6a138ea912177f@%3Cpluto-dev.portals.apache.org%3E", + "name" : "[portals-pluto-dev] 20210629 [jira] [Closed] (PLUTO-787) Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/8ab32b4c9f1826f20add7c40be08909de9f58a89dc1de9c09953f5ac@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20191226 [jira] [Created] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rbf4ce74b0d1fa9810dec50ba3ace0caeea677af7c27a97111c06ccb7@%3Cdev.kafka.apache.org%3E", + "name" : "[kafka-dev] 20210901 Re: [EXTERNAL] Re: Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/6114ce566200d76e3cc45c521a62c2c5a4eac15738248f58a99f622c@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20191230 [jira] [Created] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3d666e4e8905157f3c046d31398b04f2bfd4519e31f266de108c6919@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200122 [jira] [Resolved] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r61db8e7dcb56dc000a5387a88f7a473bacec5ee01b9ff3f55308aacc@%3Cdev.kafka.apache.org%3E", + "name" : "[kafka-dev] 20210831 Security vulnerabilities in kafka:2.13-2.6.0/2.7.0 docker image" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra38785cfc0e7f17f8e24bebf775dd032c033fadcaea29e5bc9fffc60@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200111 Re: [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2019-17571?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2019-17571] CWE-502: Deserialization of Untrusted Data" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd0e44e8ef71eeaaa3cf3d1b8b41eb25894372e2995ec908ce7624d26@%3Ccommits.pulsar.apache.org%3E", + "name" : "[pulsar-commits] 20201215 [GitHub] [pulsar] yanshuchong opened a new issue #8967: CVSS issue list" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rda4849c6823dd3e83c7a356eb883180811d5c28359fe46865fd151c3@%3Cusers.kafka.apache.org%3E", + "name" : "[kafka-users] 20210210 Security: CVE-2019-17571 (log4j)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rb1b29aee737e1c37fe1d48528cb0febac4f5deed51f5412e6fdfe2bf@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200228 [jira] [Resolved] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpuapr2020.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8244fd0831db894d5e89911ded9c72196d395a90ae655414d23ed0dd@%3Cusers.activemq.apache.org%3E", + "name" : "[activemq-users] 20210427 Release date for ActiveMQ v5.16.2 to fix CVEs" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/ra18a903f785aed9403aea38bc6f36844a056283c00dcfc6936b6318c@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211007 [GitHub] [bookkeeper] RaulGracia commented on pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/277b4b5c2b0e06a825ccec565fa65bd671f35a4d58e3e2ec5d0618e1@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20191226 [jira] [Commented] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, { + "source" : "UBUNTU", + "url" : "https://usn.ubuntu.com/4495-1/", + "name" : "USN-4495-1" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2721aba31a8562639c4b937150897e24f78f747cdbda8641c0f659fe@%3Cusers.kafka.apache.org%3E", + "name" : "[kafka-users] 20210617 vulnerabilities" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r681b4432d0605f327b68b9f8a42662993e699d04614de4851c35ffd1@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200110 [jira] [Commented] (TIKA-3019) [9.8] [CVE-2019-17571] [tika-app] [1.23]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r189aaeaad897f7d6b96f7c43a8ef2dfb9f6e9f8c1cc9ad182ce9b9ae@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200106 [jira] [Commented] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rdec0d8ac1f03e6905b0de2df1d5fcdb98b94556e4f6cccf7519fdb26@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20200111 [jira] [Resolved] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rd7805c1bf9388968508c6c8f84588773216e560055ddcc813d19f347@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Updated] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc628307962ae1b8cc2d21b8e4b7dd6d7755b2dd52fa56a151a27e4fd@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200108 [jira] [Updated] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8a1cfd4705258c106e488091fcec85f194c82f2bbde6bd151e201870@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200107 [jira] [Updated] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuApr2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuApr2021.html" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/LOG4J2-1863", + "name" : "https://issues.apache.org/jira/browse/LOG4J2-1863" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r107c8737db39ec9ec4f4e7147b249e29be79170b9ef4b80528105a2d@%3Cdev.zookeeper.apache.org%3E", + "name" : "[zookeeper-dev] 20200118 Build failed in Jenkins: zookeeper-master-maven-owasp #329" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2020/dsa-4686", + "name" : "DSA-4686" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r7bcdc710857725c311b856c0b82cee6207178af5dcde1bd43d289826@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200122 [jira] [Assigned] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re8c21ed9dd218c217d242ffa90778428e446b082b5e1c29f567e8374@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200228 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3cf50d05ce8cec8c09392624b7bae750e7643dae60ef2438641ee015@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20201103 [jira] [Resolved] (ZOOKEEPER-3990) Log4j 1.2.17 used by zookeeper 3.6.1 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r52a5129df402352adc34d052bab9234c8ef63596306506a89fdc7328@%3Cusers.activemq.apache.org%3E", + "name" : "[activemq-users] 20210831 RE: Security issues" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rc17d8491beee51607693019857e41e769795366b85be00aa2f4b3159@%3Cnotifications.zookeeper.apache.org%3E", + "name" : "[zookeeper-notifications] 20200118 [GitHub] [zookeeper] asfgit closed pull request #1209: ZOOKEEPER-3677 owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r61590890edcc64140e0c606954b29a063c3d08a2b41d447256d51a78@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200127 [jira] [Commented] (AMQ-7370) log4j 1.2 version used by AMQ 5.15.10 / 5.15.11 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/raedd12dc24412b3780432bf202a2618a21a727788543e5337a458ead@%3Cissues.activemq.apache.org%3E", + "name" : "[activemq-issues] 20200122 [jira] [Updated] (AMQ-7372) [9.8] [CVE-2019-17571] [activemq-all] [5.15.10]" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/re36da78e4f3955ba6c1c373a2ab85a4deb215ca74b85fcd66142fea1@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211006 [GitHub] [bookkeeper] RaulGracia opened a new issue #2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2020-01/msg00022.html", + "name" : "openSUSE-SU-2020:0051" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rdb7ddf28807e27c7801f6e56a0dfb31092d34c61bdd4fa2de9182119@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211007 [GitHub] [bookkeeper] RaulGracia commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r13d4b5c60ff63f3c4fab51d6ff266655be503b8a1884e2f2fab67c3a@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Created] (HADOOP-17221) Upgrade log4j-1.2.17 to atlassian ( To Adress: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf53eeefb7e7e524deaacb9f8671cbf01b8a253e865fb94e7656722c0@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211007 [GitHub] [bookkeeper] eolivelli commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r48efc7cb5aeb4e1f67aaa06fb4b5479a5635d12f07d0b93fc2d08809@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20200504 [zookeeper] branch branch-3.6 updated: ZOOKEEPER-3817: suppress log4j SmtpAppender related CVE-2020-9488" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/752ec92cd1e334a639e79bfbd689a4ec2c6579ec5bb41b53ffdf358d@%3Cdev.kafka.apache.org%3E", + "name" : "[kafka-dev] 20200105 [jira] [Created] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8d78a0fbb56d505461e29868d1026e98c402e6a568c13a6da67896a2@%3Cdev.jena.apache.org%3E", + "name" : "[jena-dev] 20200318 Re: Logging (JENA-1005)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf77f79699c8d7e430c14cf480f12ed1297e6e8cf2ed379a425941e80@%3Cpluto-dev.portals.apache.org%3E", + "name" : "[portals-pluto-dev] 20210629 [jira] [Updated] (PLUTO-787) Migrate from Log4J and SLF4J dependencies due to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rdf2a0d94c3b5b523aeff7741ae71347415276062811b687f30ea6573@%3Ccommits.zookeeper.apache.org%3E", + "name" : "[zookeeper-commits] 20200118 [zookeeper] branch branch-3.5 updated: ZOOKEEPER-3677: owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r7f462c69d5ded4c0223e014d95a3496690423c5f6f05c09e2f2a407a@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200624 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r05755112a8c164abc1004bb44f198b1e3d8ca3d546a8f13ebd3aa05f@%3Cissues.zookeeper.apache.org%3E", + "name" : "[zookeeper-issues] 20200107 [jira] [Commented] (ZOOKEEPER-3677) owasp checker failing for - CVE-2019-17571 Apache Log4j 1.2 deserialization of untrusted data in SocketServer" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/44491fb9cc19acc901f7cff34acb7376619f15638439416e3e14761c@%3Cdev.tika.apache.org%3E", + "name" : "[tika-dev] 20191226 [jira] [Created] (TIKA-3018) log4j 1.2 version used by Apache Tika 1.23 is vulnerable to CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rf9fa47ab66495c78bb4120b0754dd9531ca2ff0430f6685ac9b07772@%3Cdev.mina.apache.org%3E", + "name" : "[mina-dev] 20210225 [jira] [Created] (FTPSERVER-500) Security vulnerability in common/lib/log4j-1.2.17.jar" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/rfdf65fa675c64a64459817344e0e6c44d51ee264beea6e5851fb60dc@%3Cissues.bookkeeper.apache.org%3E", + "name" : "[bookkeeper-issues] 20211016 [GitHub] [bookkeeper] pkumar-singh commented on a change in pull request #2816: Issue 2815: Upgrade to log4j2 to get rid of CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r6236b5f8646d48af8b66d5050f288304016840788e508c883356fe0e@%3Clog4j-user.logging.apache.org%3E", + "name" : "[logging-log4j-user] 20200224 Apache Log4j - Migration activity to 2.12.1 version - Request to support for the queries posted" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r3c575cabc7386e646fb12cb82b0b38ae5a6ade8a800f827107824495@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200106 [jira] [Assigned] (KAFKA-9366) please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/reaf6b996f74f12b4557bc221abe88f58270ac583942fa41293c61f94@%3Cpluto-scm.portals.apache.org%3E", + "name" : "[portals-pluto-scm] 20210629 [portals-pluto] branch master updated: PLUTO-787 Migrate from Log4j 1.x to Log4j 2.x due to CVE-2019-17571" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20200110-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20200110-0001/" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r8c392ca48bb7e50754e4bc05865e9731b23d568d18a520fe3d8c1f75@%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "[hadoop-common-issues] 20200824 [jira] [Commented] (HADOOP-17221) update log4j-1.2.17 to atlassian version( To Address: CVE-2019-17571)" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r71e26f9c2d5826c6f95ad60f7d052d75e1e70b0d2dd853db6fc26d5f@%3Cjira.kafka.apache.org%3E", + "name" : "[kafka-jira] 20200602 [GitHub] [kafka] dongjinleekr commented on pull request #7898: KAFKA-9366: please consider upgrade log4j to log4j2 due to critical security problem CVE-2019-17571" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:bookkeeper:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "4.14.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "1.2.17" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:oncommand_system_manager:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "3.0", + "versionEndIncluding" : "3.1.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:oncommand_workflow_automation:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:application_testing_suite:13.3.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_network_integrity:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "7.3.2", + "versionEndIncluding" : "7.3.6" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:endeca_information_discovery_studio:3.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_lending_and_leasing:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "14.1.0", + "versionEndIncluding" : "14.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_lending_and_leasing:12.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "8.0.29" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "16.2", + "versionEndIncluding" : "16.2.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.12.0", + "versionEndIncluding" : "17.12.7" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:rapid_planning:12.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:rapid_planning:12.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_extract_transform_and_load:19.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:14.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:10.3.6.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.1.3.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2020-9493", + "severity" : "CRITICAL", + "cvssv2" : { + "score" : 6.8, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 9.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "CRITICAL", + "exploitabilityScore" : "3.9", + "impactScore" : "5.9", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "A deserialization flaw was found in Apache Chainsaw versions prior to 2.1.0 which could lead to malicious code execution.", + "notes" : "", + "references" : [ { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/01/18/5", + "name" : "[oss-security] 20220118 CVE-2022-23307: Apache Log4j 1.x: A deserialization flaw in the Chainsaw component of Log4j 1 can lead to malicious code execution." + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2021/06/16/1", + "name" : "[oss-security] 20210615 CVE-2020-9493: Apache Chainsaw: Java deserialization in Chainsaw" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r50d389c613ba6062a26aa57e163c09bfee4ff2d95d67331d75265b83@%3Cannounce.apache.org%3E", + "name" : "[announce] 20210615 CVE-2020-9493: Apache Chainsaw: Java deserialization in Chainsaw" + }, { + "source" : "MISC", + "url" : "https://www.openwall.com/lists/oss-security/2021/06/16/1", + "name" : "https://www.openwall.com/lists/oss-security/2021/06/16/1" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.1.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.2", + "versionEndExcluding" : "2.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "1.2.18.1" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-23305", + "severity" : "CRITICAL", + "cvssv2" : { + "score" : 6.8, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 9.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "CRITICAL", + "exploitabilityScore" : "3.9", + "impactScore" : "5.9", + "version" : "3.1" + }, + "cwes" : [ "CWE-89" ], + "description" : "By design, the JDBCAppender in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from PatternLayout. The message converter, %m, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed. Note this issue only affects Log4j 1.x when specifically configured to use the JDBCAppender, which is not the default. Beginning in version 2.0-beta8, the JDBCAppender was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", + "notes" : "", + "references" : [ { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/01/18/4", + "name" : "[oss-security] 20220118 CVE-2022-23305: SQL injection in JDBC Appender in Apache Log4j V1" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", + "name" : "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" + }, { + "source" : "OSSIndex", + "url" : "https://logging.apache.org/log4j/1.2/index.html", + "name" : "https://logging.apache.org/log4j/1.2/index.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23305", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23305" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", + "name" : "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y" + }, { + "source" : "OSSIndex", + "url" : "https://logging.apache.org/log4j/2.x/security.html", + "name" : "https://logging.apache.org/log4j/2.x/security.html" + }, { + "source" : "MISC", + "url" : "https://logging.apache.org/log4j/1.2/index.html", + "name" : "https://logging.apache.org/log4j/1.2/index.html" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23305?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-23305] CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20220217-0007/", + "name" : "https://security.netapp.com/advisory/ntap-20220217-0007/" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.2", + "versionEndIncluding" : "1.2.17" + } + }, { + "software" : { + "id" : "cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "12.0.0.4.4" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.2.1.1.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_information_discovery:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "12.2.3", + "versionEndIncluding" : "12.2.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "11.2.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "11.2.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "8.0.29" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "1.2.18.2" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-23302", + "severity" : "HIGH", + "cvssv2" : { + "score" : 6.0, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "SINGLE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "6.8", + "impactScore" : "6.4" + }, + "cvssv3" : { + "baseScore" : 8.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "2.8", + "impactScore" : "5.9", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "JMSSink in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a TopicConnectionFactoryBindingName configuration causing JMSSink to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-4104. Note this issue only affects Log4j 1.x when specifically configured to use JMSSink, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", + "name" : "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20220217-0006/", + "name" : "https://security.netapp.com/advisory/ntap-20220217-0006/" + }, { + "source" : "OSSIndex", + "url" : "https://logging.apache.org/log4j/1.2/index.html", + "name" : "https://logging.apache.org/log4j/1.2/index.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23302", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23302" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", + "name" : "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w" + }, { + "source" : "MISC", + "url" : "https://logging.apache.org/log4j/1.2/index.html", + "name" : "https://logging.apache.org/log4j/1.2/index.html" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/01/18/3", + "name" : "[oss-security] 20220118 CVE-2022-23302: Deserialization of untrusted data in JMSSink in Apache Log4j 1.x" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23302?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-23302] CWE-502: Deserialization of Untrusted Data" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0.1", + "versionEndIncluding" : "1.2.17" + } + }, { + "software" : { + "id" : "cpe:2.3:a:broadcom:brocade_sannav:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:oracle:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:snapmanager:-:*:*:*:*:sap:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "12.0.0.4.4" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.2.1.1.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "11.2.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "11.2.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "8.0.29" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "1.2.18.1" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-23307", + "severity" : "HIGH", + "cvssv2" : { + "score" : 9.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "SINGLE", + "confidentialImpact" : "COMPLETE", + "integrityImpact" : "COMPLETE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "8.0", + "impactScore" : "10.0" + }, + "cvssv3" : { + "baseScore" : 8.8, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "LOW", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "HIGH", + "integrityImpact" : "HIGH", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "2.8", + "impactScore" : "5.9", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", + "name" : "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" + }, { + "source" : "OSSIndex", + "url" : "https://logging.apache.org/log4j/1.2/index.html", + "name" : "https://logging.apache.org/log4j/1.2/index.html" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23307?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-23307] CWE-502: Deserialization of Untrusted Data" + }, { + "source" : "OSSIndex", + "url" : "https://logging.apache.org/log4j/2.x/security.html", + "name" : "https://logging.apache.org/log4j/2.x/security.html" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", + "name" : "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh" + }, { + "source" : "MISC", + "url" : "https://logging.apache.org/log4j/1.2/index.html", + "name" : "https://logging.apache.org/log4j/1.2/index.html" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23307" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:chainsaw:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.1.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.2", + "versionEndExcluding" : "2.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:advanced_supply_chain_planning:12.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:5.9.0.0.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.3.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_intelligence:12.2.1.4.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:business_process_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_eagle_ftp_table_base_retrieval:4.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_instant_messaging_server:10.0.1.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_messaging_server:8.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_network_integrity:7.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "12.0.0.4.4" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_offline_mediation_controller:12.0.0.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_unified_inventory_management:7.4.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "2.2.1.1.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:e-business_suite_cloud_manager_and_cloud_backup_module:2.2.1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.4.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:enterprise_manager_base_platform:13.5.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.7.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_revenue_management_and_billing_analytics:2.8.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:healthcare_foundation:8.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_data_relationship_management:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "11.2.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:hyperion_infrastructure_technology:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "11.2.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_management_suite:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_management_suite:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:identity_manager_connector:11.1.1.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdeveloper:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:middleware_common_libraries_and_tools:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:mysql_enterprise_monitor:*:*:*:*:*:*:*:*", + "versionEndIncluding" : "8.0.29" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:tuxedo:12.2.2.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:qos:reload4j:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "1.2.18.1" + } + } ] + }, { + "source" : "OSSINDEX", + "name" : "CVE-2021-4104", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "N", + "accessComplexity" : "H", + "authenticationr" : "$enc.json($vuln.cvssV2.authentication)", + "confidentialImpact" : "H", + "integrityImpact" : "H", + "availabilityImpact" : "H", + "severity" : "HIGH" + }, + "cwes" : [ "CWE-502" ], + "description" : "JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration. The attacker can provide TopicBindingName and TopicConnectionFactoryBindingName configurations causing JMSAppender to perform JNDI requests that result in remote code execution in a similar fashion to CVE-2021-44228. Note this issue only affects Log4j 1.2 when specifically configured to use JMSAppender, which is not the default. Apache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\n\nSonatype's research suggests that this CVE's details differ from those defined at NVD. See https://ossindex.sonatype.org/vulnerability/CVE-2021-4104 for details", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126", + "name" : "https://github.com/apache/logging-log4j2/pull/608#issuecomment-990494126" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-4104" + }, { + "source" : "OSSIndex", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2031667", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=2031667" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2021-4104?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2021-4104] CWE-502: Deserialization of Untrusted Data" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:log4j:log4j:1.2.16:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2023-26464", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-502" ], + "description" : "** UNSUPPORTED WHEN ASSIGNED **\n\nWhen using the Chainsaw or SocketAppender components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted (ie, deeply nested) \nhashmap or hashtable (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve Denial of Service when the object is deserialized.\n\nThis issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x.\n\nNOTE: This vulnerability only affects products that are no longer supported by the maintainer.\n\n\n\n\n", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://security.netapp.com/advisory/ntap-20230505-0008/", + "name" : "https://security.netapp.com/advisory/ntap-20230505-0008/" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26464", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2023-26464" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2023-26464?component-type=maven&component-name=log4j%2Flog4j&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2023-26464] CWE-502: Deserialization of Untrusted Data" + }, { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t", + "name" : "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t", + "name" : "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/advisories/GHSA-vp98-w2p3-mv35", + "name" : "https://github.com/advisories/GHSA-vp98-w2p3-mv35" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:log4j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "1.0.4", + "versionEndExcluding" : "2.0" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "logkit-1.0.1.jar", + "filePath" : "/home/wtwhite/.m2/repository/logkit/logkit/1.0.1/logkit-1.0.1.jar", + "md5" : "32240100a5c15d53f00392fae4b0aab7", + "sha1" : "aaf5649b523c5ffc925e746074979150bb74bfdc", + "sha256" : "7ea93b4fc21f3d05ed224b168a025f864db75ddfddc2343e1ec29a386d7501e0", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "logkit" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "log" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "logkit" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "output" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "logkit" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "logkit" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "logkit" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "logkit" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "log" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "logkit" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "output" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "logkit" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "logkit" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.0.1" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.0.1" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/logkit/logkit@1.0.1", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/logkit/logkit@1.0.1?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "nekohtml-1.9.12.jar", + "filePath" : "/home/wtwhite/.m2/repository/net/sourceforge/nekohtml/nekohtml/1.9.12/nekohtml-1.9.12.jar", + "md5" : "0e5bd4ce84fab674dbc0c95c4bd193d0", + "sha1" : "6b58cfa01218d900a5c5996b82b52cffab981c0a", + "sha256" : "7580bbf927c939ffb81139ec42fec395f7228c1d81ca8757261e119e7876cc80", + "license" : "The Apache Software License, Version 2.0: http://www.apache.org/licenses/LICENSE-2.0.txt", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "nekohtml" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "html" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/cyberneko/html/", + "name" : "Implementation-Vendor", + "value" : "Andy Clark" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "nekohtml" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "nekohtml" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "net.sourceforge.nekohtml" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Neko HTML" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://nekohtml.sourceforge.net/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "nekohtml" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "cyberneko" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "html" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/cyberneko/html/", + "name" : "Implementation-Title", + "value" : "CyberNeko HTML Parser" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/cyberneko/html/", + "name" : "Specification-Title", + "value" : "Hyper-Text Markup Language (HTML)" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "nekohtml" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "net.sourceforge.nekohtml" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Neko HTML" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://nekohtml.sourceforge.net/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.9.12" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/cyberneko/html/", + "name" : "Implementation-Version", + "value" : "1.9.12" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.9.12" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.12", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/net.sourceforge.nekohtml/nekohtml@1.9.12?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:nekohtml_project:nekohtml:1.9.12:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Anekohtml_project&cpe_product=cpe%3A%2F%3Anekohtml_project%3Anekohtml&cpe_version=cpe%3A%2F%3Anekohtml_project%3Anekohtml%3A1.9.12" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2022-24839", + "severity" : "HIGH", + "cvssv2" : { + "score" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "2.9" + }, + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-400" ], + "description" : "org.cyberneko.html is an html parser written in Java. The fork of `org.cyberneko.html` used by Nokogiri (Rubygem) raises a `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup. Users are advised to upgrade to `>= 1.9.22.noko2`. Note: The upstream library `org.cyberneko.html` is no longer maintained. Nokogiri uses its own fork of this library located at https://github.com/sparklemotion/nekohtml and this CVE applies only to that fork. Other forks of nekohtml may have a similar vulnerability.", + "notes" : "", + "references" : [ { + "source" : "CONFIRM", + "url" : "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv", + "name" : "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "MISC", + "url" : "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d", + "name" : "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv", + "name" : "https://github.com/sparklemotion/nekohtml/security/advisories/GHSA-9849-p7jc-9rmv" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-24839?component-type=maven&component-name=net.sourceforge.nekohtml%2Fnekohtml&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-24839] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24839", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-24839" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:nekohtml_project:nekohtml:*:*:*:*:*:nokogiri:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "1.9.22.noko2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "servlet-api-2.3.jar", + "filePath" : "/home/wtwhite/.m2/repository/javax/servlet/servlet-api/2.3/servlet-api-2.3.jar", + "md5" : "c097f777c6fd453277c6891b3bb4dc09", + "sha1" : "0137a24e9f62973f01f16dd23fc1b5a9964fd9ef", + "sha256" : "8478b902d0815ed066db860fb14cc5d404548d4b6348ab930b46270fcddeba68", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "servlet-api" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "javax" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "javax" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "servlet" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "servlet" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "servlet-api" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "servlet-api" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "javax.servlet" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "servlet-api" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "javax" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "servlet" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "jar", + "name" : "package name", + "value" : "servlet" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "servlet-api" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "javax.servlet" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "2.3" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.3" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/javax.servlet/servlet-api@2.3", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/javax.servlet/servlet-api@2.3?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "xalan-2.7.0.jar", + "filePath" : "/home/wtwhite/.m2/repository/xalan/xalan/2.7.0/xalan-2.7.0.jar", + "md5" : "a018d032c21a873225e702b36b171a10", + "sha1" : "a33c0097f1c70b20fa7ded220ea317eb3500515e", + "sha256" : "bf1f065efd6e3d5cb964db4130815752015873338999d23dcafc2dbc89fc7d9b", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xalan" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xalan" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: java_cup/runtime/", + "name" : "Implementation-Vendor", + "value" : "Princeton University" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/xsltc/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xml/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xpath/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xalan" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "xalan" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xalan" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xalan" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "runtime" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xalan" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xml" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xpath" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xsltc" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: java_cup/runtime/", + "name" : "Implementation-Title", + "value" : "runtime" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: java_cup/runtime/", + "name" : "Specification-Title", + "value" : "Runtime component of JCup" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/", + "name" : "Implementation-Title", + "value" : "org.apache.xalan" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/xsltc/", + "name" : "Implementation-Title", + "value" : "org.apache.xalan.xsltc" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/xsltc/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xml/", + "name" : "Implementation-Title", + "value" : "org.apache.xml" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xpath/", + "name" : "Implementation-Title", + "value" : "org.apache.xpath" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xalan" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xalan" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "2.7.0" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: java_cup/runtime/", + "name" : "Implementation-Version", + "value" : "2.7.0" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/", + "name" : "Implementation-Version", + "value" : "2.7.0" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xalan/xsltc/", + "name" : "Implementation-Version", + "value" : "2.7.0" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xml/", + "name" : "Implementation-Version", + "value" : "2.7.0" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xpath/", + "name" : "Implementation-Version", + "value" : "2.7.0" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.7.0" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/xalan/xalan@2.7.0", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/xalan/xalan@2.7.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:xalan-java:2.7.0:*:*:*:*:*:*:*", + "confidence" : "HIGHEST", + "url" : "https://nvd.nist.gov/vuln/search/results?form_type=Advanced&results_type=overview&search_type=all&cpe_vendor=cpe%3A%2F%3Aapache&cpe_product=cpe%3A%2F%3Aapache%3Axalan-java&cpe_version=cpe%3A%2F%3Aapache%3Axalan-java%3A2.7.0" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2014-0107", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.5, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "PARTIAL", + "integrityImpact" : "PARTIAL", + "availabilityImpact" : "PARTIAL", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.4" + }, + "cwes" : [ "CWE-264" ], + "description" : "The TransformerFactory in Apache Xalan-Java before 2.7.2 does not properly restrict access to certain properties when FEATURE_SECURE_PROCESSING is enabled, which allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources via a crafted (1) xalan:content-header, (2) xalan:entities, (3) xslt:content-header, or (4) xslt:entities property, or a Java property that is bound to the XSLT 1.0 system-property function.", + "notes" : "", + "references" : [ { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59369", + "name" : "59369" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59711", + "name" : "59711" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201604-02", + "name" : "GLSA-201604-02" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r2900489bc665a2e32d021bb21f6ce2cb8e6bb5973490eebb9a346bca@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20210823 [Bug 65516] upgrade to xalan 2.7.2 to address CVE-2014-0107" + }, { + "source" : "CONFIRM", + "url" : "https://www.tenable.com/security/tns-2018-15", + "name" : "https://www.tenable.com/security/tns-2018-15" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20191021 [jira] [Created] (DRILL-7416) Updates required to dependencies to resolve potential security vulnerabilities" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1034716", + "name" : "1034716" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/XALANJ-2435", + "name" : "https://issues.apache.org/jira/browse/XALANJ-2435" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59247", + "name" : "59247" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/XALANJ-2435", + "name" : "https://issues.apache.org/jira/browse/XALANJ-2435" + }, { + "source" : "CONFIRM", + "url" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755", + "name" : "https://h20566.www2.hpe.com/portal/site/hpsc/public/kb/docDisplay?docId=emr_na-c05324755" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21680703", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21680703" + }, { + "source" : "DEBIAN", + "url" : "http://www.debian.org/security/2014/dsa-2886", + "name" : "DSA-2886" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc?view=revision&revision=1581058", + "name" : "http://svn.apache.org/viewvc?view=revision&revision=1581058" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/57563", + "name" : "57563" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2015-1888.html", + "name" : "RHSA-2015:1888" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html", + "name" : "https://www.oracle.com/technetwork/security-advisory/cpuapr2019-5072813.html" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/66397", + "name" : "66397" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59036", + "name" : "59036" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-0348.html", + "name" : "RHSA-2014:0348" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1034711", + "name" : "1034711" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677145", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21677145" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59151", + "name" : "59151" + }, { + "source" : "MISC", + "url" : "http://www.ocert.org/advisories/ocert-2014-002.html", + "name" : "http://www.ocert.org/advisories/ocert-2014-002.html" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676093", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21676093" + }, { + "source" : "CONFIRM", + "url" : "http://www.ibm.com/support/docview.wss?uid=swg21677967", + "name" : "http://www.ibm.com/support/docview.wss?uid=swg21677967" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0107" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674334", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21674334" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59291", + "name" : "59291" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuoct2021.html", + "name" : "https://www.oracle.com/security-alerts/cpuoct2021.html" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2014-0107?component-type=maven&component-name=xalan%2Fxalan&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2014-0107] CWE-264: Permissions, Privileges, and Access Controls" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21681933", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21681933" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59290", + "name" : "59290" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442@%3Cdev.drill.apache.org%3E", + "name" : "[drill-dev] 20191017 Dependencies used by Drill contain known vulnerabilities" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/59515", + "name" : "59515" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r0c00afcab8f238562e27b3ae7b8af1913c62bc60838fb8b34c19e26b@%3Cdev.tomcat.apache.org%3E", + "name" : "[tomcat-dev] 20210823 [Bug 65516] New: upgrade to xalan 2.7.2 to address CVE-2014-0107" + }, { + "source" : "XF", + "url" : "https://exchange.xforce.ibmcloud.com/vulnerabilities/92023", + "name" : "apache-xalanjava-cve20140107-sec-bypass(92023)" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuoct2017-3236626.html" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/60502", + "name" : "60502" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-1351.html", + "name" : "RHSA-2014:1351" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html", + "name" : "http://www.oracle.com/technetwork/topics/security/cpujan2016-2367955.html" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "2.7.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:1.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.5.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.5.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.6.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:webcenter_sites:7.6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:webcenter_sites:11.1.1.8.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-34169", + "severity" : "HIGH", + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "HIGH", + "availabilityImpact" : "NONE", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-681" ], + "description" : "The Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets. This can be used to corrupt Java class files generated by the internal XSLTC compiler and execute arbitrary Java bytecode. Users are recommended to update to version 2.7.3 or later. Note: Java runtimes (such as OpenJDK) include repackaged copies of Xalan.", + "notes" : "", + "references" : [ { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2022/dsa-5188", + "name" : "DSA-5188" + }, { + "source" : "MISC", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/", + "name" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/L3XPOTPPBZIPFBZHQE5E7OW6PDACUMCJ/" + }, { + "source" : "MISC", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/", + "name" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/H4YNJSJ64NPCNKFPNBYITNZU5H3L4D6L/" + }, { + "source" : "MLIST", + "url" : "https://lists.debian.org/debian-lts-announce/2022/10/msg00024.html", + "name" : "[debian-lts-announce] 20221018 [SECURITY] [DLA 3155-1] bcel security update" + }, { + "source" : "OSSIndex", + "url" : "https://github.com/advisories/GHSA-9339-86wc-4qgf", + "name" : "https://github.com/advisories/GHSA-9339-86wc-4qgf" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2022/dsa-5256", + "name" : "DSA-5256" + }, { + "source" : "OSSIndex", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=2108554", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=2108554" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/07/20/2", + "name" : "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/11/07/2", + "name" : "[oss-security] 20221107 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing" + }, { + "source" : "MISC", + "url" : "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html", + "name" : "http://packetstormsecurity.com/files/168186/Xalan-J-XSLTC-Integer-Truncation.html" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-34169?component-type=maven&component-name=xalan%2Fxalan&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-34169] CWE-681: Incorrect Conversion between Numeric Types" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/07/19/5", + "name" : "[oss-security] 20220719 CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/10/18/2", + "name" : "[oss-security] 20221017 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34169", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-34169" + }, { + "source" : "OSSIndex", + "url" : "https://blog.noah.360.net/xalan-j-integer-truncation-reproduce-cve-2022-34169/", + "name" : "https://blog.noah.360.net/xalan-j-integer-truncation-reproduce-cve-2022-34169/" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/07/19/6", + "name" : "[oss-security] 20220719 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20220729-0009/", + "name" : "https://security.netapp.com/advisory/ntap-20220729-0009/" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2022/dsa-5192", + "name" : "DSA-5192" + }, { + "source" : "MISC", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/", + "name" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/YULPNO3PAWMEQQZV2C54I3H3ZOXFZUTB/" + }, { + "source" : "MISC", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/", + "name" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/KO3DXNKZ4EU3UZBT6AAR4XRKCD73KLMO/" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw", + "name" : "https://lists.apache.org/thread/12pxy4phsry6c34x2ol4fft6xlho4kyw" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "https://www.oracle.com/security-alerts/cpujul2022.html" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/07/20/3", + "name" : "[oss-security] 20220720 Re: CVE-2022-34169: Apache Xalan Java XSLT library is vulnerable to an integer truncation issue when processing malicious XSLT stylesheets" + }, { + "source" : "MISC", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/", + "name" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/I5OZNAZJ4YHLOKRRRZSWRT5OJ25E4XLM/" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/11/04/8", + "name" : "[oss-security] 20221104 Re: CVE-2022-42920: Apache Commons BCEL prior to 6.6.0 allows producing arbitrary bytecode via out-of-bounds writing" + }, { + "source" : "MISC", + "url" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/", + "name" : "https://lists.fedoraproject.org/archives/list/package-announce%40lists.fedoraproject.org/message/JN3EVGR7FD3ZLV5SBTJXUIDCMSK4QUE2/" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8", + "name" : "https://lists.apache.org/thread/2qvl7r43wb4t8p9dd9om1bnkssk07sn8" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xalan-java:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "2.7.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:6.47:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:7.54:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:8.62:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:11.56:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:13.48:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:15.40:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:17.34:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:azul:zulu:18.30:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:7-mode_transition_tool:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:vmware_vsphere:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:cloud_insights_acquisition_unit:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:cloud_secure_agent:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:hci_management_node:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:oncommand_insight:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:solidfire:-:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:graalvm:20.3.6:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:graalvm:21.3.2:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:graalvm:22.1.0:*:*:*:enterprise:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.7.0:update343:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.8.0:update333:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:11.0.15.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:17.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:18.0.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.7.0:update343:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.8.0:update333:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:11.0.15.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:17.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:18.0.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "11", + "versionEndIncluding" : "11.0.15" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "13", + "versionEndIncluding" : "13.0.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "15", + "versionEndIncluding" : "15.0.7" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17", + "versionEndIncluding" : "17.0.3" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:-:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update10:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update101:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update11:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update111:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update121:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update13:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update131:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update141:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update15:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update151:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update161:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update17:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update171:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update181:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update191:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update201:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update21:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update211:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update221:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update231:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update241:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update25:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update251:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update261:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update271:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update281:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update291:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update3:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update301:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update311:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update321:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update4:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update40:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update45:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update51:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update55:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update6:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update60:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update65:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update67:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update7:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update72:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update76:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update80:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update85:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update9:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update91:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update95:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update97:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:7:update99:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:-:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone1:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone2:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone3:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone4:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone6:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone7:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone8:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:milestone9:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update101:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update102:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update11:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update111:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update112:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update121:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update131:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update141:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update151:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update152:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update161:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update162:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update171:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update172:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update181:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update191:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update192:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update20:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update201:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update202:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update211:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update212:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update221:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update222:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update231:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update232:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update241:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update242:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update25:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update252:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update262:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update271:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update281:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update282:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update291:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update301:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update302:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update31:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update312:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update322:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update332:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update40:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update45:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update5:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update51:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update60:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update65:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update66:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update71:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update72:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update73:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update74:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update77:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update91:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:8:update92:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:openjdk:18:*:*:*:*:*:*:*" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "xercesImpl-2.8.0.jar", + "filePath" : "/home/wtwhite/.m2/repository/xerces/xercesImpl/2.8.0/xercesImpl-2.8.0.jar", + "md5" : "7eb2db331a62e74744ab79aab5b454bd", + "sha1" : "cfd3ebe2f8034e660344f9108c3e2daf78c29cc3", + "sha256" : "13bb155eb24f03229798b3fb409d3a2c47e332d79c34d4b4b1ad39b0a917f3b8", + "description" : "\n Xerces2 is the next generation of high performance, fully compliant XML parsers in the\n Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI),\n a complete framework for building parser components and configurations that is extremely\n modular and easy to program.\n ", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xercesImpl" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "parser" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "parsers" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "version" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xerces" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xml" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xni" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xerces/impl/Version.class", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xerces/xni/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/ls/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/xml/sax/", + "name" : "Implementation-Vendor", + "value" : "David Megginson" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xercesImpl" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "xercesImpl" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xerces" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Xerces2 Java Parser" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://xerces.apache.org/xerces2-j" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xercesImpl" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "hint analyzer", + "name" : "product", + "value" : "xerces-j" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "datatype" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "dom" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "impl" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "parser" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "parsers" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "validation" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "version" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "w3c" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xerces" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xml" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xni" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xpath" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Implementation-Title", + "value" : "javax.xml.datatype" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Implementation-Title", + "value" : "javax.xml.parsers" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Implementation-Title", + "value" : "javax.xml.transform" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Implementation-Title", + "value" : "javax.xml.validation" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Implementation-Title", + "value" : "javax.xml.xpath" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Specification-Title", + "value" : "Java API for XML Processing" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xerces/impl/Version.class", + "name" : "Implementation-Title", + "value" : "org.apache.xerces.impl.Version" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xerces/xni/", + "name" : "Implementation-Title", + "value" : "org.apache.xerces.xni" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xerces/xni/", + "name" : "Specification-Title", + "value" : "Xerces Native Interface" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/", + "name" : "Implementation-Title", + "value" : "org.w3c.dom" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/", + "name" : "Specification-Title", + "value" : "Document Object Model, Level 3 Core" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/ls/", + "name" : "Implementation-Title", + "value" : "org.w3c.dom.ls" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/ls/", + "name" : "Specification-Title", + "value" : "Document Object Model, Level 3 Load and Save" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/xml/sax/", + "name" : "Implementation-Title", + "value" : "org.xml.sax" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/xml/sax/", + "name" : "Specification-Title", + "value" : "Simple API for XML" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xercesImpl" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xerces" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "Xerces2 Java Parser" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://xerces.apache.org/xerces2-j" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "2.8.0" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xerces/impl/Version.class", + "name" : "Implementation-Version", + "value" : "2.8.0" + }, { + "type" : "version", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-version", + "value" : "2.8.0" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "2.8.0" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/xerces/xercesImpl@2.8.0", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/xerces/xercesImpl@2.8.0?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ], + "vulnerabilityIds" : [ { + "id" : "cpe:2.3:a:apache:xerces-j:2.8.0:*:*:*:*:*:*:*", + "confidence" : "LOW" + }, { + "id" : "cpe:2.3:a:apache:xerces2_java:2.8.0:*:*:*:*:*:*:*", + "confidence" : "LOW" + } ], + "vulnerabilities" : [ { + "source" : "NVD", + "name" : "CVE-2012-0881", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.8, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "6.9" + }, + "cvssv3" : { + "baseScore" : 7.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "HIGH", + "exploitabilityScore" : "3.9", + "impactScore" : "3.6", + "version" : "3.0" + }, + "cwes" : [ "CWE-399" ], + "description" : "Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.", + "notes" : "", + "references" : [ { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/b0656d359c7d40ec9f39c8cc61bca66802ef9a2a12ee199f5b0c1442%40%3Cdev.drill.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "https://issues.apache.org/jira/browse/XERCESJ-1685", + "name" : "https://issues.apache.org/jira/browse/XERCESJ-1685" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2012-0881?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2012-0881] CWE-399" + }, { + "source" : "CONFIRM", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=787104", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=787104" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73%40%3Cj-users.xerces.apache.org%3E" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0881", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-0881" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/f9bc3e55f4e28d1dcd1a69aae6d53e609a758e34d2869b4d798e13cc%40%3Cissues.drill.apache.org%3E" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2014/07/08/11", + "name" : "[oss-security] 20140708 Summer bug cleaning - some Hash DoS stuff" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/519eb0fd45642dcecd9ff74cb3e71c20a4753f7d82e2f07864b5108f%40%3Cdev.drill.apache.org%3E" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5%40%3Csolr-user.lucene.apache.org%3E" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/XERCESJ-1685", + "name" : "https://issues.apache.org/jira/browse/XERCESJ-1685" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com//security-alerts/cpujul2021.html", + "name" : "N/A" + }, { + "source" : "MISC", + "url" : "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E", + "name" : "https://lists.apache.org/thread.html/rea7b831dceeb2a2fa817be6f63b08722042e3647fb2d47c144370a56%40%3Ccommon-issues.hadoop.apache.org%3E" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xerces2_java:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "2.11.0" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2013-4002", + "severity" : "HIGH", + "cvssv2" : { + "score" : 7.1, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "6.9" + }, + "cwes" : [ "NVD-CWE-noinfo" ], + "description" : "XMLscanner.java in Apache Xerces2 Java Parser before 2.12.0, as used in the Java Runtime Environment (JRE) in IBM Java 5.0 before 5.0 SR16-FP3, 6 before 6 SR14, 6.0.1 before 6.0.1 SR6, and 7 before 7 SR5 as well as Oracle Java SE 7u40 and earlier, Java SE 6u60 and earlier, Java SE 5.0u51 and earlier, JRockit R28.2.8 and earlier, JRockit R27.7.6 and earlier, Java SE Embedded 7u40 and earlier, and possibly other products allows remote attackers to cause a denial of service via vectors related to XML attribute names.", + "notes" : "", + "references" : [ { + "source" : "APPLE", + "url" : "http://lists.apple.com/archives/security-announce/2013/Oct/msg00001.html", + "name" : "APPLE-SA-2013-10-15-1" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "CONFIRM", + "url" : "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002", + "name" : "http://www.ibm.com/connections/blogs/PSIRT/entry/security_bulletin_ibm_filenet_content_manager_and_ibm_content_foundation_xml_4j_denial_of_service_attack_cve_2013_4002" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1505.html", + "name" : "RHSA-2013:1505" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00000.html", + "name" : "SUSE-SU-2013:1293" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1440.html", + "name" : "RHSA-2013:1440" + }, { + "source" : "CONFIRM", + "url" : "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html", + "name" : "https://www.oracle.com/technetwork/topics/security/cpuoct2013-1899837.html" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1081.html", + "name" : "RHSA-2013:1081" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1059.html", + "name" : "RHSA-2013:1059" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21657539", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21657539" + }, { + "source" : "CONFIRM", + "url" : "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch", + "name" : "http://svn.apache.org/viewvc/xerces/java/trunk/src/org/apache/xerces/impl/XMLScanner.java?r1=965250&r2=1499506&view=patch" + }, { + "source" : "AIXAPAR", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg1IC98015", + "name" : "IC98015" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21644197", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21644197" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-1822.html", + "name" : "RHSA-2014:1822" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-11/msg00010.html", + "name" : "SUSE-SU-2013:1666" + }, { + "source" : "CONFIRM", + "url" : "http://support.apple.com/kb/HT5982", + "name" : "http://support.apple.com/kb/HT5982" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-updates/2013-11/msg00023.html", + "name" : "openSUSE-SU-2013:1663" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1451.html", + "name" : "RHSA-2013:1451" + }, { + "source" : "OSSIndex", + "url" : "https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3COF3B40F5F7.E6552A8B-ON85257D73.00699ED7-85257D73.006A999B@ca.ibm.com%3E", + "name" : "https://mail-archives.apache.org/mod_mbox/xerces-j-dev/201410.mbox/%3COF3B40F5F7.E6552A8B-ON85257D73.00699ED7-85257D73.006A999B@ca.ibm.com%3E" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00026.html", + "name" : "SUSE-SU-2013:1255" + }, { + "source" : "SECUNIA", + "url" : "http://secunia.com/advisories/56257", + "name" : "56257" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00027.html", + "name" : "SUSE-SU-2013:1256" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1060.html", + "name" : "RHSA-2013:1060" + }, { + "source" : "CONFIRM", + "url" : "http://www-01.ibm.com/support/docview.wss?uid=swg21653371", + "name" : "http://www-01.ibm.com/support/docview.wss?uid=swg21653371" + }, { + "source" : "MISC", + "url" : "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013", + "name" : "http://www.ibm.com/developerworks/java/jdk/alerts/#IBM_Security_Update_July_2013" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00029.html", + "name" : "SUSE-SU-2013:1263" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2013-1447.html", + "name" : "RHSA-2013:1447" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-1823.html", + "name" : "RHSA-2014:1823" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2015-0773.html", + "name" : "RHSA-2015:0773" + }, { + "source" : "XF", + "url" : "https://exchange.xforce.ibmcloud.com/vulnerabilities/85260", + "name" : "ibm-java-cve20134002-dos(85260)" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-07/msg00028.html", + "name" : "SUSE-SU-2013:1257" + }, { + "source" : "CONFIRM", + "url" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html", + "name" : "http://www.hitachi.co.jp/Prod/comp/soft1/global/security/info/vuls/HS13-025/index.html" + }, { + "source" : "OSSIndex", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=1019176", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=1019176" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/61310", + "name" : "61310" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/708d94141126eac03011144a971a6411fcac16d9c248d1d535a39451@%3Csolr-user.lucene.apache.org%3E", + "name" : "[lucene-solr-user] 20190104 Re: SOLR v7 Security Issues Caused Denial of Use - Sonatype Application Composition Report" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2013-4002?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2013-4002] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')" + }, { + "source" : "SUSE", + "url" : "http://lists.opensuse.org/opensuse-security-announce/2013-08/msg00003.html", + "name" : "SUSE-SU-2013:1305" + }, { + "source" : "GENTOO", + "url" : "http://security.gentoo.org/glsa/glsa-201406-32.xml", + "name" : "GLSA-201406-32" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2014:0414", + "name" : "RHSA-2014:0414" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-1818.html", + "name" : "RHSA-2014:1818" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=138674031212883&w=2", + "name" : "HPSBUX02943" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2089-1", + "name" : "USN-2089-1" + }, { + "source" : "HP", + "url" : "http://marc.info/?l=bugtraq&m=138674073720143&w=2", + "name" : "HPSBUX02944" + }, { + "source" : "UBUNTU", + "url" : "http://www.ubuntu.com/usn/USN-2033-1", + "name" : "USN-2033-1" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2015-0720.html", + "name" : "RHSA-2015:0720" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4002", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-4002" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2014-1821.html", + "name" : "RHSA-2014:1821" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r204ba2a9ea750f38d789d2bb429cc0925ad6133deea7cbc3001d96b5@%3Csolr-user.lucene.apache.org%3E", + "name" : "[lucene-solr-user] 20200320 CVEs (vulnerabilities) that apply to Solr 8.4.1" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2015-0675.html", + "name" : "RHSA-2015:0675" + }, { + "source" : "REDHAT", + "url" : "http://rhn.redhat.com/errata/RHSA-2015-0765.html", + "name" : "RHSA-2015:0765" + }, { + "source" : "CONFIRM", + "url" : "https://issues.apache.org/jira/browse/XERCESJ-1679", + "name" : "https://issues.apache.org/jira/browse/XERCESJ-1679" + }, { + "source" : "CONFIRM", + "url" : "http://www.ibm.com/support/docview.wss?uid=swg21648172", + "name" : "http://www.ibm.com/support/docview.wss?uid=swg21648172" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E", + "name" : "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xerces2_java:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionStartIncluding" : "2.4.0", + "versionEndExcluding" : "2.12.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.5.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.6.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:host_on-demand:11.0.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.11.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.11.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.11.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.12.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.12.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.12.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.12.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.12.5:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.13.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.14.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.15.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.16.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.16.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:5.0.16.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.5.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.6.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.8.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.8.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.9.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.9.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.9.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.10.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.11.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.12.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.13.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.13.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:6.0.13.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.0.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.4.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:java:7.0.4.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:sterling_b2b_integrator:5.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:sterling_b2b_integrator:5.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:sterling_b2b_integrator:5.2.4:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:sterling_file_gateway:2.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:sterling_file_gateway:2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:ibm:tivoli_application_dependency_discovery_manager:7.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.5.0:update51:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.6.0:update60:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.7.0:update40:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.5.0:update51:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.6.0:update60:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.7.0:update40:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "r27.7.0", + "versionEndIncluding" : "r27.7.6" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jrockit:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "r28.0.0", + "versionEndIncluding" : "r28.2.8" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2022-23437", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 7.1, + "accessVector" : "NETWORK", + "accessComplexity" : "MEDIUM", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "COMPLETE", + "severity" : "HIGH", + "version" : "2.0", + "exploitabilityScore" : "8.6", + "impactScore" : "6.9", + "userInteractionRequired" : "true" + }, + "cvssv3" : { + "baseScore" : 6.5, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "REQUIRED", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "HIGH", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "2.8", + "impactScore" : "3.6", + "version" : "3.1" + }, + "cwes" : [ "CWE-835" ], + "description" : "There's a vulnerability within the Apache Xerces Java (XercesJ) XML parser when handling specially crafted XML document payloads. This causes, the XercesJ XML parser to wait in an infinite loop, which may sometimes consume system resources for prolonged duration. This vulnerability is present within XercesJ version 2.12.1 and the previous versions.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl", + "name" : "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl" + }, { + "source" : "MISC", + "url" : "https://www.oracle.com/security-alerts/cpuapr2022.html", + "name" : "https://www.oracle.com/security-alerts/cpuapr2022.html" + }, { + "source" : "MLIST", + "url" : "http://www.openwall.com/lists/oss-security/2022/01/24/3", + "name" : "[oss-security] 20220124 CVE-2022-23437: Infinite loop within Apache XercesJ xml parser" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20221028-0005/", + "name" : "https://security.netapp.com/advisory/ntap-20221028-0005/" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23437", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2022-23437" + }, { + "source" : "N/A", + "url" : "https://www.oracle.com/security-alerts/cpujul2022.html", + "name" : "N/A" + }, { + "source" : "OSSIndex", + "url" : "http://www.openwall.com/lists/oss-security/2022/01/24/3", + "name" : "http://www.openwall.com/lists/oss-security/2022/01/24/3" + }, { + "source" : "CONFIRM", + "url" : "https://lists.apache.org/thread/6pjwm10bb69kq955fzr1n0nflnjd27dl", + "name" : "N/A" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2022-23437?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2022-23437] CWE-835: Loop with Unreachable Exit Condition ('Infinite Loop')" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndIncluding" : "2.12.1" + } + }, { + "software" : { + "id" : "cpe:2.3:a:netapp:active_iq_unified_manager:-:*:*:*:*:windows:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_engineering_data_management:6.2.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:agile_plm:9.3.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_deposits_and_lines_of_credit_servicing:2.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:banking_party_management:2.7.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_asap:7.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_element_manager:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_session_report_manager:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:communications_session_route_manager:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "9.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.6.0.0", + "versionEndIncluding" : "8.0.9.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_analytical_applications_infrastructure:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.1.0.0", + "versionEndExcluding" : "8.1.2.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "8.0.6.0.0", + "versionEndIncluding" : "8.0.8.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_behavior_detection_platform:8.1.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_crime_and_compliance_management_studio:8.0.8.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.7.2.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.0.8.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:financial_services_enterprise_case_management:8.1.1.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:flexcube_universal_banking:12.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "13.9.4.2.2" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:global_lifecycle_management_nextgen_oui_framework:13.9.4.2.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:global_lifecycle_management_opatch:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "12.2.0.1.30" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:health_sciences_information_manager:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "3.0.1", + "versionEndIncluding" : "3.0.5" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:health_sciences_information_manager:3.0.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:ilearning:6.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:ilearning:6.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.58:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:peoplesoft_enterprise_peopletools:8.59:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "17.7", + "versionEndIncluding" : "17.12.11" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "18.8.0", + "versionEndIncluding" : "18.8.14" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "19.12.0", + "versionEndIncluding" : "19.12.13" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:primavera_gateway:*:*:*:*:*:*:*:*", + "versionStartIncluding" : "20.12.0", + "versionEndIncluding" : "20.12.8" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:product_lifecycle_analytics:3.6.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_bulk_data_integration:16.0.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_extract_transform_and_load:13.2.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_financial_integration:14.1.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_financial_integration:15.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_financial_integration:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_financial_integration:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:14.1.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:15.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_integration_bus:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_merchandising_system:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_merchandising_system:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:14.1.3.2:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:15.0.3.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:16.0.3:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:retail_service_backbone:19.0.1:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.3.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:12.2.1.4.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:weblogic_server:14.1.1.0.0:*:*:*:*:*:*:*" + } + } ] + }, { + "source" : "OSSINDEX", + "name" : "CVE-2017-10355", + "severity" : "MEDIUM", + "cvssv3" : { + "baseScore" : 5.9, + "attackVector" : "N", + "attackComplexity" : "H", + "privilegesRequired" : "N", + "userInteraction" : "N", + "scope" : "U", + "confidentialityImpact" : "N", + "integrityImpact" : "N", + "availabilityImpact" : "H", + "baseSeverity" : "MEDIUM" + }, + "cwes" : [ "CWE-833" ], + "description" : "sonatype-2017-0348 - xerces:xercesImpl - Denial of Service (DoS)\n\nThe software contains multiple threads or executable segments that are waiting for each other to release a necessary lock, resulting in deadlock.", + "notes" : "", + "references" : [ { + "source" : "OSSIndex", + "url" : "https://blogs.securiteam.com/index.php/archives/3271", + "name" : "https://blogs.securiteam.com/index.php/archives/3271" + }, { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2017-10355?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2017-10355] CWE-833: Deadlock" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:xerces:xercesImpl:2.8.0:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + }, { + "source" : "NVD", + "name" : "CVE-2018-2799", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 5.0, + "accessVector" : "NETWORK", + "accessComplexity" : "LOW", + "authenticationr" : "NONE", + "confidentialImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "PARTIAL", + "severity" : "MEDIUM", + "version" : "2.0", + "exploitabilityScore" : "10.0", + "impactScore" : "2.9" + }, + "cvssv3" : { + "baseScore" : 5.3, + "attackVector" : "NETWORK", + "attackComplexity" : "LOW", + "privilegesRequired" : "NONE", + "userInteraction" : "NONE", + "scope" : "UNCHANGED", + "confidentialityImpact" : "NONE", + "integrityImpact" : "NONE", + "availabilityImpact" : "LOW", + "baseSeverity" : "MEDIUM", + "exploitabilityScore" : "3.9", + "impactScore" : "1.4", + "version" : "3.1" + }, + "cwes" : [ "NVD-CWE-noinfo" ], + "description" : "Vulnerability in the Java SE, Java SE Embedded, JRockit component of Oracle Java SE (subcomponent: JAXP). Supported versions that are affected are Java SE: 7u171, 8u162 and 10; Java SE Embedded: 8u161; JRockit: R28.3.17. Easily exploitable vulnerability allows unauthenticated attacker with network access via multiple protocols to compromise Java SE, Java SE Embedded, JRockit. Successful attacks of this vulnerability can result in unauthorized ability to cause a partial denial of service (partial DOS) of Java SE, Java SE Embedded, JRockit. Note: Applies to client and server deployment of Java. This vulnerability can be exploited through sandboxed Java Web Start applications and sandboxed Java applets. It can also be exploited by supplying data to APIs in the specified Component without using sandboxed Java Web Start applications or sandboxed Java applets, such as through a web service. CVSS 3.0 Base Score 5.3 (Availability impacts). CVSS Vector: (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L).", + "notes" : "", + "references" : [ { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/r449b5d89c7b2ba3762584cf6c38e01867d4b24706e023cf2a9911307@%3Cuser.spark.apache.org%3E", + "name" : "[spark-user] 20200224 [SPARK Dependencies] Security Vulnerability with Xerces version < 2.12" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1188", + "name" : "RHSA-2018:1188" + }, { + "source" : "CONFIRM", + "url" : "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03857en_us", + "name" : "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03857en_us" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2018/dsa-4185", + "name" : "DSA-4185" + }, { + "source" : "GENTOO", + "url" : "https://security.gentoo.org/glsa/201903-14", + "name" : "GLSA-201903-14" + }, { + "source" : "BID", + "url" : "http://www.securityfocus.com/bid/103872", + "name" : "103872" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1201", + "name" : "RHSA-2018:1201" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1278", + "name" : "RHSA-2018:1278" + }, { + "source" : "CONFIRM", + "url" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html", + "name" : "http://www.oracle.com/technetwork/security-advisory/cpuapr2018-3678067.html" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1202", + "name" : "RHSA-2018:1202" + }, { + "source" : "UBUNTU", + "url" : "https://usn.ubuntu.com/3691-1/", + "name" : "USN-3691-1" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1975", + "name" : "RHSA-2018:1975" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1721", + "name" : "RHSA-2018:1721" + }, { + "source" : "SECTRACK", + "url" : "http://www.securitytracker.com/id/1040697", + "name" : "1040697" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1204", + "name" : "RHSA-2018:1204" + }, { + "source" : "CONFIRM", + "url" : "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0", + "name" : "https://help.ecostruxureit.com/display/public/UADCE725/Security+fixes+in+StruxureWare+Data+Center+Expert+v7.6.0" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1723", + "name" : "RHSA-2018:1723" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1974", + "name" : "RHSA-2018:1974" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1206", + "name" : "RHSA-2018:1206" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1722", + "name" : "RHSA-2018:1722" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1191", + "name" : "RHSA-2018:1191" + }, { + "source" : "UBUNTU", + "url" : "https://usn.ubuntu.com/3644-1/", + "name" : "USN-3644-1" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1724", + "name" : "RHSA-2018:1724" + }, { + "source" : "CONFIRM", + "url" : "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03915en_us", + "name" : "https://support.hpe.com/hpsc/doc/public/display?docLocale=en_US&docId=emr_na-hpesbst03915en_us" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/b53d4601ecd9ec63c799dbe1bc5b78e0d52f4cef429da2dfe63cf06d@%3Cfop-dev.xmlgraphics.apache.org%3E", + "name" : "[xmlgraphics-fop-dev] 20191018 [jira] [Created] (FOP-2885) Security Vulnerability with Xerces version <= 2.11" + }, { + "source" : "REDHAT", + "url" : "https://access.redhat.com/errata/RHSA-2018:1270", + "name" : "RHSA-2018:1270" + }, { + "source" : "CONFIRM", + "url" : "https://security.netapp.com/advisory/ntap-20180419-0001/", + "name" : "https://security.netapp.com/advisory/ntap-20180419-0001/" + }, { + "source" : "MLIST", + "url" : "https://lists.apache.org/thread.html/49dc6702104a86ecbb40292dcd329ce9ae4c32b74733199ecab14a73@%3Cj-users.xerces.apache.org%3E", + "name" : "[j-users] 20180503 [ANNOUNCEMENT]: Apache Xerces-J 2.12.0 now available" + }, { + "source" : "DEBIAN", + "url" : "https://www.debian.org/security/2018/dsa-4225", + "name" : "DSA-4225" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:apache:xerces-j:*:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true", + "versionEndExcluding" : "2.12.0" + } + }, { + "software" : { + "id" : "cpe:2.3:a:hp:xp7_command_view:*:*:*:*:advanced:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.7.0:update171:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.8.0:update162:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jdk:1.10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.7.0:update171:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.8.0:update162:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jre:1.10.0:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:oracle:jrockit:r28.3.17:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:redhat:satellite:5.6:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:redhat:satellite:5.7:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:redhat:satellite:5.8:*:*:*:*:*:*:*" + } + }, { + "software" : { + "id" : "cpe:2.3:a:schneider-electric:struxureware_data_center_expert:*:*:*:*:*:*:*:*", + "versionEndExcluding" : "7.6.0" + } + } ] + }, { + "source" : "OSSINDEX", + "name" : "CVE-2009-2625", + "severity" : "MEDIUM", + "cvssv2" : { + "score" : 5.0, + "accessVector" : "N", + "accessComplexity" : "L", + "authenticationr" : "N", + "confidentialImpact" : "N", + "integrityImpact" : "N", + "availabilityImpact" : "P", + "severity" : "MEDIUM" + }, + "cwes" : [ "CWE-400" ], + "description" : "XMLScanner.java in Apache Xerces2 Java, as used in Sun Java Runtime Environment (JRE) in JDK and JRE 6 before Update 15 and JDK and JRE 5.0 before Update 20, and in other products, allows remote attackers to cause a denial of service (infinite loop and application hang) via malformed XML input, as demonstrated by the Codenomicon XML fuzzing framework.", + "notes" : "", + "references" : [ { + "source" : "OSSINDEX", + "url" : "https://ossindex.sonatype.org/vulnerability/CVE-2009-2625?component-type=maven&component-name=xerces%2FxercesImpl&utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1", + "name" : "[CVE-2009-2625] CWE-400: Uncontrolled Resource Consumption ('Resource Exhaustion')" + }, { + "source" : "OSSIndex", + "url" : "http://www.codenomicon.com/labs/xml/", + "name" : "http://www.codenomicon.com/labs/xml/" + }, { + "source" : "OSSIndex", + "url" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625", + "name" : "http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-2625" + }, { + "source" : "OSSIndex", + "url" : "https://bugzilla.redhat.com/show_bug.cgi?id=512921", + "name" : "https://bugzilla.redhat.com/show_bug.cgi?id=512921" + } ], + "vulnerableSoftware" : [ { + "software" : { + "id" : "cpe:2.3:a:xerces:xercesImpl:2.8.0:*:*:*:*:*:*:*", + "vulnerabilityIdMatched" : "true" + } + } ] + } ] + }, { + "isVirtual" : false, + "fileName" : "xml-apis-1.3.03.jar", + "filePath" : "/home/wtwhite/.m2/repository/xml-apis/xml-apis/1.3.03/xml-apis-1.3.03.jar", + "md5" : "6dee9238dd2900171197104951940778", + "sha1" : "3845d5aabd62dc1954f2c0e84a799068c917ad2b", + "sha256" : "ec225a1c66d4505fecd1ad7644ce4477e626f439fd9230dbf8338cebdfc3a0e5", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xml-apis" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xml" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xmlcommons/Version", + "name" : "Implementation-Vendor", + "value" : "Apache Software Foundation" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/ls/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/xml/sax/", + "name" : "Implementation-Vendor", + "value" : "David Megginson" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xml-apis" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "xml-apis" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xml-apis" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://xml.apache.org/commons/#external" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xml-apis" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "datatype" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "document" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "dom" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "javax" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "ls" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "parsers" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "sax" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "transform" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "validation" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "version" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "w3c" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xml" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xmlcommons" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xpath" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Implementation-Title", + "value" : "javax.xml.datatype" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Specification-Title", + "value" : "JSR 206 Java API for XML Processing 1.3" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Implementation-Title", + "value" : "javax.xml.parsers" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Specification-Title", + "value" : "JSR 206, Java API for XML Processing 1.3" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Implementation-Title", + "value" : "javax.xml.transform" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Specification-Title", + "value" : "JSR 206 Java API for XML Processing 1.3" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Implementation-Title", + "value" : "javax.xml.validation" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Specification-Title", + "value" : "JSR 206 Java API for XML Processing 1.3" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Implementation-Title", + "value" : "javax.xml.xpath" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Specification-Title", + "value" : "JSR 206 Java API for XML Processing 1.3" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xmlcommons/Version", + "name" : "Implementation-Title", + "value" : "org.apache.xmlcommons.Version" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/", + "name" : "Implementation-Title", + "value" : "org.w3c.dom" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/", + "name" : "Specification-Title", + "value" : "Document Object Model (DOM) Level 3 Core" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/ls/", + "name" : "Implementation-Title", + "value" : "org.w3c.dom.ls" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/ls/", + "name" : "Specification-Title", + "value" : "Document Object Model (DOM) Level 3 Load and Save" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/xml/sax/", + "name" : "Implementation-Title", + "value" : "org.xml.sax" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/xml/sax/", + "name" : "Specification-Title", + "value" : "Simple API for XML" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xml-apis" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xml-apis" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://xml.apache.org/commons/#external" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/datatype/", + "name" : "Implementation-Version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/parsers/", + "name" : "Implementation-Version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/transform/", + "name" : "Implementation-Version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/validation/", + "name" : "Implementation-Version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: javax/xml/xpath/", + "name" : "Implementation-Version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: org/apache/xmlcommons/Version", + "name" : "Implementation-Version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-version", + "value" : "1.3.03" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.3.03" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/xml-apis/xml-apis@1.3.03", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/xml-apis/xml-apis@1.3.03?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "xml-apis-ext-1.3.04.jar", + "filePath" : "/home/wtwhite/.m2/repository/xml-apis/xml-apis-ext/1.3.04/xml-apis-ext-1.3.04.jar", + "md5" : "bcb07d3b8d2397db7a3013b6465d347b", + "sha1" : "41a8b86b358e87f3f13cf46069721719105aff66", + "sha256" : "d0b4887dc34d57de49074a58affad439a013d0baffa1a8034f8ef2a5ea191646", + "description" : "xml-commons provides an Apache-hosted set of DOM, SAX, and \n JAXP interfaces for use in other xml-based projects. Our hope is that we \n can standardize on both a common version and packaging scheme for these \n critical XML standards interfaces to make the lives of both our developers \n and users easier. The External Components portion of xml-commons contains \n interfaces that are defined by external standards organizations. For DOM, \n that's the W3C; for SAX it's David Megginson and sax.sourceforge.net; for \n JAXP it's Sun.", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xml-apis-ext" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "dom" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "w3c" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/css/sac/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/smil/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/svg/", + "name" : "Implementation-Vendor", + "value" : "World Wide Web Consortium" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xml-apis-ext" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "xml-apis-ext" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xml-apis" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "XML Commons External Components XML APIs Extensions" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "apache" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://xml.apache.org/commons/components/external/" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xml-apis-ext" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "css" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "dom" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "sac" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "smil" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "svg" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "w3c" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/css/sac/", + "name" : "Implementation-Title", + "value" : "org.w3c.css.sac" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/css/sac/", + "name" : "Specification-Title", + "value" : "Simple API for CSS" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/smil/", + "name" : "Implementation-Title", + "value" : "org.w3c.dom.smil" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/smil/", + "name" : "Specification-Title", + "value" : "Document Object Model (DOM) for Synchronized Multimedia Integration Language (SMIL)" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/svg/", + "name" : "Implementation-Title", + "value" : "org.w3c.dom.svg" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: org/w3c/dom/svg/", + "name" : "Specification-Title", + "value" : "Document Object Model (DOM) for Scalable Vector Graphics (SVG)" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xml-apis-ext" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xml-apis" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "XML Commons External Components XML APIs Extensions" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-artifactid", + "value" : "apache" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "parent-groupid", + "value" : "org.apache" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://xml.apache.org/commons/components/external/" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.3.04" + }, { + "type" : "version", + "confidence" : "LOW", + "source" : "pom", + "name" : "parent-version", + "value" : "1.3.04" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.3.04" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/xml-apis/xml-apis-ext@1.3.04", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/xml-apis/xml-apis-ext@1.3.04?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + }, { + "isVirtual" : false, + "fileName" : "xom-1.2.5.jar", + "filePath" : "/home/wtwhite/.m2/repository/xom/xom/1.2.5/xom-1.2.5.jar", + "md5" : "91b16b5b53ae0804671a57dbf7623fad", + "sha1" : "4166493b9f04e91b858ba4150b28b4d197f8f8ea", + "sha256" : "0e22c49ab86a6533299160b95db9201fd7040f4f082e90d563ca7e8d972bbe3a", + "description" : "The XOM Dual Streaming/Tree API for Processing XML", + "license" : "The GNU Lesser General Public License, Version 2.1: http://www.gnu.org/licenses/lgpl-2.1.html", + "projectReferences" : [ "CVE-2013-5960:compile" ], + "includedBy" : [ { + "reference" : "pkg:maven/org.owasp.esapi/esapi@2.1.0" + } ], + "evidenceCollected" : { + "vendorEvidence" : [ { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xom" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "nu" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xom" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-requiredexecutionenvironment", + "value" : "J2SE-1.2" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "nu.xom" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Vendor", + "value" : "Elliotte Rusty Harold" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "specification-vendor", + "value" : "Elliotte Rusty Harold" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/", + "name" : "Implementation-Vendor", + "value" : "Elliotte Rusty Harold" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/jaxen/", + "name" : "Implementation-Vendor", + "value" : "CodeHaus" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xom" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "artifactid", + "value" : "xom" + }, { + "type" : "vendor", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "elharo@ibiblio.org" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer id", + "value" : "elharo" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer name", + "value" : "Elliotte Rusty Harold" + }, { + "type" : "vendor", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "developer org", + "value" : "Cafe au Lait" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xom" + }, { + "type" : "vendor", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "XOM" + }, { + "type" : "vendor", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "url", + "value" : "http://xom.nu" + } ], + "productEvidence" : [ { + "type" : "product", + "confidence" : "HIGH", + "source" : "file", + "name" : "name", + "value" : "xom" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "canonical" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "converters" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "jaxen" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "nu" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xinclude" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xom" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xpath" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "jar", + "name" : "package name", + "value" : "xslt" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "Bundle-Name", + "value" : "XOM" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "Manifest", + "name" : "bundle-requiredexecutionenvironment", + "value" : "J2SE-1.2" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "bundle-symbolicname", + "value" : "nu.xom" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Title", + "value" : "XOM" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "Manifest", + "name" : "specification-title", + "value" : "XOM" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/", + "name" : "Implementation-Title", + "value" : "nu.xom" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/", + "name" : "Specification-Title", + "value" : "XOM core classes" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/canonical/", + "name" : "Implementation-Title", + "value" : "nu.xom.canonical" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/canonical/", + "name" : "Specification-Title", + "value" : "XOM Canonical XML support" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/converters/", + "name" : "Implementation-Title", + "value" : "nu.xom.converters" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/converters/", + "name" : "Specification-Title", + "value" : "XOM converters to other object models" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/jaxen/", + "name" : "Implementation-Title", + "value" : "org.jaxen" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/jaxen/", + "name" : "Specification-Title", + "value" : "Jaxen XPath engine" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/xinclude/", + "name" : "Implementation-Title", + "value" : "nu.xom.xinclude" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/xinclude/", + "name" : "Specification-Title", + "value" : "XOM XInclude engine" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/xslt/", + "name" : "Implementation-Title", + "value" : "nu.xom.xslt" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/xslt/", + "name" : "Specification-Title", + "value" : "XOM XSLT interface" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "artifactid", + "value" : "xom" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer email", + "value" : "elharo@ibiblio.org" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer id", + "value" : "elharo" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer name", + "value" : "Elliotte Rusty Harold" + }, { + "type" : "product", + "confidence" : "LOW", + "source" : "pom", + "name" : "developer org", + "value" : "Cafe au Lait" + }, { + "type" : "product", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "groupid", + "value" : "xom" + }, { + "type" : "product", + "confidence" : "HIGH", + "source" : "pom", + "name" : "name", + "value" : "XOM" + }, { + "type" : "product", + "confidence" : "MEDIUM", + "source" : "pom", + "name" : "url", + "value" : "http://xom.nu" + } ], + "versionEvidence" : [ { + "type" : "version", + "confidence" : "HIGH", + "source" : "file", + "name" : "version", + "value" : "1.2.5" + }, { + "type" : "version", + "confidence" : "HIGH", + "source" : "Manifest", + "name" : "Implementation-Version", + "value" : "1.2.5" + }, { + "type" : "version", + "confidence" : "MEDIUM", + "source" : "manifest: nu/xom/", + "name" : "Implementation-Version", + "value" : "1.2.5" + }, { + "type" : "version", + "confidence" : "HIGHEST", + "source" : "pom", + "name" : "version", + "value" : "1.2.5" + } ] + }, + "packages" : [ { + "id" : "pkg:maven/xom/xom@1.2.5", + "confidence" : "HIGH", + "url" : "https://ossindex.sonatype.org/component/pkg:maven/xom/xom@1.2.5?utm_source=dependency-check&utm_medium=integration&utm_content=8.2.1" + } ] + } ] +} \ No newline at end of file diff --git a/CVE-2013-5960/scan-results/grype/grype-report.json b/CVE-2013-5960/scan-results/grype/grype-report.json new file mode 100644 index 0000000..817e024 --- /dev/null +++ b/CVE-2013-5960/scan-results/grype/grype-report.json @@ -0,0 +1,418 @@ +{ + "matches": [ + { + "vulnerability": { + "id": "GHSA-8m5h-hrqm-pxm2", + "dataSource": "https://github.com/advisories/GHSA-8m5h-hrqm-pxm2", + "namespace": "github:language:java", + "severity": "High", + "urls": [ + "https://github.com/advisories/GHSA-8m5h-hrqm-pxm2" + ], + "description": "Path traversal in the OWASP Enterprise Security API", + "cvss": [], + "fix": { + "versions": [ + "2.3.0.0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-23457", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-23457", + "namespace": "nvd:cpe", + "severity": "Critical", + "urls": [ + "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt", + "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-8m5h-hrqm-pxm2", + "https://security.netapp.com/advisory/ntap-20230127-0014/", + "https://securitylab.github.com/advisories/GHSL-2022-008_The_OWASP_Enterprise_Security_API/", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, the default implementation of `Validator.getValidDirectoryPath(String, String, File, boolean)` may incorrectly treat the tested input string as a child of the specified parent directory. This potentially could allow control-flow bypass checks to be defeated if an attack can specify the entire string representing the 'input' path. This vulnerability is patched in release 2.3.0.0 of ESAPI. As a workaround, it is possible to write one's own implementation of the Validator interface. However, maintainers do not recommend this.", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 10, + "impactScore": 6.4 + }, + "vendorMetadata": {} + }, + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 9.8, + "exploitabilityScore": 3.9, + "impactScore": 5.9 + }, + "vendorMetadata": {} + }, + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "metrics": { + "baseScore": 7.5, + "exploitabilityScore": 1.6, + "impactScore": 5.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "esapi", + "version": "2.1.0" + } + }, + "found": { + "versionConstraint": "<=2.2.3.1 (unknown)", + "vulnerabilityID": "GHSA-8m5h-hrqm-pxm2" + } + } + ], + "artifact": { + "id": "b4381ae137bfa3f0", + "name": "esapi", + "version": "2.1.0", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:esapi:esapi:2.1.0:*:*:*:*:*:*:*", + "cpe:2.3:a:owasp:esapi:2.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/org.owasp.esapi/esapi@2.1.0", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "esapi", + "pomGroupID": "org.owasp.esapi", + "manifestName": "", + "archiveDigests": null + } + } + }, + { + "vulnerability": { + "id": "GHSA-q77q-vx4q-xx6q", + "dataSource": "https://github.com/advisories/GHSA-q77q-vx4q-xx6q", + "namespace": "github:language:java", + "severity": "Medium", + "urls": [ + "https://github.com/advisories/GHSA-q77q-vx4q-xx6q" + ], + "description": "Cross-site Scripting in org.owasp.esapi:esapi", + "cvss": [], + "fix": { + "versions": [ + "2.3.0.0" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2022-24891", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2022-24891", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/ESAPI-security-bulletin8.pdf", + "https://github.com/ESAPI/esapi-java-legacy/blob/develop/documentation/esapi4java-core-2.3.0.0-release-notes.txt", + "https://github.com/ESAPI/esapi-java-legacy/security/advisories/GHSA-q77q-vx4q-xx6q", + "https://security.netapp.com/advisory/ntap-20230127-0014/", + "https://www.oracle.com/security-alerts/cpujul2022.html" + ], + "description": "ESAPI (The OWASP Enterprise Security API) is a free, open source, web application security control library. Prior to version 2.3.0.0, there is a potential for a cross-site scripting vulnerability in ESAPI caused by a incorrect regular expression for \"onsiteURL\" in the **antisamy-esapi.xml** configuration file that can cause \"javascript:\" URLs to fail to be correctly sanitized. This issue is patched in ESAPI 2.3.0.0. As a workaround, manually edit the **antisamy-esapi.xml** configuration files to change the \"onsiteURL\" regular expression. More information about remediation of the vulnerability, including the workaround, is available in the maintainers' release notes and security bulletin.", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:N/I:P/A:N", + "metrics": { + "baseScore": 4.3, + "exploitabilityScore": 8.6, + "impactScore": 2.9 + }, + "vendorMetadata": {} + }, + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "metrics": { + "baseScore": 6.1, + "exploitabilityScore": 2.8, + "impactScore": 2.7 + }, + "vendorMetadata": {} + }, + { + "version": "3.1", + "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "metrics": { + "baseScore": 5.4, + "exploitabilityScore": 2.8, + "impactScore": 2.5 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "esapi", + "version": "2.1.0" + } + }, + "found": { + "versionConstraint": "<=2.2.3.1 (unknown)", + "vulnerabilityID": "GHSA-q77q-vx4q-xx6q" + } + } + ], + "artifact": { + "id": "b4381ae137bfa3f0", + "name": "esapi", + "version": "2.1.0", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:esapi:esapi:2.1.0:*:*:*:*:*:*:*", + "cpe:2.3:a:owasp:esapi:2.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/org.owasp.esapi/esapi@2.1.0", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "esapi", + "pomGroupID": "org.owasp.esapi", + "manifestName": "", + "archiveDigests": null + } + } + }, + { + "vulnerability": { + "id": "GHSA-2g56-7jv7-wxxq", + "dataSource": "https://github.com/advisories/GHSA-2g56-7jv7-wxxq", + "namespace": "github:language:java", + "severity": "Medium", + "urls": [ + "https://github.com/advisories/GHSA-2g56-7jv7-wxxq" + ], + "description": "Missing Cryptographic Step in OWASP Enterprise Security API for Java", + "cvss": [], + "fix": { + "versions": [ + "2.1.0.1" + ], + "state": "fixed" + }, + "advisories": [] + }, + "relatedVulnerabilities": [ + { + "id": "CVE-2013-5960", + "dataSource": "https://nvd.nist.gov/vuln/detail/CVE-2013-5960", + "namespace": "nvd:cpe", + "severity": "Medium", + "urls": [ + "http://code.google.com/p/owasp-esapi-java/issues/detail?id=306", + "http://lists.owasp.org/pipermail/esapi-dev/2013-August/002285.html", + "http://owasp-esapi-java.googlecode.com/svn/trunk/documentation/ESAPI-security-bulletin1.pdf", + "http://www.securityfocus.com/bid/62415", + "https://github.com/ESAPI/esapi-java-legacy/blob/master/documentation/esapi4java-core-2.1.0.1-release-notes.txt", + "https://github.com/ESAPI/esapi-java-legacy/issues/359", + "https://github.com/esapi/esapi-java-legacy/issues/306" + ], + "description": "The authenticated-encryption feature in the symmetric-encryption implementation in the OWASP Enterprise Security API (ESAPI) for Java 2.x before 2.1.0.1 does not properly resist tampering with serialized ciphertext, which makes it easier for remote attackers to bypass intended cryptographic protection mechanisms via an attack against the intended cipher mode in a non-default configuration, a different vulnerability than CVE-2013-5679.", + "cvss": [ + { + "version": "2.0", + "vector": "AV:N/AC:M/Au:N/C:P/I:P/A:N", + "metrics": { + "baseScore": 5.8, + "exploitabilityScore": 8.6, + "impactScore": 4.9 + }, + "vendorMetadata": {} + } + ] + } + ], + "matchDetails": [ + { + "type": "exact-direct-match", + "matcher": "java-matcher", + "searchedBy": { + "language": "java", + "namespace": "github:language:java", + "package": { + "name": "esapi", + "version": "2.1.0" + } + }, + "found": { + "versionConstraint": ">=2.0.0.0,<=2.1.0.0 (unknown)", + "vulnerabilityID": "GHSA-2g56-7jv7-wxxq" + } + } + ], + "artifact": { + "id": "b4381ae137bfa3f0", + "name": "esapi", + "version": "2.1.0", + "type": "java-archive", + "locations": [ + { + "path": "/pom.xml" + } + ], + "language": "java", + "licenses": [], + "cpes": [ + "cpe:2.3:a:esapi:esapi:2.1.0:*:*:*:*:*:*:*", + "cpe:2.3:a:owasp:esapi:2.1.0:*:*:*:*:*:*:*" + ], + "purl": "pkg:maven/org.owasp.esapi/esapi@2.1.0", + "upstreams": [], + "metadataType": "JavaMetadata", + "metadata": { + "virtualPath": "", + "pomArtifactID": "esapi", + "pomGroupID": "org.owasp.esapi", + "manifestName": "", + "archiveDigests": null + } + } + } + ], + "source": { + "type": "directory", + "target": "CVE-2013-5960/" + }, + "distro": { + "name": "", + "version": "", + "idLike": null + }, + "descriptor": { + "name": "", + "version": "", + "configuration": { + "output": [ + "json" + ], + "file": "CVE-2013-5960//scan-results/grype/grype-report.json", + "distro": "", + "add-cpes-if-none": false, + "output-template-file": "", + "check-for-app-update": false, + "only-fixed": false, + "only-notfixed": false, + "platform": "", + "search": { + "scope": "Squashed", + "unindexed-archives": false, + "indexed-archives": true + }, + "ignore": null, + "exclude": [], + "db": { + "cache-dir": "/home/wtwhite/.cache/grype/db", + "update-url": "https://toolbox-data.anchore.io/grype/databases/listing.json", + "ca-cert": "", + "auto-update": false, + "validate-by-hash-on-start": false, + "validate-age": true, + "max-allowed-built-age": 3600000000000000000 + }, + "externalSources": { + "enable": false, + "maven": { + "searchUpstreamBySha1": true, + "baseUrl": "https://search.maven.org/solrsearch/select" + } + }, + "match": { + "java": { + "using-cpes": true + }, + "dotnet": { + "using-cpes": true + }, + "golang": { + "using-cpes": true + }, + "javascript": { + "using-cpes": true + }, + "python": { + "using-cpes": true + }, + "ruby": { + "using-cpes": true + }, + "stock": { + "using-cpes": true + } + }, + "fail-on-severity": "", + "registry": { + "insecure-skip-tls-verify": false, + "insecure-use-http": false, + "auth": null, + "ca-cert": "" + }, + "show-suppressed": false, + "by-cve": false, + "name": "", + "default-image-pull-source": "", + "vex-documents": [], + "vex-add": [] + }, + "db": { + "built": "2023-04-27T10:34:58Z", + "schemaVersion": 5, + "location": "/home/wtwhite/.cache/grype/db/5", + "checksum": "sha256:db85d95f6b5924c38d690f7b6a9743cc6ef58e7a100707749ab28792b573e9a9", + "error": null + }, + "timestamp": "2023-10-05T11:14:37.583465836+13:00" + } +} diff --git a/CVE-2013-5960/scan-results/snyk/snyk-report.json b/CVE-2013-5960/scan-results/snyk/snyk-report.json new file mode 100644 index 0000000..ccf9892 --- /dev/null +++ b/CVE-2013-5960/scan-results/snyk/snyk-report.json @@ -0,0 +1,4495 @@ +{ + "vulnerabilities": [ + { + "id": "SNYK-JAVA-COMMONSCODEC-561518", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Hanson Char" + ], + "semver": { + "vulnerable": [ + "[,1.13)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.13" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [ + { + "version": [ + "[1.5,1.13)" + ], + "functionId": { + "filePath": "org/apache/commons/codec/binary/Base32.java", + "className": "Base32", + "functionName": "decode" + } + }, + { + "version": [ + "[,1.13)" + ], + "functionId": { + "filePath": "org/apache/commons/codec/binary/Base64.java", + "className": "Base64", + "functionName": "decode" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-codec:commons-codec", + "references": [ + { + "url": "https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/CODEC-134", + "title": "Jira Issue" + } + ], + "cvssDetails": [], + "description": "## Overview\n[commons-codec:commons-codec](https://commons.apache.org/proper/commons-codec) is a package that contains simple encoder and decoders for various formats such as Base64 and Hexadecimal.\n\nAffected versions of this package are vulnerable to Information Exposure. When there is no byte array value that can be encoded into a string the Base32 implementation does not reject it, and instead decodes it into an arbitrary value which can be re-encoded again using the same implementation. This allows for information exposure exploits such as tunneling additional information via seemingly valid base 32 strings.\n## Remediation\nUpgrade `commons-codec:commons-codec` to version 1.13 or higher.\n## References\n- [GitHub Commit](https://github.com/apache/commons-codec/commit/48b615756d1d770091ea3322eefc08011ee8b113)\n- [Jira Issue](https://issues.apache.org/jira/browse/CODEC-134)\n", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "commons-codec:commons-codec", + "proprietary": false, + "creationTime": "2020-03-30T17:22:24.164713Z", + "functions_new": [ + { + "version": [ + "[1.5,1.13)" + ], + "functionId": { + "className": "org.apache.commons.codec.binary.Base32", + "functionName": "decode" + } + }, + { + "version": [ + "[,1.13)" + ], + "functionId": { + "className": "org.apache.commons.codec.binary.Base64", + "functionName": "decode" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2020-03-30T17:20:23Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-codec", + "artifactId": "commons-codec" + }, + "publicationTime": "2012-03-03T17:20:25Z", + "modificationTime": "2020-06-12T14:37:04.472432Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3", + "commons-httpclient:commons-httpclient@3.1", + "commons-codec:commons-codec@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.2.0.0", + "org.owasp.antisamy:antisamy@1.5.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-codec:commons-codec", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-30078", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:H/RL:O", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[3.0,3.2.2)" + ] + }, + "exploit": "High", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "transform" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/", + "title": "FoxGloveSecurity Blog" + }, + { + "url": "https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Issue" + }, + { + "url": "https://github.com/ianxtianxt/CVE-2015-7501", + "title": "PoC" + }, + { + "url": "https://www.exploit-db.com/exploits/46628", + "title": "Exploit DB" + }, + { + "url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog", + "title": "CISA - Known Exploited Vulnerabilities" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-01-03T17:44:31.237189Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-02-09T11:24:31.709730Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nIt is possible to execute arbitrary Java code with the `InvokerTransformer` serializable collections . The `sun.reflect.annotation.AnnotationInvocationHandler#readObject` method invokes `#entrySet` and `#get` on a deserialized collection. If an attacker has to ability to send serialized data (JMX, RMI, EJB) to an application using the `common-collections` library, it is possible to combine the aforementioned methods to execute arbitrary code on the application.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [FoxGloveSecurity Blog](http://foxglovesecurity.com/2015/11/06/what-do-weblogic-websphere-jboss-jenkins-opennms-and-your-application-have-in-common-this-vulnerability/)\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/e585cd0433ae4cfbc56e58572b9869bd0c86b611)\n\n- [Jira Issue](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n\n- [PoC](https://github.com/ianxtianxt/CVE-2015-7501)\n\n- [Exploit DB](https://www.exploit-db.com/exploits/46628)\n\n- [CISA - Known Exploited Vulnerabilities](https://www.cisa.gov/known-exploited-vulnerabilities-catalog)\n", + "epssDetails": { + "percentile": "0.81082", + "probability": "0.00958", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-7501", + "CVE-2015-4852" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2016-12-25T16:51:56Z", + "functions_new": [ + { + "version": [ + "[3,3.2.2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "transform" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2015-11-06T16:51:56Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2015-11-06T16:51:56Z", + "modificationTime": "2023-05-26T04:33:37.114758Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-collections:commons-collections@3.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.1.0.1", + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.2" + }, + { + "id": "SNYK-JAVA-COMMONSCOLLECTIONS-472711", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:R", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.2.2)" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [ + "3.2.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.6, + "functions": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "filePath": "org/apache/commons/collections/functors/InvokerTransformer.java", + "className": "InvokerTransformer", + "functionName": "" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-collections:commons-collections", + "references": [ + { + "url": "https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-collections/pull/18", + "title": "GitHub PR" + }, + { + "url": "https://issues.apache.org/jira/browse/COLLECTIONS-580", + "title": "Jira Ticket" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-02-09T11:24:22.441391Z" + } + ], + "description": "## Overview\n\n[commons-collections:commons-collections](https://mvnrepository.com/artifact/commons-collections/commons-collections) is a library which contains types that extend and augment the Java Collections Framework.\n\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data.\nVersions of commons-collections prior to `3.2.2` do not prevent deserialization of the class `org.apache.commons.collections.functors.InvokerTransformer`. This could be leveraged by an attacker as a gadget within a vulnerable application which deserializes user input to execute arbitrary code. \r\n\r\nVersions of commons-collections from 3.2.2 onwards will throw an `UnsupportedOperationException` error when attempts are made to deserialize InvokerTransformer instances to prevent potential remote code execution exploits.\r\n\r\n*Note:* `org.apache.commons:commons-collections` is no longer supported and has been moved to `org.apache.commons:commons-collections4` we recommend moving to the new artifact if possible.\r\n\r\n## PoC \r\n\r\n```\r\n/*\r\n\tGadget chain:\r\n\t\tObjectInputStream.readObject()\r\n\t\t\tAnnotationInvocationHandler.readObject()\r\n\t\t\t\tMap(Proxy).entrySet()\r\n\t\t\t\t\tAnnotationInvocationHandler.invoke()\r\n\t\t\t\t\t\tLazyMap.get()\r\n\t\t\t\t\t\t\tChainedTransformer.transform()\r\n\t\t\t\t\t\t\t\tConstantTransformer.transform()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tClass.getMethod()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.getRuntime()\r\n\t\t\t\t\t\t\t\tInvokerTransformer.transform()\r\n\t\t\t\t\t\t\t\t\tMethod.invoke()\r\n\t\t\t\t\t\t\t\t\t\tRuntime.exec()\r\n\tRequires:\r\n\t\tcommons-collections\r\n */\r\n```\n\n## Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\r\n\r\n \r\n\r\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\r\n\r\n \r\n\r\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\r\n\r\n \r\n\r\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\r\n\r\n \r\n\r\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\r\n\r\n- Apache Blog\r\n\r\n \r\n\r\nThe vulnerability, also know as _Mad Gadget_\r\n\r\n> Mad Gadget is one of the most pernicious vulnerabilities we’ve seen. By merely existing on the Java classpath, seven “gadget” classes in Apache Commons Collections (versions 3.0, 3.1, 3.2, 3.2.1, and 4.0) make object deserialization for the entire JVM process Turing complete with an exec function. Since many business applications use object deserialization to send messages across the network, it would be like hiring a bank teller who was trained to hand over all the money in the vault if asked to do so politely, and then entrusting that teller with the key. The only thing that would keep a bank safe in such a circumstance is that most people wouldn’t consider asking such a question.\r\n\r\n- Google\n\n\n## Remediation\n\nUpgrade `commons-collections:commons-collections` to version 3.2.2 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/apache/commons-collections/commit/5ec476b0b756852db865b2e442180f091f8209ee)\n\n- [GitHub PR](https://github.com/apache/commons-collections/pull/18)\n\n- [Jira Ticket](https://issues.apache.org/jira/browse/COLLECTIONS-580)\n", + "epssDetails": { + "percentile": "0.80223", + "probability": "0.00880", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2015-6420" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-6hgm-866r-3cjv" + ] + }, + "packageName": "commons-collections:commons-collections", + "proprietary": false, + "creationTime": "2019-10-10T18:31:03.943542Z", + "functions_new": [ + { + "version": [ + "[3.1, 3.22)", + "[,3.0-dev2)" + ], + "functionId": { + "className": "org.apache.commons.collections.functors.InvokerTransformer", + "functionName": "" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-10-10T00:00:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-collections", + "artifactId": "commons-collections" + }, + "publicationTime": "2020-02-24T00:00:00Z", + "modificationTime": "2023-02-09T11:24:22.441391Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-collections:commons-collections@3.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.1.0.1", + "commons-collections:commons-collections@3.2.2" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-collections:commons-collections", + "version": "3.2" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30079", + "title": "Time of Check Time of Use (TOCTOU)", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", + "credit": [ + "Karl Dyszynski", + "Hugo Vazquez Carames" + ], + "semver": { + "vulnerable": [ + "[,1.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "http://mail-archives.apache.org/mod_mbox/commons-user/201303.mbox/%3C51371C31.8020805@apache.org%3E", + "title": "Commons-user Mailing List" + }, + { + "url": "https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml%23L114", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/7d9e956627a3803c1fc5734e2b18113a033e6f60", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/CVE-2013-0248", + "title": "Redhat Bugzilla" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L", + "cvssV3BaseScore": 4.4, + "modificationTime": "2023-02-09T11:23:34.128649Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.1, + "modificationTime": "2023-03-26T23:16:15.823645Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Time of Check Time of Use (TOCTOU) if the attacker has write access to the /tmp directory.\r\n\r\n## Details\r\nCommons FileUpload provides file upload capability for Servlets and web applications. During the upload process, FileUpload may (depending on configuration) save the uploaded file temporarily on disk. By default this will be in the system wide tmp directory. Because the temporary files have predictable file names and are stored in a publicly writeable location they are vulnerable to a TOCTOU attack.\r\n\r\nA successful attack requires that the attacker has write access to the tmp directory. The attack can be prevented by setting the repository to a non-publicly writeable location. The documentation for FileUpload does not highlight the potential security implications of not setting a repository, nor do the provided examples set a repository. This may have caused users to use FileUpload in an insecure manner.\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.3 or higher.\n## References\n- [Commons-user Mailing List](http://mail-archives.apache.org/mod_mbox/commons-user/201303.mbox/%3C51371C31.8020805@apache.org%3E)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/b1498c9877d751f8bc4635a6f252ebdfcba28518/src/changes/changes.xml#L114)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/7d9e956627a3803c1fc5734e2b18113a033e6f60)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/CVE-2013-0248)\n", + "epssDetails": { + "percentile": "0.05680", + "probability": "0.00042", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2013-0248" + ], + "CWE": [ + "CWE-264" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:47Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2013-03-15T20:55:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2015-05-06T16:51:47Z", + "modificationTime": "2023-03-26T23:16:15.823645Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-fileupload:commons-fileupload@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.1.0.1", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30080", + "title": "Arbitrary File Write", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.3.1)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/commit/163a6061fbc077d4b6e4787d26857c2baba495d1", + "title": "GitHub Commit" + }, + { + "url": "https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186", + "title": "RedHat Bugzilla Bug" + }, + { + "url": "https://access.redhat.com/security/cve/CVE-2013-2186", + "title": "RedHat CVE Database" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-02-09T11:24:47.974398Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-04-01T14:50:20.293418Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nAffected versions of this package are vulnerable to Arbitrary File Write.\n\n## Details\nThe DiskFileItem class in Apache Commons FileUpload, as used in Red Hat JBoss BRMS 5.3.1; JBoss Portal 4.3 CP07, 5.2.2, and 6.0.0; and Red Hat JBoss Web Server 1.0.2 allows remote attackers to write to arbitrary files via a NULL byte in a file name in a serialized instance.\n\n## References\n- [Redhat Security Advisory](https://access.redhat.com/security/cve/CVE-2013-2186)\n- [Redhat Bugzilla](https://bugzilla.redhat.com/show_bug.cgi?id=CVE-2013-2186)\n", + "epssDetails": { + "percentile": "0.88946", + "probability": "0.02681", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2013-2186" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:48Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2013-06-16T16:51:48Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2013-06-16T16:51:48Z", + "modificationTime": "2023-04-01T14:50:20.293418Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-fileupload:commons-fileupload@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.1.0.1", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30081", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:F", + "credit": [ + "Mark Thomas" + ], + "semver": { + "vulnerable": [ + "[,1.3.1)" + ] + }, + "exploit": "Functional", + "fixedIn": [ + "1.3.1" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E", + "title": "Apache Mailing list archives" + }, + { + "url": "http://svn.apache.org/viewvc?view=revision&revision=1565143", + "title": "Apache-SVN" + }, + { + "url": "https://www.exploit-db.com/exploits/31615", + "title": "Exploit DB" + }, + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L90", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/c61ff05b3241cb14d989b67209e57aa71540417a", + "title": "GitHub Commit" + }, + { + "url": "http://struts.apache.org/docs/s2-020.html", + "title": "Issue documentation" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050", + "title": "NVD" + }, + { + "url": "http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html", + "title": "Oren Hafif Blog" + }, + { + "url": "https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries/", + "title": "POC: Potential Exploit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2023-02-09T11:23:35.776405Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "cvssV3BaseScore": 5.3, + "modificationTime": "2023-02-09T11:24:59.734247Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nAffected versions of this package are vulnerable to Denial of Service (DoS) attacks. An attacker may send a specially crafted `Content-Type` header that bypasses a loop's intended exit conditions, causing an infinite loop and high CPU consumption.\n\n## Details\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\r\n\r\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\r\n\r\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\r\n\r\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\r\n\r\nTwo common types of DoS vulnerabilities:\r\n\r\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\r\n\r\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](npm:ws:20171108)\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0050)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L90)\n- [Oren Hafif Blog](http://blog.spiderlabs.com/2014/02/cve-2014-0050-exploit-with-boundaries-loops-without-boundaries.html)\n- [Apache-SVN](http://svn.apache.org/viewvc?view=revision&revision=1565143)\n- [Apache Mailing list archives](http://mail-archives.apache.org/mod_mbox/www-announce/201402.mbox/%3C52F373FC.9030907@apache.org%3E)\n- [Issue documentation](http://struts.apache.org/docs/s2-020.html)\n", + "epssDetails": { + "percentile": "0.95131", + "probability": "0.15701", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2014-0050" + ], + "CWE": [ + "CWE-264" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2016-12-25T16:51:51Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-02-11T16:51:51Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2014-02-11T16:51:51Z", + "modificationTime": "2023-02-09T11:24:59.734247Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-fileupload:commons-fileupload@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.1.0.1", + "commons-fileupload:commons-fileupload@1.3.1" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-30401", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[1.1,1.3.3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/disk/DiskFileItem.java", + "className": "DiskFileItem", + "functionName": "readObject" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L65", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031", + "title": "NVD" + }, + { + "url": "http://www.tenable.com/security/research/tra-2016-12", + "title": "Tenable Security" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-07-26T01:11:38.227729Z" + }, + { + "assigner": "SUSE", + "severity": "critical", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-05-04T00:43:11.123709Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L", + "cvssV3BaseScore": 7.3, + "modificationTime": "2022-10-26T19:44:19.103303Z" + } + ], + "description": "## Overview\n[`commons-fileupload:commons-fileupload`](http://search.maven.org/#search%7Cga%7C1%7Ca%3A%22commons-fileupload%22)\nThe Apache Commons FileUpload library contains a Java Object that, upon deserialization, can be manipulated to write or copy files in arbitrary locations. If integrated with [`ysoserial`](https://github.com/frohoff/ysoserial), it is possible to upload and execute binaries in a single deserialization call.\n\n# Details\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n- Apache Blog\n\n## Remediation\nUpgrade `commons-fileupload` to version 1.3.3 or higher.\n\n\n## References\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2016-1000031)\n- [Tenable Security](http://www.tenable.com/security/research/tra-2016-12)\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L65)\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/388e824518697c2c8f9f83fd964621d9c2f8fc4c)\n", + "epssDetails": { + "percentile": "0.91021", + "probability": "0.04227", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2016-1000031" + ], + "CWE": [ + "CWE-284" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-02-22T07:28:18.753000Z", + "functions_new": [ + { + "version": [ + "[1.1,1.3.3)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.disk.DiskFileItem", + "functionName": "readObject" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2016-10-25T14:29:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2016-10-26T03:04:11.895000Z", + "modificationTime": "2022-10-26T19:44:19.103303Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-fileupload:commons-fileupload@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.2.0.0", + "commons-fileupload:commons-fileupload@1.3.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-31540", + "title": "Information Exposure", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.3.2)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.3.2" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase$FileItemIteratorImpl.java", + "className": "FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUploadBase.java", + "className": "FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "filePath": "org/apache/commons/fileupload/FileUpload.java", + "className": "FileUpload", + "functionName": "parseRequest" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml%23L56", + "title": "Github ChangeLog" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814", + "title": "GitHub Commit" + } + ], + "cvssDetails": [], + "description": "## Overview\r\n[`commons-fileupload:commons-fileupload`](https://commons.apache.org/proper/commons-fileupload/) provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\r\n\r\nAffected versions of the package are vulnerable to Information Disclosure because the `InputStream` is not closed on exception.\r\n\r\n## Remediation\r\nUpgrade `commons-fileupload` to version 1.3.2 or higher.\r\n\r\n## References\r\n- [Github ChangeLog](https://github.com/apache/commons-fileupload/blob/master/src/changes/changes.xml#L56)\r\n- [Github Commit](https://github.com/apache/commons-fileupload/commit/5b4881d7f75f439326f54fa554a9ca7de6d60814)", + "epssDetails": null, + "identifiers": { + "CVE": [], + "CWE": [ + "CWE-200" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2017-10-01T08:05:48.497000Z", + "functions_new": [ + { + "version": [ + "[1.2.0 ,1.3.2)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase$FileItemIteratorImpl", + "functionName": "" + } + }, + { + "version": [ + "[1.0-rc1,1.2.0)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUploadBase", + "functionName": "parseRequest" + } + }, + { + "version": [ + "[,1.0-rc1)" + ], + "functionId": { + "className": "org.apache.commons.fileupload.FileUpload", + "functionName": "parseRequest" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2014-02-17T22:00:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2017-02-17T08:05:48Z", + "modificationTime": "2020-12-14T14:41:37.686165Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-fileupload:commons-fileupload@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.2.0.0", + "commons-fileupload:commons-fileupload@1.3.3" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSFILEUPLOAD-3326457", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Jakob Ackermann" + ], + "semver": { + "vulnerable": [ + "[1.0-beta-1, 1.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-fileupload:commons-fileupload", + "references": [ + { + "url": "https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy", + "title": "Apache Mailing List" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e", + "title": "GitHub Commit (Tomcat)" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 6.5, + "modificationTime": "2023-02-28T14:13:08.790066Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-02T01:10:12.884606Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-11T11:02:24.927537Z" + } + ], + "description": "## Overview\n[commons-fileupload:commons-fileupload](https://mvnrepository.com/artifact/commons-fileupload/commons-fileupload) is a component that provides a simple yet flexible means of adding support for multipart file upload functionality to servlets and web applications.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) when an attacker sends a large number of request parts in a series of uploads or a single multipart upload.\r\n\r\n**NOTE:** After upgrading to the fixed version, the `setFileCountMax()` must be explicitly set to avoid this vulnerability.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nUpgrade `commons-fileupload:commons-fileupload` to version 1.5 or higher.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/4xl4l09mhwg4vgsk7dxqogcjrobrrdoy)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/0a306f75949f2e9f5f92c400cad39d20117a2eb0)\n- [GitHub Commit](https://github.com/apache/commons-fileupload/commit/e20c04990f7420ca917e96a84cec58b13a1b3d17)\n- [GitHub Commit (Tomcat)](https://github.com/apache/tomcat/commit/063e2e81ede50c287f737cc8e2915ce7217e886e)\n", + "epssDetails": { + "percentile": "0.70204", + "probability": "0.00408", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-24998" + ], + "CWE": [ + "CWE-400" + ] + }, + "packageName": "commons-fileupload:commons-fileupload", + "proprietary": false, + "creationTime": "2023-02-21T08:19:49.294883Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-02-21T08:00:22Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-fileupload", + "artifactId": "commons-fileupload" + }, + "publicationTime": "2023-02-21T09:23:34.093821Z", + "modificationTime": "2023-03-11T11:02:24.927537Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "commons-fileupload:commons-fileupload@1.2" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.2.0", + "commons-fileupload:commons-fileupload@1.5" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-fileupload:commons-fileupload", + "version": "1.2" + }, + { + "id": "SNYK-JAVA-COMMONSHTTPCLIENT-30083", + "title": "Improper Certificate Validation", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,3.1-jenkins-3)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "3.1-jenkins-3" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.4, + "functions": [ + { + "version": [ + "[2.0, 3.1)" + ], + "functionId": { + "filePath": "org/apache/commons/httpclient/protocol/SSLProtocolSocketFactory.java", + "className": "SSLProtocolSocketFactory", + "functionName": "createSocket" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-httpclient:commons-httpclient", + "references": [ + { + "url": "https://github.com/jenkinsci/lib-commons-httpclient/commit/a4427f1a6e57ff5250d5b9699948f4ccbb0efef1", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/HTTPCLIENT-1265", + "title": "Jira Issue" + }, + { + "url": "http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf", + "title": "The University of Texas" + }, + { + "url": "https://exchange.xforce.ibmcloud.com/vulnerabilities/79984", + "title": "X-force Vulnerability Report" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-02-09T11:24:12.775159Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": "2022-09-01T17:13:01.019923Z" + } + ], + "description": "## Overview\n[commons-httpclient:commons-httpclient](https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient) is a HttpClient component of the Apache HttpComponents project.\n\nAffected versions of this package are vulnerable to Improper Certificate Validation due to not verifying that the requesting server hostname matches a domain name in the subject's `Common Name (CN)` or `subjectAltName` field of the X.509 certificate. This allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.\r\n\r\n**NOTE:** This plugin has been deprecated, but a fix has been released in version 3.1-jenkins-3 on a special Jenkins fork of the project.\n## Remediation\nUpgrade `commons-httpclient:commons-httpclient` to version 3.1-jenkins-3 or higher.\n## References\n- [GitHub Commit](https://github.com/jenkinsci/lib-commons-httpclient/commit/a4427f1a6e57ff5250d5b9699948f4ccbb0efef1)\n- [Jira Issue](https://issues.apache.org/jira/browse/HTTPCLIENT-1265)\n- [The University of Texas](http://www.cs.utexas.edu/~shmat/shmat_ccs12.pdf)\n- [X-force Vulnerability Report](https://exchange.xforce.ibmcloud.com/vulnerabilities/79984)\n", + "epssDetails": { + "percentile": "0.60643", + "probability": "0.00238", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2012-5783" + ], + "CWE": [ + "CWE-295" + ] + }, + "packageName": "commons-httpclient:commons-httpclient", + "proprietary": false, + "creationTime": "2016-12-25T16:51:47Z", + "functions_new": [ + { + "version": [ + "[2.0, 3.1)" + ], + "functionId": { + "className": "org.apache.commons.httpclient.protocol.SSLProtocolSocketFactory", + "functionName": "createSocket" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2012-11-04T22:55:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-httpclient", + "artifactId": "commons-httpclient" + }, + "publicationTime": "2013-03-25T16:51:47Z", + "modificationTime": "2023-02-09T11:24:12.775159Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3", + "commons-httpclient:commons-httpclient@3.1" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.2.0.0", + "org.owasp.antisamy:antisamy@1.5.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-httpclient:commons-httpclient", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-COMMONSHTTPCLIENT-31660", + "title": "Man-in-the-Middle (MitM)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4.3, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "commons-httpclient:commons-httpclient", + "references": [ + { + "url": "https://github.com/apache/httpcomponents-client/commit/6e14fc146a66e0f3eb362f45f95d1a58ee18886a", + "title": "GitHub Commit" + }, + { + "url": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153", + "title": "NVD" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N", + "cvssV3BaseScore": 4.3, + "modificationTime": "2023-02-09T11:24:12.416149Z" + }, + { + "assigner": "Red Hat", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "cvssV3BaseScore": 5.4, + "modificationTime": "2023-02-09T11:24:57.645898Z" + } + ], + "description": "## Overview\n[commons-httpclient:commons-httpclient](https://mvnrepository.com/artifact/commons-httpclient/commons-httpclient) is a HttpClient component of the Apache HttpComponents project.\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM) due to not verifing the requesting server's hostname agains existing domain names in the SSL Certificate. The `AbstractVerifier` does not properly verify that the server hostname matches a domain name in the subject's `Common Name (CN)` or `subjectAltName` field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via a certificate with a subject that specifies a common name in a field that is not the CN field. \r\n\r\n**NOTE:** this issue exists because of an incomplete fix for [CVE-2012-5783](SNYK-JAVA-COMMONSHTTPCLIENT-30083).\n## Remediation\nThere is no fixed version for `commons-httpclient:commons-httpclient`.\n## References\n- [GitHub Commit](https://github.com/apache/httpcomponents-client/commit/6e14fc146a66e0f3eb362f45f95d1a58ee18886a)\n- [NVD](https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-6153)\n", + "epssDetails": { + "percentile": "0.50674", + "probability": "0.00154", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2012-6153" + ], + "CWE": [ + "CWE-20" + ] + }, + "packageName": "commons-httpclient:commons-httpclient", + "proprietary": false, + "creationTime": "2017-02-22T07:28:21.771000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2014-09-04T17:55:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "commons-httpclient", + "artifactId": "commons-httpclient" + }, + "publicationTime": "2018-04-08T12:56:14Z", + "modificationTime": "2023-02-09T11:24:57.645898Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3", + "commons-httpclient:commons-httpclient@3.1" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.2.0.0", + "org.owasp.antisamy:antisamy@1.5.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "commons-httpclient:commons-httpclient", + "version": "3.1" + }, + { + "id": "SNYK-JAVA-LOG4J-1300176", + "title": "Man-in-the-Middle (MitM)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "low", + "cvssScore": 3.7, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b", + "title": "GitHub Commit" + }, + { + "url": "https://issues.apache.org/jira/browse/LOG4J2-2819", + "title": "Jira Issue" + }, + { + "url": "https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9", + "title": "Reload4j Fix Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": "2022-05-13T01:10:59.793871Z" + }, + { + "assigner": "Red Hat", + "severity": "low", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N", + "cvssV3BaseScore": 3.7, + "modificationTime": "2022-10-25T22:25:05.921273Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to Man-in-the-Middle (MitM). Improper validation of certificate with host mismatch in Apache Log4j SMTP appender. This could allow an SMTPS connection to be intercepted by a man-in-the-middle attack which could leak any log messages sent through that appender.\n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [GitHub Commit](https://github.com/apache/logging-log4j2/commit/6851b5083ef9610bae320bf07e1f24d2aa08851b)\n- [Jira Issue](https://issues.apache.org/jira/browse/LOG4J2-2819)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/90bc7826c206c256ee9ec6b51318cc1865cc19e9)\n", + "epssDetails": { + "percentile": "0.60788", + "probability": "0.00231", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2020-9488" + ], + "CWE": [ + "CWE-297" + ], + "GHSA": [ + "GHSA-vwqq-5vrc-xw9h" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2021-06-04T15:38:41.700520Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2020-04-27T17:16:14Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2020-04-28T17:16:14Z", + "modificationTime": "2023-09-28T10:28:56.484981Z", + "socialTrendAlert": false, + "severityWithCritical": "low", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-LOG4J-2316893", + "title": "Arbitrary Code Execution", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.6, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx", + "title": "Apache Mail" + }, + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/apache/logging-log4j2/pull/608%23issuecomment-991723301", + "title": "GitHub Comment" + }, + { + "url": "https://github.com/apache/logging-log4j2/pull/608", + "title": "GitHub Discussion" + } + ], + "cvssDetails": [ + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.4, + "modificationTime": "2022-05-03T21:14:50.879880Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-11-27T21:15:02.884557Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-10-06T01:10:27.666341Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to Arbitrary Code Execution.
**Note:** Even though this vulnerability appears to be related to the [log4j 2.x vulnerability](https://security.snyk.io/vuln/SNYK-JAVA-ORGAPACHELOGGINGLOG4J-2314720), the 1.x branch of the module requires an attacker to have access to modify configurations to be exploitable, which is rarely possible.\r\n\r\nIn order to leverage this vulnerability the following conditions must be met:\r\n\r\n1. The application has enabled `JMSAppender` (or a class that extends `JMSAppender`)\r\n2. The attacker has access to directly modify the `TopicBindingName` or `TopicConnectionFactoryBindingName` configuration variables - which is an unlikely scenario \r\n\r\nIf these conditions are met, log4j 1.x allows a `lookup` feature that does not protect against attacker-controlled LDAP and other JNDI related endpoints. Therefore, an attacker with access to the aforementioned configuration variables is able to execute arbitrary code when loaded from an LDAP server.\r\n\r\n## PoC\r\n\r\n```\r\nimport org.apache.log4j.net.JMSAppender;\r\n// ...\r\nJMSAppender a = new JMSAppender();\r\na.setTopicConnectionFactoryBindingName(\"ldap://\");\r\n// OR a.setTopicBindingName(\"ldap://\");\r\na.activateOptions();\r\n```\n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Apache Mail](https://lists.apache.org/thread/0x4zvtq92yggdgvwfgsftqrj4xx5w0nx)\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [GitHub Comment](https://github.com/apache/logging-log4j2/pull/608#issuecomment-991723301)\n- [GitHub Discussion](https://github.com/apache/logging-log4j2/pull/608)\n", + "epssDetails": { + "percentile": "0.98358", + "probability": "0.89218", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-4104" + ], + "CWE": [ + "CWE-94" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2021-12-13T14:52:40.887231Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-12-10T00:00:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2021-12-13T15:31:00Z", + "modificationTime": "2023-09-28T10:34:57.544358Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-LOG4J-2342645", + "title": "SQL Injection", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y", + "title": "Apache Mailing List" + }, + { + "url": "https://logging.apache.org/log4j/1.2/index.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/qos-ch/reload4j/commit/e845f28e7fb0ecbc0fcce383b11179f2650a51a2", + "title": "Reload4j Fix Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-07-26T01:11:24.708151Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2022-05-11T11:31:53.940580Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2022-11-27T21:23:50.447464Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to SQL Injection. By design, the `JDBCAppender` in Log4j 1.2.x accepts an SQL statement as a configuration parameter where the values to be inserted are converters from `PatternLayout`. The message converter, `%m`, is likely to always be included. This allows attackers to manipulate the SQL by entering crafted strings into input fields or headers of an application that are logged allowing unintended SQL queries to be executed.\r\n\r\n*Note:* this issue only affects Log4j 1.x when specifically configured to use the `JDBCAppender`, which is not the default. \r\n\r\nApache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions. Beginning in version 2.0-beta8, the `JDBCAppender` was re-introduced with proper support for parameterized SQL queries and further customization over the columns written to in logs.\n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/pt6lh3pbsvxqlwlp4c5l798dv2hkc85y)\n- [Apache Security Advisory](https://logging.apache.org/log4j/1.2/index.html)\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/e845f28e7fb0ecbc0fcce383b11179f2650a51a2)\n", + "epssDetails": { + "percentile": "0.71874", + "probability": "0.00443", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-23305" + ], + "CWE": [ + "CWE-89" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2022-01-18T17:06:29.378900Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-18T17:01:37Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2022-01-18T17:13:25Z", + "modificationTime": "2023-09-28T10:30:34.953517Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-LOG4J-2342646", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh", + "title": "Apache Mailing List" + }, + { + "url": "https://logging.apache.org/log4j/1.2/index.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/qos-ch/reload4j/commit/64902fe18ce5a5dd40487051a2f6231d9fbbe9b0", + "title": "Reload4j Fix Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2022-07-26T01:11:23.442829Z" + }, + { + "assigner": "SUSE", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.1, + "modificationTime": "2022-05-11T11:32:04.853481Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2022-11-27T21:23:46.897083Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. CVE-2020-9493 identified a deserialization issue that was present in Apache Chainsaw. Prior to Chainsaw V2.0 Chainsaw was a component of Apache Log4j 1.2.x where the same issue exists.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n \n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/rg4yyc89vs3dw6kpy3r92xop9loywyhh)\n- [Apache Security Advisory](https://logging.apache.org/log4j/1.2/index.html)\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/64902fe18ce5a5dd40487051a2f6231d9fbbe9b0)\n", + "epssDetails": { + "percentile": "0.79566", + "probability": "0.00797", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-23307" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2022-01-18T17:08:37.955423Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-18T17:06:32Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2022-01-18T17:13:25Z", + "modificationTime": "2023-09-28T10:37:55.904293Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-LOG4J-2342647", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 8.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w", + "title": "Apache Mailing List" + }, + { + "url": "https://logging.apache.org/log4j/1.2/index.html", + "title": "Apache Security Advisory" + }, + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://github.com/qos-ch/reload4j/commit/f221f2427c45134cf5768f46279ddf72fe1407c9", + "title": "Reload4j Fix Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2022-07-26T01:11:25.323210Z" + }, + { + "assigner": "SUSE", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 6.6, + "modificationTime": "2022-05-11T11:31:14.452251Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 8.8, + "modificationTime": "2022-11-27T21:20:50.584044Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. `JMSSink` in all versions of Log4j 1.x is vulnerable to deserialization of untrusted data when the attacker has write access to the Log4j configuration or if the configuration references an LDAP service the attacker has access to. The attacker can provide a `TopicConnectionFactoryBindingName` configuration causing `JMSSink` to perform `JNDI` requests that result in remote code execution in a similar fashion to [`CVE-2021-4104`](https://security.snyk.io/vuln/SNYK-JAVA-LOG4J-2316893). \r\n\r\n*Note:* this issue only affects Log4j 1.x when specifically configured to use `JMSSink`, which is not the default.\r\n\r\nApache Log4j 1.2 reached end of life in August 2015. Users should upgrade to Log4j 2 as it addresses numerous other issues from the previous versions.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)) is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, thus allowing the attacker to control the state or the flow of the execution.\n \n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Apache Mailing List](https://lists.apache.org/thread/bsr3l5qz4g0myrjhy9h67bcxodpkwj4w)\n- [Apache Security Advisory](https://logging.apache.org/log4j/1.2/index.html)\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [Reload4j Fix Commit](https://github.com/qos-ch/reload4j/commit/f221f2427c45134cf5768f46279ddf72fe1407c9)\n", + "epssDetails": { + "percentile": "0.79473", + "probability": "0.00790", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-23302" + ], + "CWE": [ + "CWE-502" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2022-01-18T17:25:51.891230Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-01-18T17:22:50Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2022-01-18T17:28:19Z", + "modificationTime": "2023-09-28T10:31:47.894637Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-LOG4J-3358774", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "Garrett Tucker of Red Hat" + ], + "semver": { + "vulnerable": [ + "[1.0.4,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.9, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t", + "title": "Apache Lists" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-16T01:10:11.157125Z" + }, + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-30T13:31:03.696549Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to Denial of Service (DoS). When using the `Chainsaw` or `SocketAppender` components with Log4j 1.x on JRE less than 1.7, an attacker that manages to cause a logging entry involving a specially-crafted, deeply nested `hashmap` or `hashtable` (depending on which logging component is in use) to be processed could exhaust the available memory in the virtual machine and achieve denial of service when the object is deserialized. \r\n\r\nThis issue affects Apache Log4j before 2. Affected users are recommended to update to Log4j 2.x `org.apache.logging.log4j/log4j-core`. \r\n\r\n*NOTE:* This vulnerability only affects products that are no longer supported by the maintainer.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Apache Lists](https://lists.apache.org/thread/wkx6grrcjkh86crr49p4blc1v1nflj3t)\n", + "epssDetails": { + "percentile": "0.37094", + "probability": "0.00089", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2023-26464" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-vp98-w2p3-mv35" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2023-03-11T13:18:05.378536Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2023-03-10T15:30:43Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2023-03-11T13:18:05.600249Z", + "modificationTime": "2023-09-28T09:38:02.694904Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-LOG4J-572732", + "title": "Deserialization of Untrusted Data", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H/E:P", + "credit": [ + "Marcio Almeida de Macedo" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Proof of Concept", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "critical", + "cvssScore": 9.8, + "functions": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "filePath": "org/apache/log4j/net/SocketServer.java", + "className": "SocketServer", + "functionName": "main" + } + } + ], + "malicious": false, + "isDisputed": false, + "moduleName": "log4j:log4j", + "references": [ + { + "url": "https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E", + "title": "Apache Security Advisory" + }, + { + "url": "https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html", + "title": "Atlassian Patch" + }, + { + "url": "https://0xsapra.github.io/website/CVE-2019-17571", + "title": "PoC" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-07-26T01:11:37.621986Z" + }, + { + "assigner": "SUSE", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-05-03T23:36:31.140776Z" + }, + { + "assigner": "Red Hat", + "severity": "critical", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", + "cvssV3BaseScore": 9.8, + "modificationTime": "2022-10-26T20:30:52.296974Z" + } + ], + "description": "## Overview\n[log4j:log4j](https://github.com/apache/log4j) is a 1.x branch of the Apache Log4j project.\n\nAffected versions of this package are vulnerable to Deserialization of Untrusted Data. Included in Log4j 1.2 is a SocketServer class that is vulnerable to deserialization of untrusted data which can be exploited to remotely execute arbitrary code when combined with a deserialization gadget when listening to untrusted network traffic for log data.\n\n## Details\n\nSerialization is a process of converting an object into a sequence of bytes which can be persisted to a disk or database or can be sent through streams. The reverse process of creating object from sequence of bytes is called deserialization. Serialization is commonly used for communication (sharing objects between multiple hosts) and persistence (store the object state in a file or a database). It is an integral part of popular protocols like _Remote Method Invocation (RMI)_, _Java Management Extension (JMX)_, _Java Messaging System (JMS)_, _Action Message Format (AMF)_, _Java Server Faces (JSF) ViewState_, etc.\n\n_Deserialization of untrusted data_ ([CWE-502](https://cwe.mitre.org/data/definitions/502.html)), is when the application deserializes untrusted data without sufficiently verifying that the resulting data will be valid, letting the attacker to control the state or the flow of the execution.\n\nJava deserialization issues have been known for years. However, interest in the issue intensified greatly in 2015, when classes that could be abused to achieve remote code execution were found in a [popular library (Apache Commons Collection)](https://snyk.io/vuln/SNYK-JAVA-COMMONSCOLLECTIONS-30078). These classes were used in zero-days affecting IBM WebSphere, Oracle WebLogic and many other products.\n\n \nAn attacker just needs to identify a piece of software that has both a vulnerable class on its path, and performs deserialization on untrusted data. Then all they need to do is send the payload into the deserializer, getting the command executed.\n \n\n> Developers put too much trust in Java Object Serialization. Some even de-serialize objects pre-authentication. When deserializing an Object in Java you typically cast it to an expected type, and therefore Java's strict type system will ensure you only get valid object trees. Unfortunately, by the time the type checking happens, platform code has already created and executed significant logic. So, before the final type is checked a lot of code is executed from the readObject() methods of various objects, all of which is out of the developer's control. By combining the readObject() methods of various classes which are available on the classpath of the vulnerable application an attacker can execute functions (including calling Runtime.exec() to execute local OS commands).\n\n- Apache Blog\n \n## Remediation\nThere is no fixed version for `log4j:log4j`.\n## References\n- [Apache Security Advisory](https://lists.apache.org/thread.html/eea03d504b36e8f870e8321d908e1def1addda16adda04327fe7c125%40%3Cdev.logging.apache.org%3E)\n- [Atlassian Patch](https://confluence.atlassian.com/jirakb/list-of-security-vulnerabilities-addressed-in-atlassian-log4j1-1141965553.html)\n- [PoC](https://0xsapra.github.io/website/CVE-2019-17571)\n", + "epssDetails": { + "percentile": "0.99947", + "probability": "0.97467", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2019-17571" + ], + "CWE": [ + "CWE-502" + ], + "GHSA": [ + "GHSA-2qrg-x229-3v8q" + ] + }, + "packageName": "log4j:log4j", + "proprietary": false, + "creationTime": "2020-06-18T15:47:31.144561Z", + "functions_new": [ + { + "version": [ + "[0,]" + ], + "functionId": { + "className": "org.apache.log4j.net.SocketServer", + "functionName": "main" + } + } + ], + "alternativeIds": [], + "disclosureTime": "2019-12-22T09:33:11Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "log4j", + "artifactId": "log4j" + }, + "publicationTime": "2020-06-19T09:33:01Z", + "modificationTime": "2023-09-28T10:33:14.290033Z", + "socialTrendAlert": false, + "severityWithCritical": "critical", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "log4j:log4j@1.2.16" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.5.0.0" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "log4j:log4j", + "version": "1.2.16" + }, + { + "id": "SNYK-JAVA-NETSOURCEFORGENEKOHTML-2621454", + "title": "Denial of Service (DoS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "credit": [ + "이형관 (windshock)" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "high", + "cvssScore": 7.5, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "net.sourceforge.nekohtml:nekohtml", + "references": [ + { + "url": "https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "Red Hat", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2023-03-26T14:47:52.054472Z" + }, + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-07-26T01:11:19.792610Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Denial of Service (DoS) due to an uncaught `java.lang.OutOfMemoryError` exception when parsing ill-formed HTML markup.\n\n## Details\n\nDenial of Service (DoS) describes a family of attacks, all aimed at making a system inaccessible to its intended and legitimate users.\n\nUnlike other vulnerabilities, DoS attacks usually do not aim at breaching security. Rather, they are focused on making websites and services unavailable to genuine users resulting in downtime.\n\nOne popular Denial of Service vulnerability is DDoS (a Distributed Denial of Service), an attack that attempts to clog network pipes to the system by generating a large volume of traffic from many machines.\n\nWhen it comes to open source libraries, DoS vulnerabilities allow attackers to trigger such a crash or crippling of the service by using a flaw either in the application code or from the use of open source libraries.\n\nTwo common types of DoS vulnerabilities:\n\n* High CPU/Memory Consumption- An attacker sending crafted requests that could cause the system to take a disproportionate amount of time to process. For example, [commons-fileupload:commons-fileupload](SNYK-JAVA-COMMONSFILEUPLOAD-30082).\n\n* Crash - An attacker sending crafted requests that could cause the system to crash. For Example, [npm `ws` package](https://snyk.io/vuln/npm:ws:20171108)\n\n## Remediation\nA fix was pushed into the `master` branch but not yet published.\n## References\n- [GitHub Commit](https://github.com/sparklemotion/nekohtml/commit/a800fce3b079def130ed42a408ff1d09f89e773d)\n", + "epssDetails": { + "percentile": "0.46292", + "probability": "0.00127", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-24839" + ], + "CWE": [ + "CWE-400" + ], + "GHSA": [ + "GHSA-9849-p7jc-9rmv" + ] + }, + "packageName": "net.sourceforge.nekohtml:nekohtml", + "proprietary": false, + "creationTime": "2022-04-12T11:45:16.731969Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-12T11:40:23Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "net.sourceforge.nekohtml", + "artifactId": "nekohtml" + }, + "publicationTime": "2022-04-12T14:21:53.906896Z", + "modificationTime": "2023-03-26T14:47:52.054472Z", + "socialTrendAlert": false, + "severityWithCritical": "high", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3", + "net.sourceforge.nekohtml:nekohtml@1.9.12" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.3.0.0", + "org.owasp.antisamy:antisamy@1.6.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "net.sourceforge.nekohtml:nekohtml", + "version": "1.9.12" + }, + { + "id": "SNYK-JAVA-NETSOURCEFORGENEKOHTML-2774754", + "title": "Memory Allocation with Excessive Size Value", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "net.sourceforge.nekohtml:nekohtml", + "references": [ + { + "url": "https://htmlunit.sourceforge.io/changes-report.html%23a2.27", + "title": "Releases" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-10-29T01:10:33.676290Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Memory Allocation with Excessive Size Value via a crafted Processing Instruction (PI) input.\n## Remediation\nThere is no fixed version for `net.sourceforge.nekohtml:nekohtml`.\n## References\n- [Releases](https://htmlunit.sourceforge.io/changes-report.html#a2.27)\n", + "epssDetails": { + "percentile": "0.36345", + "probability": "0.00088", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-28366" + ], + "CWE": [ + "CWE-789" + ] + }, + "packageName": "net.sourceforge.nekohtml:nekohtml", + "proprietary": false, + "creationTime": "2022-04-24T14:07:34.794547Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-24T13:26:47Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "net.sourceforge.nekohtml", + "artifactId": "nekohtml" + }, + "publicationTime": "2022-04-24T15:16:32Z", + "modificationTime": "2022-10-29T01:10:33.676290Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3", + "net.sourceforge.nekohtml:nekohtml@1.9.12" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.3.0.0", + "org.owasp.antisamy:antisamy@1.6.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "net.sourceforge.nekohtml:nekohtml", + "version": "1.9.12" + }, + { + "id": "SNYK-JAVA-NETSOURCEFORGENEKOHTML-2803036", + "title": "Heap-based Buffer Overflow", + "CVSSv3": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[0,]" + ] + }, + "exploit": "Not Defined", + "fixedIn": [], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "net.sourceforge.nekohtml:nekohtml", + "references": [ + { + "url": "https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc", + "title": "GitHub Commit" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "high", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H", + "cvssV3BaseScore": 7.5, + "modificationTime": "2022-05-05T01:10:56.807574Z" + } + ], + "description": "## Overview\n\nAffected versions of this package are vulnerable to Heap-based Buffer Overflow via a crafted Processing Instruction (PI) input.\n## Remediation\nThere is no fixed version for `net.sourceforge.nekohtml:nekohtml`.\n## References\n- [GitHub Commit](https://github.com/HtmlUnit/htmlunit-neko/commit/9d2aecd69223469e40c12ca3edddda09009110cc)\n", + "epssDetails": { + "percentile": "0.30603", + "probability": "0.00075", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-29546" + ], + "CWE": [ + "CWE-122" + ], + "GHSA": [ + "GHSA-6jmm-mp6w-4rrg" + ] + }, + "packageName": "net.sourceforge.nekohtml:nekohtml", + "proprietary": false, + "creationTime": "2022-04-25T11:36:53.287581Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-25T11:31:46Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "net.sourceforge.nekohtml", + "artifactId": "nekohtml" + }, + "publicationTime": "2022-04-25T15:16:24.219695Z", + "modificationTime": "2022-05-05T01:10:56.807574Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3", + "net.sourceforge.nekohtml:nekohtml@1.9.12" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.3.0.0", + "org.owasp.antisamy:antisamy@1.6.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "net.sourceforge.nekohtml:nekohtml", + "version": "1.9.12" + }, + { + "id": "SNYK-JAVA-ORGOWASPANTISAMY-1320080", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "Sebastián Passaro" + ], + "semver": { + "vulnerable": [ + "[,1.6.4)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.6.4" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.owasp.antisamy:antisamy", + "references": [ + { + "url": "https://github.com/nahsra/antisamy/commit/6a1c2f8a9e46872565229a9fe5f84b3b3bffbc6c", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/nahsra/antisamy/pull/87", + "title": "GitHub PR" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-10-29T13:10:59.763439Z" + } + ], + "description": "## Overview\n[org.owasp.antisamy:antisamy](https://mvnrepository.com/artifact/org.owasp.antisamy/antisamy) is a library for performing fast, configurable cleansing of HTML coming from untrusted sources.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) via HTML attributes when using the HTML output serializer (XHTML is not affected).\r\nWhen serializing results to HTML, URLs are not being encoded when they are on HTML attributes. This can lead to mistakes when validating values.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.owasp.antisamy:antisamy` to version 1.6.4 or higher.\n## References\n- [GitHub Commit](https://github.com/nahsra/antisamy/commit/6a1c2f8a9e46872565229a9fe5f84b3b3bffbc6c)\n- [GitHub PR](https://github.com/nahsra/antisamy/pull/87)\n", + "epssDetails": { + "percentile": "0.40289", + "probability": "0.00100", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2021-35043" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.owasp.antisamy:antisamy", + "proprietary": false, + "creationTime": "2021-07-20T09:19:16.842327Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2021-07-20T08:45:35Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.owasp.antisamy", + "artifactId": "antisamy" + }, + "publicationTime": "2021-07-20T14:23:10.776196Z", + "modificationTime": "2022-10-29T13:10:59.763439Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.3.0.0", + "org.owasp.antisamy:antisamy@1.6.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.owasp.antisamy:antisamy", + "version": "1.4.3" + }, + { + "id": "SNYK-JAVA-ORGOWASPANTISAMY-2774681", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "Hyeong Gwan", + "Yi" + ], + "semver": { + "vulnerable": [ + "[,1.6.6)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.6.6" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.owasp.antisamy:antisamy", + "references": [ + { + "url": "https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.6", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-05-04T01:11:15.502903Z" + } + ], + "description": "## Overview\n[org.owasp.antisamy:antisamy](https://mvnrepository.com/artifact/org.owasp.antisamy/antisamy) is a library for performing fast, configurable cleansing of HTML coming from untrusted sources.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) via `HTML` tag smuggling on `STYLE` content with crafted input. This is due to an improper serialization of the output which does not properly encode the supposed Cascading Style Sheets (CSS) content.\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.owasp.antisamy:antisamy` to version 1.6.6 or higher.\n## References\n- [GitHub Commit](https://github.com/nahsra/antisamy/commit/0199e7e194dba5e7d7197703f43ebe22401e61ae)\n- [GitHub Release](https://github.com/nahsra/antisamy/releases/tag/v1.6.6)\n", + "epssDetails": { + "percentile": "0.19458", + "probability": "0.00054", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-28367" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.owasp.antisamy:antisamy", + "proprietary": false, + "creationTime": "2022-04-24T10:59:44.569034Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-24T10:56:44Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.owasp.antisamy", + "artifactId": "antisamy" + }, + "publicationTime": "2022-04-24T14:02:56.777351Z", + "modificationTime": "2022-05-04T01:11:15.502903Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.3.0.0", + "org.owasp.antisamy:antisamy@1.6.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.owasp.antisamy:antisamy", + "version": "1.4.3" + }, + { + "id": "SNYK-JAVA-ORGOWASPANTISAMY-2774682", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N", + "credit": [ + "Unknown" + ], + "semver": { + "vulnerable": [ + "[,1.6.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.6.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 5.4, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.owasp.antisamy:antisamy", + "references": [ + { + "url": "https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/nahsra/antisamy/releases/tag/v1.6.7", + "title": "GitHub Release" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-07-26T01:11:23.331406Z" + } + ], + "description": "## Overview\n[org.owasp.antisamy:antisamy](https://mvnrepository.com/artifact/org.owasp.antisamy/antisamy) is a library for performing fast, configurable cleansing of HTML coming from untrusted sources.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) via `HTML` tag smuggling on `STYLE` content with a crafted input. This is due to an incomplete fix for [CVE-2022-28367](https://security.snyk.io/vuln/SNYK-JAVA-ORGOWASPANTISAMY-2774681)\n## Details\n\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\n\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\n\nInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\n\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\n \nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \n\n### Types of attacks\nThere are a few methods by which XSS can be manipulated:\n\n|Type|Origin|Description|\n|--|--|--|\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\n\n### Affected environments\nThe following environments are susceptible to an XSS attack:\n\n* Web servers\n* Application servers\n* Web application environments\n\n### How to prevent\nThis section describes the top best practices designed to specifically protect your code: \n\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \n* Give users the option to disable client-side scripts.\n* Redirect invalid requests.\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\nUpgrade `org.owasp.antisamy:antisamy` to version 1.6.7 or higher.\n## References\n- [GitHub Commit](https://github.com/nahsra/antisamy/commit/32e273507da0e964b58c50fd8a4c94c9d9363af0)\n- [GitHub Release](https://github.com/nahsra/antisamy/releases/tag/v1.6.7)\n", + "epssDetails": { + "percentile": "0.45846", + "probability": "0.00125", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2022-29577" + ], + "CWE": [ + "CWE-79" + ] + }, + "packageName": "org.owasp.antisamy:antisamy", + "proprietary": false, + "creationTime": "2022-04-24T11:02:30.412430Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2022-04-24T09:36:19Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.owasp.antisamy", + "artifactId": "antisamy" + }, + "publicationTime": "2022-04-24T14:36:23.431638Z", + "modificationTime": "2022-07-26T01:11:23.331406Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.3.0.0", + "org.owasp.antisamy:antisamy@1.6.7" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.owasp.antisamy:antisamy", + "version": "1.4.3" + }, + { + "id": "SNYK-JAVA-ORGOWASPANTISAMY-31591", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "credit": [ + "Rajesh Veerappan" + ], + "semver": { + "vulnerable": [ + "[,1.5.7)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.5.7" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.owasp.antisamy:antisamy", + "references": [ + { + "url": "https://github.com/nahsra/antisamy/commit/82da009e733a989a57190cd6aa1b6824724f6d36", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/nahsra/antisamy/issues/10", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-01-03T16:19:28.715391Z" + } + ], + "description": "## Overview\n\n[org.owasp.antisamy:antisamy](https://mvnrepository.com/artifact/org.owasp.antisamy/antisamy) is a library for performing fast, configurable cleansing of HTML coming from untrusted sources.\n\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS)\nvia HTML5 entities, as demonstrated by use of `:` to construct a javascript: URL.\n\n## Details\nA cross-site scripting attack occurs when the attacker tricks a legitimate web-based application or site to accept a request as originating from a trusted source.\r\n\r\nThis is done by escaping the context of the web application; the web application then delivers that data to its users along with other trusted dynamic content, without validating it. The browser unknowingly executes malicious script on the client side (through client-side languages; usually JavaScript or HTML) in order to perform actions that are otherwise typically blocked by the browser’s Same Origin Policy.\r\n\r\nֿInjecting malicious code is the most prevalent manner by which XSS is exploited; for this reason, escaping characters in order to prevent this manipulation is the top method for securing code against this vulnerability.\r\n\r\nEscaping means that the application is coded to mark key characters, and particularly key characters included in user input, to prevent those characters from being interpreted in a dangerous context. For example, in HTML, `<` can be coded as `<`; and `>` can be coded as `>`; in order to be interpreted and displayed as themselves in text, while within the code itself, they are used for HTML tags. If malicious content is injected into an application that escapes special characters and that malicious content uses `<` and `>` as HTML tags, those characters are nonetheless not interpreted as HTML tags by the browser if they’ve been correctly escaped in the application code and in this way the attempted attack is diverted.\r\n \r\nThe most prominent use of XSS is to steal cookies (source: OWASP HttpOnly) and hijack user sessions, but XSS exploits have been used to expose sensitive information, enable access to privileged services and functionality and deliver malware. \r\n\r\n### Types of attacks\r\nThere are a few methods by which XSS can be manipulated:\r\n\r\n|Type|Origin|Description|\r\n|--|--|--|\r\n|**Stored**|Server|The malicious code is inserted in the application (usually as a link) by the attacker. The code is activated every time a user clicks the link.|\r\n|**Reflected**|Server|The attacker delivers a malicious link externally from the vulnerable web site application to a user. When clicked, malicious code is sent to the vulnerable web site, which reflects the attack back to the user’s browser.| \r\n|**DOM-based**|Client|The attacker forces the user’s browser to render a malicious page. The data in the page itself delivers the cross-site scripting data.|\r\n|**Mutated**| |The attacker injects code that appears safe, but is then rewritten and modified by the browser, while parsing the markup. An example is rebalancing unclosed quotation marks or even adding quotation marks to unquoted parameters.|\r\n\r\n### Affected environments\r\nThe following environments are susceptible to an XSS attack:\r\n\r\n* Web servers\r\n* Application servers\r\n* Web application environments\r\n\r\n### How to prevent\r\nThis section describes the top best practices designed to specifically protect your code: \r\n\r\n* Sanitize data input in an HTTP request before reflecting it back, ensuring all data is validated, filtered or escaped before echoing anything back to the user, such as the values of query parameters during searches. \r\n* Convert special characters such as `?`, `&`, `/`, `<`, `>` and spaces to their respective HTML or URL encoded equivalents. \r\n* Give users the option to disable client-side scripts.\r\n* Redirect invalid requests.\r\n* Detect simultaneous logins, including those from two separate IP addresses, and invalidate those sessions.\r\n* Use and enforce a Content Security Policy (source: Wikipedia) to disable any features that might be manipulated for an XSS attack.\r\n* Read the documentation for any of the libraries referenced in your code to understand which elements allow for embedded HTML.\n\n## Remediation\n\nUpgrade `org.owasp.antisamy:antisamy` to version 1.5.7 or higher.\n\n\n## References\n\n- [GitHub Commit](https://github.com/nahsra/antisamy/commit/82da009e733a989a57190cd6aa1b6824724f6d36)\n\n- [GitHub Issue](https://github.com/nahsra/antisamy/issues/10)\n", + "epssDetails": { + "percentile": "0.65332", + "probability": "0.00303", + "modelVersion": "v2023.03.01" + }, + "identifiers": { + "CVE": [ + "CVE-2017-14735" + ], + "CWE": [ + "CWE-79" + ], + "GHSA": [ + "GHSA-q44v-xc3g-v7jq" + ] + }, + "packageName": "org.owasp.antisamy:antisamy", + "proprietary": false, + "creationTime": "2017-11-21T08:28:01.581000Z", + "functions_new": [], + "alternativeIds": [], + "disclosureTime": "2017-07-05T21:00:00Z", + "packageManager": "maven", + "mavenModuleName": { + "groupId": "org.owasp.antisamy", + "artifactId": "antisamy" + }, + "publicationTime": "2017-11-28T14:47:21Z", + "modificationTime": "2022-01-03T16:19:28.715391Z", + "socialTrendAlert": false, + "severityWithCritical": "medium", + "from": [ + "io.github.jensdietrich.xshady:CVE-2013-5960@1.0.0", + "org.owasp.esapi:esapi@2.1.0", + "org.owasp.antisamy:antisamy@1.4.3" + ], + "upgradePath": [ + false, + "org.owasp.esapi:esapi@2.2.0.0", + "org.owasp.antisamy:antisamy@1.5.8" + ], + "isUpgradable": true, + "isPatchable": false, + "name": "org.owasp.antisamy:antisamy", + "version": "1.4.3" + }, + { + "id": "SNYK-JAVA-ORGOWASPANTISAMY-598767", + "title": "Cross-site Scripting (XSS)", + "CVSSv3": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "credit": [ + "Vivek Krishna" + ], + "semver": { + "vulnerable": [ + "[,1.5.5)" + ] + }, + "exploit": "Not Defined", + "fixedIn": [ + "1.5.5" + ], + "patches": [], + "insights": { + "triageAdvice": null + }, + "language": "java", + "severity": "medium", + "cvssScore": 6.1, + "functions": [], + "malicious": false, + "isDisputed": false, + "moduleName": "org.owasp.antisamy:antisamy", + "references": [ + { + "url": "https://github.com/nahsra/antisamy/commit/7313931dc3c0d1377b010f07faef2063dd359a36%23commitcomment-41485849", + "title": "GitHub Commit" + }, + { + "url": "https://github.com/nahsra/antisamy/issues/2", + "title": "GitHub Issue" + } + ], + "cvssDetails": [ + { + "assigner": "NVD", + "severity": "medium", + "cvssV3Vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", + "cvssV3BaseScore": 6.1, + "modificationTime": "2022-01-03T17:41:49.097888Z" + } + ], + "description": "## Overview\n[org.owasp.antisamy:antisamy](https://mvnrepository.com/artifact/org.owasp.antisamy/antisamy) is a library for performing fast, configurable cleansing of HTML coming from untrusted sources.\n\nAffected versions of this package are vulnerable to Cross-site Scripting (XSS) via `