*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
Partial details (19 vulnerabilities) are displayed below due to a content size limitation in GitHub. To view information on the remaining vulnerabilities, navigate to the Mend Application.
Path to dependency file: /timeseries-sources/YahooFinanceAPI/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/htmlunit/htmlunit/2.70.0/htmlunit-2.70.0.jar
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage.
Path to dependency file: /timeseries-sources/alphavantage4j/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/derby/derby/10.14.2.0/derby-10.14.2.0.jar
Dependency Hierarchy:
timeseries-stockfeed-0.1.3.jar (Root Library)
  alphavantage4j-1.3.jar
    webscraper-core-1.0.23.jar
      ❌ derby-10.14.2.0.jar (Vulnerable Library)
derby-10.16.1.1.jar
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.
Path to dependency file: /timeseries-sources/alphavantage4j/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.2.1/maven-shared-utils-3.2.1.jar
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Maven is a project development management and comprehension tool. Based on the concept of a project object model: builds, dependency management, documentation creation, site publication, and distribution publication are all controlled from the declarative file. Maven can be extended by plugins to utilise a number of other development tools for reporting or the build process.
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Path to dependency file: /timeseries-lambda/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/seleniumhq/selenium/selenium-ie-driver/3.141.59/selenium-ie-driver-3.141.59.jar
Path to dependency file: /timeseries-lambda/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.50.v20221201/jetty-http-9.4.50.v20221201.jar
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows for HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows for user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.
Path to dependency file: /timeseries-lambda/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.11.3/jsoup-1.11.3.jar
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. However, PropertyUtilsBean was not using this BeanIntrospector by default.
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
mend-bolt-for-githubbot changed the title from "timeseries-stockfeed-0.1.3.jar: 35 vulnerabilities (highest severity is: 9.8)" to "timeseries-stockfeed-0.1.3.jar: 36 vulnerabilities (highest severity is: 9.8)" on Dec 12, 2024
mend-bolt-for-githubbot changed the title from "timeseries-stockfeed-0.1.3.jar: 36 vulnerabilities (highest severity is: 9.8)" to "timeseries-stockfeed-0.1.3.jar: 35 vulnerabilities (highest severity is: 9.8)" on Jan 19, 2025
mend-bolt-for-githubbot changed the title from "timeseries-stockfeed-0.1.3.jar: 35 vulnerabilities (highest severity is: 9.8)" to "timeseries-stockfeed-0.1.3.jar: 33 vulnerabilities (highest severity is: 9.8)" on Jan 19, 2025
mend-bolt-for-githubbot changed the title from "timeseries-stockfeed-0.1.3.jar: 33 vulnerabilities (highest severity is: 9.8)" to "timeseries-stockfeed-0.1.3.jar: 31 vulnerabilities (highest severity is: 9.8)" on Jan 19, 2025
mend-bolt-for-githubbot changed the title from "timeseries-stockfeed-0.1.3.jar: 31 vulnerabilities (highest severity is: 9.8)" to "timeseries-stockfeed-0.1.3.jar: 34 vulnerabilities (highest severity is: 9.8)" on Jan 22, 2025
mend-bolt-for-githubbot changed the title from "timeseries-stockfeed-0.1.3.jar: 34 vulnerabilities (highest severity is: 9.8)" to "timeseries-stockfeed-0.1.3.jar: 36 vulnerabilities (highest severity is: 9.8)" on Jan 23, 2025
Vulnerable Library - timeseries-stockfeed-0.1.3.jar
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Vulnerabilities
*For some transitive vulnerabilities, there is no version of direct dependency with a fix. Check the "Details" section below to see if there is a version of transitive dependency where vulnerability is fixed.
**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation
Details
CVE-2023-26119
Vulnerable Library - htmlunit-2.70.0.jar
A headless browser intended for use in testing web-based applications.
Library home page: http://www.GargoyleSoftware.com/
Path to dependency file: /timeseries-sources/YahooFinanceAPI/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/net/sourceforge/htmlunit/htmlunit/2.70.0/htmlunit-2.70.0.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Versions of the package net.sourceforge.htmlunit:htmlunit from 0 and before 3.0.0 are vulnerable to Remote Code Execution (RCE) via XSLT when browsing the attacker's webpage.
Publish Date: 2023-04-03
URL: CVE-2023-26119
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.cve.org/CVERecord?id=CVE-2023-26119
Release Date: 2023-04-03
Fix Resolution: net.sourceforge.htmlunit:htmlunit:3.0.0
Step up your Open Source Security Game with Mend here
CVE-2022-46337
Vulnerable Libraries - derby-10.14.2.0.jar, derby-10.16.1.1.jar
derby-10.14.2.0.jar
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Library home page: http://db.apache.org/
Path to dependency file: /timeseries-sources/alphavantage4j/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/derby/derby/10.14.2.0/derby-10.14.2.0.jar
Dependency Hierarchy:
derby-10.16.1.1.jar
Contains the core Apache Derby database engine, which also includes the embedded JDBC driver.
Library home page: http://db.apache.org/
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/derby/derby/10.16.1.1/derby-10.16.1.1.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
A cleverly devised username might bypass LDAP authentication checks. In LDAP-authenticated Derby installations, this could let an attacker fill up the disk by creating junk Derby databases. In LDAP-authenticated Derby installations, this could also allow the attacker to execute malware which was visible to and executable by the account which booted the Derby server. In LDAP-protected databases which weren't also protected by SQL GRANT/REVOKE authorization, this vulnerability could also let an attacker view and corrupt sensitive data and run sensitive database functions and procedures.
Mitigation:
Users should upgrade to Java 21 and Derby 10.17.1.0. Alternatively, users who wish to remain on older Java versions should build their own Derby distribution from one of the release families to which the fix was backported: 10.16, 10.15, and 10.14. Those are the releases which correspond, respectively, with Java LTS versions 17, 11, and 8.
Publish Date: 2023-11-20
URL: CVE-2022-46337
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://issues.apache.org/jira/browse/DERBY-7147
Release Date: 2023-11-20
Fix Resolution: org.apache.derby:derby:10.14.3,10.15.2.1,10.16.1.2,10.17.1.0
CVE-2022-29599
Vulnerable Library - maven-shared-utils-3.2.1.jar
Shared utils without any further dependencies
Library home page: https://www.apache.org/
Path to dependency file: /timeseries-sources/alphavantage4j/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/maven/shared/maven-shared-utils/3.2.1/maven-shared-utils-3.2.1.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
In Apache Maven maven-shared-utils prior to version 3.3.3, the Commandline class can emit double-quoted strings without proper escaping, allowing shell injection attacks.
Publish Date: 2022-05-23
URL: CVE-2022-29599
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-rhgr-952r-6p8q
Release Date: 2022-05-23
Fix Resolution: org.apache.maven.shared:maven-shared-utils:3.3.3
CVE-2019-13116
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
The MuleSoft Mule Community Edition runtime engine before 3.8 allows remote attackers to execute arbitrary code because of Java Deserialization, related to Apache Commons Collections.
Publish Date: 2019-10-16
URL: CVE-2019-13116
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13116
Release Date: 2019-10-16
Fix Resolution: commons-collections:commons-collections:3.2.2
CVE-2017-15708
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
In Apache Synapse, by default no authentication is required for Java Remote Method Invocation (RMI). So Apache Synapse 3.0.1 or all previous releases (3.0.0, 2.1.0, 2.0.0, 1.2, 1.1.2, 1.1.1) allows remote code execution attacks that can be performed by injecting specially crafted serialized objects. And the presence of Apache Commons Collections 3.2.1 (commons-collections-3.2.1.jar) or previous versions in Synapse distribution makes this exploitable. To mitigate the issue, we need to limit RMI access to trusted users only. Further upgrading to 3.0.1 version will eliminate the risk of having said Commons Collection version. In Synapse 3.0.1, Commons Collection has been updated to 3.2.2 version.
Publish Date: 2017-12-11
URL: CVE-2017-15708
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-15708
Release Date: 2017-12-11
Fix Resolution: org.apache.synapse:Apache-Synapse:3.0.1;commons-collections:commons-collections:3.2.2
CVE-2015-7501
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Red Hat JBoss A-MQ 6.x; BPM Suite (BPMS) 6.x; BRMS 6.x and 5.x; Data Grid (JDG) 6.x; Data Virtualization (JDV) 6.x and 5.x; Enterprise Application Platform 6.x, 5.x, and 4.3.x; Fuse 6.x; Fuse Service Works (FSW) 6.x; Operations Network (JBoss ON) 3.x; Portal 6.x; SOA Platform (SOA-P) 5.x; Web Server (JWS) 3.x; Red Hat OpenShift/xPAAS 3.x; and Red Hat Subscription Asset Manager 1.3 allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2017-11-09
URL: CVE-2015-7501
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://bugzilla.redhat.com/show_bug.cgi?id=1279330
Release Date: 2017-11-09
Fix Resolution: commons-collections:commons-collections:3.2.2;org.apache.commons:commons-collections4:4.1
CVE-2015-4852
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers to execute arbitrary commands via a crafted serialized Java object in T3 protocol traffic to TCP port 7001, related to oracle_common/modules/com.bea.core.apache.commons.collections.jar. NOTE: the scope of this CVE is limited to the WebLogic Server product.
Publish Date: 2015-11-18
URL: CVE-2015-4852
CVSS 3 Score Details (9.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://www.openwall.com/lists/oss-security/2015/11/17/19
Release Date: 2015-11-18
Fix Resolution: commons-collections:commons-collections:3.2.2
CVE-2021-26291
Vulnerable Library - maven-core-3.0.jar
Maven is a project development management and comprehension tool. Based on the concept of a project object model: builds, dependency management, documentation creation, site publication, and distribution publication are all controlled from the declarative file. Maven can be extended by plugins to utilise a number of other development tools for reporting or the build process.
Library home page: http://www.apache.org/
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/maven/maven-core/3.0/maven-core-3.0.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Apache Maven will follow repositories that are defined in a dependency’s Project Object Model (pom) which may be surprising to some users, resulting in potential risk if a malicious actor takes over that repository or is able to insert themselves into a position to pretend to be that repository. Maven is changing the default behavior in 3.8.1+ to no longer follow http (non-SSL) repository references by default. More details available in the referenced urls. If you are currently using a repository manager to govern the repositories used by your builds, you are unaffected by the risks present in the legacy behavior, and are unaffected by this vulnerability and change to default behavior. See this link for more information about repository management: https://maven.apache.org/repository-management.html
Publish Date: 2021-04-23
URL: CVE-2021-26291
CVSS 3 Score Details (9.1)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-2f88-5hg8-9x2x
Release Date: 2021-04-23
Fix Resolution: org.apache.maven:maven-core:3.8.1, org.apache.maven:maven-compat:3.8.1, org.apache-maven:3.8.1
CVE-2020-13936
Vulnerable Library - velocity-1.5.jar
Apache Velocity is a general purpose template engine.
Library home page: http://www.apache.org/
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/apache/velocity/velocity/1.5/velocity-1.5.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
An attacker that is able to modify Velocity templates may execute arbitrary Java code or run arbitrary system commands with the same privileges as the account running the Servlet container. This applies to applications that allow untrusted users to upload/modify velocity templates running Apache Velocity Engine versions up to 2.2.
Publish Date: 2021-03-10
URL: CVE-2020-13936
CVSS 3 Score Details (8.8)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-03-10
Fix Resolution: org.apache.velocity:velocity-engine-core:2.3
WS-2021-0419
Vulnerable Library - gson-2.7.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
A Denial of Service vulnerability was discovered in gson before 2.8.9 via the writeReplace() method.
Publish Date: 2021-10-11
URL: WS-2021-0419
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2021-10-11
Fix Resolution: com.google.code.gson:gson:2.8.9
CVE-2022-25647
Vulnerable Library - gson-2.7.jar
Gson JSON library
Library home page: https://github.com/google/gson
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/com/google/code/gson/gson/2.7/gson-2.7.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
The package com.google.code.gson:gson before 2.8.9 is vulnerable to Deserialization of Untrusted Data via the writeReplace() method in internal classes, which may lead to DoS attacks.
Publish Date: 2022-05-01
URL: CVE-2022-25647
CVSS 3 Score Details (7.7)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25647
Release Date: 2022-05-01
Fix Resolution: com.google.code.gson:gson:gson-parent-2.8.9
CVE-2023-5590
Vulnerable Library - selenium-ie-driver-3.141.59.jar
Selenium automates browsers. That's it! What you do with that power is entirely up to you.
Library home page: http://www.seleniumhq.org/
Path to dependency file: /timeseries-lambda/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/seleniumhq/selenium/selenium-ie-driver/3.141.59/selenium-ie-driver-3.141.59.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
NULL Pointer Dereference in GitHub repository seleniumhq/selenium prior to 4.14.0.
Publish Date: 2023-10-15
URL: CVE-2023-5590
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://huntr.dev/bounties/e268cd68-4f34-49bd-878b-82b96dcc0c99/
Release Date: 2023-10-15
Fix Resolution: selenium-4.14.0;org.seleniumhq.selenium:selenium-ie-driver:4.14.1;Selenium.WebDriver - 4.14.1;selenium - 4.15.1;selenium-webdriver:4.20.1
CVE-2023-36478
Vulnerable Library - jetty-http-9.4.50.v20221201.jar
Library home page: https://webtide.com
Path to dependency file: /timeseries-lambda/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/eclipse/jetty/jetty-http/9.4.50.v20221201/jetty-http-9.4.50.v20221201.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Eclipse Jetty provides a web server and servlet container. In versions 11.0.0 through 11.0.15, 10.0.0 through 10.0.15, and 9.0.0 through 9.4.52, an integer overflow in MetaDataBuilder.checkSize allows HTTP/2 HPACK header values to exceed their size limit. MetaDataBuilder.java determines if a header name or value exceeds the size limit, and throws an exception if the limit is exceeded. However, when length is very large and huffman is true, the multiplication by 4 in line 295 will overflow, and length will become negative. (_size+length) will now be negative, and the check on line 296 will not be triggered. Furthermore, MetaDataBuilder.checkSize allows user-entered HPACK header value sizes to be negative, potentially leading to a very large buffer allocation later on when the user-entered size is multiplied by 2. This means that if a user provides a negative length value (or, more precisely, a length value which, when multiplied by the 4/3 fudge factor, is negative), and this length value is a very large positive number when multiplied by 2, then the user can cause a very large buffer to be allocated on the server. Users of HTTP/2 can be impacted by a remote denial of service attack. The issue has been fixed in versions 11.0.16, 10.0.16, and 9.4.53. There are no known workarounds.
Publish Date: 2023-10-10
URL: CVE-2023-36478
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: GHSA-wgh7-54f2-x98r
Release Date: 2023-10-10
Fix Resolution: org.eclipse.jetty.http2:http2-hpack:9.4.53.v20231009,10.0.16,11.0.16;org.eclipse.jetty.http3:http3-qpack:10.0.16,11.0.16;org.eclipse.jetty:jetty-http:9.4.53.v20231009,10.0.16,11.0.16
CVE-2022-4244
Vulnerable Library - plexus-utils-3.0.22.jar
A collection of various utility classes to ease working with strings, files, command lines, XML and more.
Library home page: http://www.codehaus.org/
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/codehaus/plexus/plexus-utils/3.0.22/plexus-utils-3.0.22.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
A flaw was found in codeplex-codehaus. A directory traversal attack (also known as path traversal) aims to access files and directories stored outside the intended folder. By manipulating files with "dot-dot-slash (../)" sequences and their variations or by using absolute file paths, it may be possible to access arbitrary files and directories stored on the file system, including application source code, configuration, and other critical system files.
Publish Date: 2023-09-25
URL: CVE-2022-4244
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2023-09-25
Fix Resolution: org.codehaus.plexus:plexus-utils:3.0.24
CVE-2021-37714
Vulnerable Library - jsoup-1.11.3.jar
jsoup is a Java library for working with real-world HTML. It provides a very convenient API for extracting and manipulating data, using the best of DOM, CSS, and jquery-like methods. jsoup implements the WHATWG HTML5 specification, and parses HTML to the same DOM as modern browsers do.
Library home page: http://jonathanhedley.com/
Path to dependency file: /timeseries-lambda/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/org/jsoup/jsoup/1.11.3/jsoup-1.11.3.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
jsoup is a Java library for working with HTML. Those using jsoup versions prior to 1.14.2 to parse untrusted HTML or XML may be vulnerable to DOS attacks. If the parser is run on user supplied input, an attacker may supply content that causes the parser to get stuck (loop indefinitely until cancelled), to complete more slowly than usual, or to throw an unexpected exception. This effect may support a denial of service attack. The issue is patched in version 1.14.2. There are a few available workarounds. Users may rate limit input parsing, limit the size of inputs based on system resources, and/or implement thread watchdogs to cap and timeout parse runtimes.
Publish Date: 2021-08-18
URL: CVE-2021-37714
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://jsoup.org/news/release-1.14.2
Release Date: 2021-08-18
Fix Resolution: org.jsoup:jsoup:1.14.2
CVE-2012-0881
Vulnerable Library - xercesImpl-2.8.1.jar
Xerces2 is the next generation of high performance, fully compliant XML parsers in the Apache Xerces family. This new version of Xerces introduces the Xerces Native Interface (XNI), a complete framework for building parser components and configurations that is extremely modular and easy to program.
Library home page: http://www.apache.org/
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/xerces/xercesImpl/2.8.1/xercesImpl-2.8.1.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Apache Xerces2 Java Parser before 2.12.0 allows remote attackers to cause a denial of service (CPU consumption) via a crafted message to an XML service, which triggers hash table collisions.
Publish Date: 2017-10-30
URL: CVE-2012-0881
CVSS 3 Score Details (7.5)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0881
Release Date: 2017-10-30
Fix Resolution: xerces:xercesImpl:2.12.0
CVE-2019-10086
Vulnerable Library - commons-beanutils-1.7.0.jar
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
In Apache Commons Beanutils 1.9.2, a special BeanIntrospector class was added which allows suppressing the ability for an attacker to access the classloader via the class property available on all Java objects. We, however, were not using this by-default characteristic of the PropertyUtilsBean.
Publish Date: 2019-08-20
URL: CVE-2019-10086
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2019-08-20
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4
CVE-2015-6420
Vulnerable Library - commons-collections-3.2.jar
Types that extend and augment the Java Collections Framework.
Library home page: http://jakarta.apache.org
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-collections/commons-collections/3.2/commons-collections-3.2.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Serialized-object interfaces in certain Cisco Collaboration and Social Media; Endpoint Clients and Client Software; Network Application, Service, and Acceleration; Network and Content Security Devices; Network Management and Provisioning; Routing and Switching - Enterprise and Service Provider; Unified Computing; Voice and Unified Communications Devices; Video, Streaming, TelePresence, and Transcoding Devices; Wireless; and Cisco Hosted Services products allow remote attackers to execute arbitrary commands via a crafted serialized Java object, related to the Apache Commons Collections (ACC) library.
Publish Date: 2015-12-15
URL: CVE-2015-6420
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Release Date: 2015-12-15
Fix Resolution: commons-collections:commons-collections:3.2.2,org.apache.commons:commons-collections4:4.1
CVE-2014-0114
Vulnerable Library - commons-beanutils-1.7.0.jar
Path to dependency file: /timeseries-spring-boot-server/pom.xml
Path to vulnerable library: /home/wss-scanner/.m2/repository/commons-beanutils/commons-beanutils/1.7.0/commons-beanutils-1.7.0.jar
Dependency Hierarchy:
Found in HEAD commit: bac6f7ebd6c19aea950976261c402682d8f316f8
Found in base branch: master
Vulnerability Details
Apache Commons BeanUtils, as distributed in lib/commons-beanutils-1.8.0.jar in Apache Struts 1.x through 1.3.10 and in other products requiring commons-beanutils through 1.9.2, does not suppress the class property, which allows remote attackers to "manipulate" the ClassLoader and execute arbitrary code via the class parameter, as demonstrated by the passing of this parameter to the getClass method of the ActionForm object in Struts 1.
Publish Date: 2014-04-30
URL: CVE-2014-0114
CVSS 3 Score Details (7.3)
Base Score Metrics:
Suggested Fix
Type: Upgrade version
Origin: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0114
Release Date: 2014-04-30
Fix Resolution: commons-beanutils:commons-beanutils:1.9.4;org.apache.struts:struts2-core:2.0.5